CVE-2019-10149 is a critical security vulnerability in the Exim mail transfer agent (MTA) software. The flaw affects Exim versions 4.87 through 4.91 inclusive and is described as improper validation of the recipient address in the deliver_message() function in /src/deliver.c, which could lead to remote command execution.
How was CVE-2019-10149 discovered?
Qualys researchers came across the remote command execution vulnerability while performing a code review of the latest changes in the Exim mail server. In this case, the RCE vulnerability may allow an attacker to execute arbitrary commands with execv(), as root. It should be noted that no memory corruption or ROP (Return-Oriented Programming) is involved.
According to the researchers’ report, CVE-2019-10149 is exploitable instantly by a local attacker. However, it can also be exploited by a remote attacker in specific non-default configurations.
A remote attack in the default configuration would require the attacker to keep a connection to the vulnerable server open for 7 days, transmitting one byte every few minutes. However, given the extreme complexity of Exim’s code, the researchers cannot guarantee that this is the only attack scenario; more efficient methods may exist.
Last year, another serious vulnerability was discovered in Exim. That vulnerability, identified as CVE-2018-6789, resided in all releases of the Exim message transfer agent (more specifically, in the base64 decode function) except version 4.90.1.
The flaw was a buffer overflow, putting servers at risk of attacks that could execute malicious code. The bug could be exploited by sending specially crafted input to a server running Exim. Some 400,000 servers were at risk from the vulnerability.
As for CVE-2019-10149, Shodan data shows that vulnerable versions of Exim are currently running on more than 4,800,000 machines. The good news is that CVE-2019-10149 was patched by Exim in version 4.92 of the software on February 10.
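As an added example (not code from the article, from Qualys or from the Exim project), the following Python check classifies Exim version banners against the range the article gives, 4.87 through 4.91 affected and 4.92 fixed. The banner formats and the sample inventory are constructed assumptions; a distribution package that backports the fix without changing the upstream version number will still be reported as "affected", so confirm such hosts against the package changelog.

```python
import re

# Affected range stated in the article: Exim 4.87 through 4.91 inclusive;
# version 4.92 carries the fix for CVE-2019-10149.
AFFECTED_MIN = (4, 87)
FIXED_IN = (4, 92)

# Banner formats this check assumes (constructed, not from the article):
#   "Exim version 4.91 #1 built ..."   exim -bV output
#   "220 host ESMTP Exim 4.91 ..."     SMTP greeting
#   "exim-4.91-1.el7.x86_64"           package name from a package manager
_VERSION_RE = re.compile(
    r"\bExim(?:\s+version)?[\s-]+(\d+)\.(\d+)(?:[._-]?([A-Za-z0-9]+))?",
    re.IGNORECASE,
)

def parse_exim_version(text):
    """Return (major, minor, suffix) parsed from an Exim banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), (m.group(3) or "")

def classify(text):
    """Classify a banner as 'older', 'affected', 'fixed' or 'unknown'."""
    parsed = parse_exim_version(text)
    if parsed is None:
        return "unknown"            # not Exim, or an unrecognised banner
    major, minor, suffix = parsed
    version = (major, minor)
    if version < AFFECTED_MIN:
        return "older"              # below the range the article names
    if version < FIXED_IN:
        return "affected"           # 4.87 .. 4.91: upgrade, or confirm a backport
    if version == FIXED_IN and suffix.upper().startswith("RC"):
        return "unknown"            # 4.92 release candidate: treated conservatively
    return "fixed"

def audit(banners):
    """Map each banner to its classification, e.g. over a fleet inventory."""
    return {banner: classify(banner) for banner in banners}

# Constructed sample inventory, one banner per host.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Exim 4.91 Tue, 11 Jun 2019 10:00:00 +0000",
    "Exim version 4.92 #2 built 11-Jun-2019 09:12:34",
    "Exim version 4.86.2 #1 built 01-Jan-2016",
    "exim-4.91-1.el7.x86_64",
    "220 smtp.example.org ESMTP Postfix",
]
```

Calling `audit(SAMPLE_BANNERS)` flags the two 4.91 hosts as affected, the 4.92 host as fixed, the 4.86.2 host as older and the Postfix banner as unknown.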