Vulnerabilities > CVE-2019-15846
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4517.NASL description 'Zerons last seen 2020-06-01 modified 2020-06-02 plugin id 128559 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128559 title Debian DSA-4517-1 : exim4 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4517. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(128559); script_version("1.2"); script_cvs_date("Date: 2019/12/31"); script_cve_id("CVE-2019-15846"); script_xref(name:"DSA", value:"4517"); script_name(english:"Debian DSA-4517-1 : exim4 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "'Zerons' and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/exim4" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/exim4" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/exim4" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4517" ); script_set_attribute( attribute:"solution", value: "Upgrade the exim4 packages. For the oldstable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u6. For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/09"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"exim4", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"exim4-base", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"exim4-config", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"exim4-daemon-heavy", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"exim4-daemon-light", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"exim4-dev", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"10.0", prefix:"eximon4", reference:"4.92-8+deb10u2")) flag++; if (deb_check(release:"9.0", prefix:"exim4", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-base", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-config", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-daemon-heavy", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-daemon-heavy-dbg", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-daemon-light", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-daemon-light-dbg", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-dbg", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"exim4-dev", reference:"4.89-2+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"eximon4", reference:"4.89-2+deb9u6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1310.NASL description Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846 . There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.(CVE-2019-16928) last seen 2020-06-01 modified 2020-06-02 plugin id 130280 published 2019-10-28 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130280 title Amazon Linux AMI : exim (ALAS-2019-1310) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2019-1310. # include("compat.inc"); if (description) { script_id(130280); script_version("1.3"); script_cvs_date("Date: 2019/12/18"); script_cve_id("CVE-2019-16928"); script_xref(name:"ALAS", value:"2019-1310"); script_name(english:"Amazon Linux AMI : exim (ALAS-2019-1310)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846 . There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.(CVE-2019-16928)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2019-1310.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update exim' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-greylist"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-mon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-pgsql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/27"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"exim-4.92-1.25.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"exim-debuginfo-4.92-1.25.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"exim-greylist-4.92-1.25.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"exim-mon-4.92-1.25.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"exim-mysql-4.92-1.25.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"exim-pgsql-4.92-1.25.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc"); }
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201909-06.NASL description The remote host is affected by the vulnerability described in GLSA-201909-06 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 128595 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128595 title GLSA-201909-06 : Exim: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2019-467FCBB10A.NASL description This is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128566 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128566 title Fedora 30 : exim (2019-467fcbb10a) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4124-1.NASL description It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128614 published 2019-09-09 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128614 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : exim4 vulnerability (USN-4124-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1911.NASL description 'Zerons last seen 2020-06-01 modified 2020-06-02 plugin id 128556 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128556 title Debian DLA-1911-1 : exim4 security update NASL family SMTP problems NASL id EXIM_4_92_2.NASL description According to its banner, the version of Exim running on the remote host is prior to 4.92.2. It is, therefore, potentially affected by a remote code execution vulnerability allowing unauthenticated, remote attackers to execute arbitrary code as root via a trailing backslash. last seen 2020-06-01 modified 2020-06-02 plugin id 128553 published 2019-09-06 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128553 title Exim < 4.92.2 NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2093.NASL description exim was updated to fix a security issue : - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery process where a remote attacker could execute code with root privileges by sending crafted SNI data (boo#1149182). last seen 2020-06-01 modified 2020-06-02 plugin id 128606 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128606 title openSUSE Security Update : exim (openSUSE-2019-2093) NASL family Fedora Local Security Checks NASL id FEDORA_2019-AE361E20C2.NASL description This is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128577 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128577 title Fedora 29 : exim (2019-ae361e20c2) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1277.NASL description Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.(CVE-2019-15846) last seen 2020-06-01 modified 2020-06-02 plugin id 128617 published 2019-09-10 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128617 title Amazon Linux AMI : exim (ALAS-2019-1277) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_61DB9B88D09111E98D4197657151F8C2.NASL description Exim developers report : If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC. For more details see the document qualys.mbx last seen 2020-06-01 modified 2020-06-02 plugin id 128585 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128585 title FreeBSD : Exim -- RCE with root privileges in TLS SNI handler (61db9b88-d091-11e9-8d41-97657151f8c2) NASL family Fedora Local Security Checks NASL id FEDORA_2019-1ED7BBB09C.NASL description This is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 129605 published 2019-10-07 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129605 title Fedora 31 : exim (2019-1ed7bbb09c)
The Hacker News
id THN:A947D0153E6D676ABBCCAB69CD1E73DB last seen 2019-09-30 modified 2019-09-30 published 2019-09-30 reporter The Hacker News source https://thehackernews.com/2019/09/exim-email-security-vulnerability.html title New Critical Exim Flaw Exposes Email Servers to Remote Attacks — Patch Released id THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1 last seen 2019-09-06 modified 2019-09-06 published 2019-09-06 reporter The Hacker News source https://thehackernews.com/2019/09/exim-email-server-vulnerability.html title Exim TLS Flaw Opens Email Servers to Remote 'Root' Code Execution Attacks
References
- http://exim.org/static/doc/security/CVE-2019-15846.txt
- http://exim.org/static/doc/security/CVE-2019-15846.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00024.html
- http://www.openwall.com/lists/oss-security/2019/09/06/2
- http://www.openwall.com/lists/oss-security/2019/09/06/2
- http://www.openwall.com/lists/oss-security/2019/09/06/4
- http://www.openwall.com/lists/oss-security/2019/09/06/4
- http://www.openwall.com/lists/oss-security/2019/09/06/5
- http://www.openwall.com/lists/oss-security/2019/09/06/5
- http://www.openwall.com/lists/oss-security/2019/09/06/6
- http://www.openwall.com/lists/oss-security/2019/09/06/6
- http://www.openwall.com/lists/oss-security/2019/09/06/8
- http://www.openwall.com/lists/oss-security/2019/09/06/8
- http://www.openwall.com/lists/oss-security/2019/09/07/1
- http://www.openwall.com/lists/oss-security/2019/09/07/1
- http://www.openwall.com/lists/oss-security/2019/09/07/2
- http://www.openwall.com/lists/oss-security/2019/09/07/2
- http://www.openwall.com/lists/oss-security/2019/09/08/1
- http://www.openwall.com/lists/oss-security/2019/09/08/1
- http://www.openwall.com/lists/oss-security/2019/09/09/1
- http://www.openwall.com/lists/oss-security/2019/09/09/1
- https://exim.org/static/doc/security/CVE-2019-15846.txt
- https://exim.org/static/doc/security/CVE-2019-15846.txt
- https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FT3GY7V7SR2RHKNZNQCGXFWUSILVSZNU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FT3GY7V7SR2RHKNZNQCGXFWUSILVSZNU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDF37AUNETIOXY6ZLQAUBGBVUTMMV242/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDF37AUNETIOXY6ZLQAUBGBVUTMMV242/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBNHDAF74RI6VK2JVSEIE3VYNL7JJDYM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBNHDAF74RI6VK2JVSEIE3VYNL7JJDYM/
- https://seclists.org/bugtraq/2019/Sep/13
- https://seclists.org/bugtraq/2019/Sep/13
- https://security.gentoo.org/glsa/201909-06
- https://security.gentoo.org/glsa/201909-06
- https://usn.ubuntu.com/4124-1/
- https://usn.ubuntu.com/4124-1/
- https://usn.ubuntu.com/4124-2/
- https://usn.ubuntu.com/4124-2/
- https://www.debian.org/security/2019/dsa-4517
- https://www.debian.org/security/2019/dsa-4517
- https://www.kb.cert.org/vuls/id/672565
- https://www.kb.cert.org/vuls/id/672565
- https://www.openwall.com/lists/oss-security/2019/09/06/1
- https://www.openwall.com/lists/oss-security/2019/09/06/1