Vulnerabilities > CVE-2019-15846

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
exim
debian
critical
nessus

Summary

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

Vulnerable Configurations

Part Description Count
Application
Exim
138
OS
Debian
3

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4517.NASL
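    description'Zerons' and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.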
    last seen2020-06-01
    modified2020-06-02
    plugin id128559
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128559
    titleDebian DSA-4517-1 : exim4 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4517. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata section: when the plugin is loaded with `description` set it only
    # registers its identifiers, advisory text and scoring, then exits before any
    # host check runs.
    if (description)
    {
      script_id(128559);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/31");
    
      # Cross-references: the CVE this page covers and the Debian advisory (DSA-4517)
      # the package versions below were taken from.
      script_cve_id("CVE-2019-15846");
      script_xref(name:"DSA", value:"4517");
    
      script_name(english:"Debian DSA-4517-1 : exim4 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "'Zerons' and Qualys discovered that a buffer overflow triggerable in
    the TLS negotiation code of the Exim mail transport agent could result
    in the execution of arbitrary code with root privileges."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/exim4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/exim4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/exim4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4517"
      );
      # Remediation text: the fixed package version differs per Debian release.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the exim4 packages.
    
    For the oldstable distribution (stretch), this problem has been fixed
    in version 4.89-2+deb9u6.
    
    For the stable distribution (buster), this problem has been fixed in
    version 4.92-8+deb10u2."
      );
      # Both base vectors describe a network-reachable issue that needs no
      # authentication and has full confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      # NOTE(review): this value (and the E:U temporal metric above) is what the
      # plugin recorded when it was generated. The FreeBSD advisory text quoted
      # elsewhere on this page says an exploit exists as a PoC, so do not use this
      # field alone to lower patch priority.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      # Local check: the verdict comes from the installed package list, not from
      # probing the SMTP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Depends on the KB entries named here (local checks enabled, Debian release,
      # dpkg -l output); the check section of this script audits out when any of
      # them is missing, so a scan without them gives no verdict from this plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      # Metadata is registered; stop here so nothing below runs in description mode.
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled and the KB must hold a Debian
    # release string and the dpkg package list; otherwise audit out with the
    # matching reason.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # Fixed versions per release, as given in the advisory text of this plugin.
    buster_fixed = "4.92-8+deb10u2";
    stretch_fixed = "4.89-2+deb9u6";

    # Package names checked for each release, in the original order so the
    # generated report lists them the same way.
    buster_pkgs = make_list(
      "exim4", "exim4-base", "exim4-config", "exim4-daemon-heavy",
      "exim4-daemon-light", "exim4-dev", "eximon4"
    );
    stretch_pkgs = make_list(
      "exim4", "exim4-base", "exim4-config", "exim4-daemon-heavy",
      "exim4-daemon-heavy-dbg", "exim4-daemon-light", "exim4-daemon-light-dbg",
      "exim4-dbg", "exim4-dev", "eximon4"
    );

    # deb_check() comes from debian_package.inc (not shown here); presumably it
    # returns true when the installed package is older than `reference` - confirm.
    flag = 0;
    foreach pkg (buster_pkgs)
      if (deb_check(release:"10.0", prefix:pkg, reference:buster_fixed)) flag++;
    foreach pkg (stretch_pkgs)
      if (deb_check(release:"9.0", prefix:pkg, reference:stretch_fixed)) flag++;

    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # At least one package matched: report on port 0, with the package detail
      # attached when verbosity allows.
      # NOTE(review): report_verbosity is not defined in this listing; presumably
      # it is supplied by one of the includes - confirm.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1310.NASL
    descriptionExim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846 . There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.(CVE-2019-16928)
    last seen2020-06-01
    modified2020-06-02
    plugin id130280
    published2019-10-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130280
    titleAmazon Linux AMI : exim (ALAS-2019-1310)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2019-1310.
    #
    
    include("compat.inc");
    
    # Metadata section: when the plugin is loaded with `description` set it only
    # registers its identifiers, advisory text and scoring, then exits before any
    # host check runs.
    if (description)
    {
      script_id(130280);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/18");
    
      # NOTE(review): this plugin registers CVE-2019-16928 only. Its description
      # mentions CVE-2019-15846 solely as "a different vulnerability", so a result
      # from plugin 130280 says nothing about a host's CVE-2019-15846 status.
      script_cve_id("CVE-2019-16928");
      script_xref(name:"ALAS", value:"2019-1310");
    
      script_name(english:"Amazon Linux AMI : exim (ALAS-2019-1310)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Exim 4.92 through 4.92.2 allows remote code execution, a different
    vulnerability than CVE-2019-15846 . There is a heap-based buffer
    overflow in string_vformat in string.c involving a long EHLO
    command.(CVE-2019-16928)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2019-1310.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update exim' to update your system."
      );
      # NOTE(review): the v2 vector rates impact as partial (C:P/I:P/A:P) while the
      # v3 vector rates it high (C:H/I:H/A:H); severities derived from the two
      # vectors will differ.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      # Value recorded when the plugin was generated; it is not re-evaluated here.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      # Local check: the verdict comes from the installed rpm list, not from
      # probing the SMTP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-greylist");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:exim-pgsql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      # Depends on the KB entries named here (local checks enabled, Amazon Linux
      # release, rpm list); the check section of this script audits out when any
      # of them is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      # Metadata is registered; stop here so nothing below runs in description mode.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
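    # Preconditions for the package comparison: local checks enabled, an Amazon
    # Linux release string in the KB, the AMI flavour of that release, and an rpm
    # list to compare against. Each failure audits out with its own reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");

    # The release string must start with "AL" followed by "A" or one digit; the
    # captured character selects the flavour.
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];

    # This advisory applies to the AMI ("ALA") only. Inside this branch os_ver is
    # never "A", so the audit message uses the captured digit directly; the former
    # "A" -> "AMI" rename here could not be reached and has been dropped.
    if (os_ver != "A")
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);

    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);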
    
    
    # Fixed package builds for the Amazon Linux AMI, kept in the original order so
    # the generated report lists them the same way.
    fixed_rpms = make_list(
      "exim-4.92-1.25.amzn1",
      "exim-debuginfo-4.92-1.25.amzn1",
      "exim-greylist-4.92-1.25.amzn1",
      "exim-mon-4.92-1.25.amzn1",
      "exim-mysql-4.92-1.25.amzn1",
      "exim-pgsql-4.92-1.25.amzn1"
    );

    # rpm_check() comes from rpm.inc (not shown here); presumably it returns true
    # when the installed package is older than `reference` - confirm.
    flag = 0;
    foreach ref (fixed_rpms)
      if (rpm_check(release:"ALA", reference:ref)) flag++;

    if (!flag)
    {
      # Nothing flagged: say whether packages were tested and found unaffected,
      # or whether none of them is installed at all.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc");
    }
    else
    {
      # At least one package matched: report on port 0, with the package detail
      # attached when verbosity allows.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201909-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201909-06 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id128595
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128595
    titleGLSA-201909-06 : Exim: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-467FCBB10A.NASL
    descriptionThis is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128566
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128566
    titleFedora 30 : exim (2019-467fcbb10a)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4124-1.NASL
    descriptionIt was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128614
    published2019-09-09
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128614
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : exim4 vulnerability (USN-4124-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1911.NASL
    description'Zerons
    last seen2020-06-01
    modified2020-06-02
    plugin id128556
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128556
    titleDebian DLA-1911-1 : exim4 security update
  • NASL familySMTP problems
    NASL idEXIM_4_92_2.NASL
    descriptionAccording to its banner, the version of Exim running on the remote host is prior to 4.92.2. It is, therefore, potentially affected by a remote code execution vulnerability allowing unauthenticated, remote attackers to execute arbitrary code as root via a trailing backslash.
    last seen2020-06-01
    modified2020-06-02
    plugin id128553
    published2019-09-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128553
    titleExim < 4.92.2
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2093.NASL
    descriptionexim was updated to fix a security issue : - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery process where a remote attacker could execute code with root privileges by sending crafted SNI data (boo#1149182).
    last seen2020-06-01
    modified2020-06-02
    plugin id128606
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128606
    titleopenSUSE Security Update : exim (openSUSE-2019-2093)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-AE361E20C2.NASL
    descriptionThis is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128577
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128577
    titleFedora 29 : exim (2019-ae361e20c2)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1277.NASL
    descriptionExim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.(CVE-2019-15846)
    last seen2020-06-01
    modified2020-06-02
    plugin id128617
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128617
    titleAmazon Linux AMI : exim (ALAS-2019-1277)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_61DB9B88D09111E98D4197657151F8C2.NASL
    descriptionExim developers report : If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC. For more details see the document qualys.mbx
    last seen2020-06-01
    modified2020-06-02
    plugin id128585
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128585
    titleFreeBSD : Exim -- RCE with root privileges in TLS SNI handler (61db9b88-d091-11e9-8d41-97657151f8c2)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-1ED7BBB09C.NASL
    descriptionThis is an update fixing CVE-2019-15846. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129605
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129605
    titleFedora 31 : exim (2019-1ed7bbb09c)

The Hacker News

References