The world’s most popular mail server is vulnerable to a remote command execution flaw
Exim is the world’s most popular mail server, with 57% of the mail servers connected to the web running Exim (as of June 2019).
The vulnerability reported by Qualys (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive running on several Linux distros, going back as far as April 2018.
According to the security advisory (https://www.openwall.com/lists/oss-security/2019/06/05/4) :
This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.
The vulnerability is a remote Command execution (not code) vulnerability. An attacker can execute arbitrary commands on the target server as root without the need to corrupt memory or upload new software.
Users on the local network can cause Exim to execute arbitrary commands simply by sending an email to a specially formed email address. Remote exploitation is more complex but Qualys advise that they expect easier to implement exploits will soon be discovered in the complex Exim source code.
This underlines the importance of promptly installing security patches and the use of regular external vulnerability scans to identify network devices that have unpatched vulnerabilities.