Attackers can gain root privileges on the system remotely. An update fixes the problem
Exim developers have released a security update that closes a critical vulnerability in the mail server. The flaw can be exploited over the Internet and affects all installations up to Exim 4.92.1 that offer encryption via TLS. The update should be installed as soon as possible.
The bug can be exploited via a specially crafted Server Name Indication (SNI) value, the developers explain in their advisory for CVE-2019-15846. Builds using either TLS library, GnuTLS or OpenSSL, are affected. As a workaround, TLS can be switched off, which the Exim developers advise against. Alternatively, you can use mail ACLs to prevent an attack, but it’s not clear whether that is really enough protection. It is therefore strongly recommended to update to the new version 4.92.2 as soon as possible.
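To triage a host against the version range above, the following added example (not from the Exim project or the advisory) parses the output of `exim -bV` and reports whether the build predates 4.92.2 and has GnuTLS or OpenSSL compiled in. The function names and sample outputs are constructed for illustration; it assumes the upstream version string is accurate, which may not hold for distribution packages that backport the fix, and compiled-in TLS support is only a proxy for TLS actually being offered.

```python
import re
import sys

FIXED = (4, 92, 2)  # first fixed release named in the article

# Constructed samples in the format printed by `exim -bV`
SAMPLE_VULN = """Exim version 4.92.1 #2 built 01-Aug-2019 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event
Configuration file is /etc/exim4/exim4.conf
"""
SAMPLE_FIXED = SAMPLE_VULN.replace("4.92.1", "4.92.2").replace("GnuTLS", "OpenSSL")
SAMPLE_NO_TLS = """Exim version 4.92 #3 built 19-Jun-2019 10:21:05
Support for: crypteq iconv() IPv6 move_frozen_messages
"""

def parse_bv(text):
    """Return (version_tuple, tls_library_or_None) from `exim -bV` output."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", text, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    version = tuple(int(p) for p in m.group(1).split("."))
    version += (0,) * (3 - len(version))  # normalise 4.92 to (4, 92, 0)
    support = re.search(r"^Support for:(.*)$", text, re.M)
    features = support.group(1).split() if support else []
    tls = next((f for f in features if f in ("GnuTLS", "OpenSSL")), None)
    return version, tls

def assess(text):
    """Classify a build as 'patched', 'old-no-tls' or 'vulnerable'."""
    version, tls = parse_bv(text)
    if version >= FIXED:
        return "patched"
    # Still outdated; without a TLS library the SNI path is not reachable.
    return "vulnerable" if tls else "old-no-tls"

if __name__ == "__main__":
    # Usage: exim -bV | python3 check_exim.py  (falls back to the sample)
    data = SAMPLE_VULN if sys.stdin.isatty() else sys.stdin.read()
    version, tls = parse_bv(data)
    print(".".join(map(str, version)), tls or "no TLS", "->", assess(data))
```

A "vulnerable" result on a distribution package should be cross-checked against the vendor's security tracker before concluding the host is unpatched.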
Exploit not yet public
A security researcher named Zerons had already reported the bug to the Exim developers in July. The security company Qualys then analyzed it and developed a simple demo exploit that uses the vulnerability to add a new user to the passwd file.
The demo exploit has not yet been released, but publicly available exploits are likely to appear before long. Exim is one of the most widely used mail servers and runs mainly on Linux systems. According to the Shodan web service, Exim is installed on more than 5 million servers worldwide, of which 175,000 are in Germany.