CVE ID:     CVE-2019-15846
Date:       2019-09-02 (CVE assigned)
Credits:    Zerons for the initial report
            Qualys https://www.qualys.com/ for the analysis
Version(s): all versions up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.

Conditions to be vulnerable
===========================

If your Exim server accepts TLS connections, it is vulnerable. This does
not depend on the TLS library: both GnuTLS and OpenSSL builds are
affected.

Details
=======

The vulnerability is exploitable by sending an SNI ending in a
backslash-null sequence during the initial TLS handshake. A
proof-of-concept exploit exists. For more details see
doc/doc-txt/cve-2019-15846/ in the source code repository.

Mitigation
==========

Do not offer TLS. (This mitigation is not recommended.)

Against an attacking TLS client the following ACL snippet should work:

    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Fix
===

Download and build a fixed version:

Tarballs: https://ftp.exim.org/pub/exim/exim4/
Git:      https://github.com/Exim/exim.git
          - tag    exim-4.92.2
          - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note, the
Exim project officially doesn't support versions prior to the current
stable version.)

Timeline
--------

2019-07-21 - Report from Zerons to security@exim.org
....-..-.. - Analysis by Qualys
           - Fix and tests
2019-09-02 - CVE assigned
2019-09-03 - Details to distros@vs.openwall.org,
             exim-maintainers@exim.org
           - Grant access to the security repo
2019-09-04 - Heads-Up to oss-security@lists.openwall.com,
             exim-users@exim.org
2019-09-06 - 10.00 UTC Coordinated Release Date
           - Disclosure to oss-security, exim-users, public repositories
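Added example (not code from this advisory or from the Exim project):
the ACL in the Mitigation section applies one test, "is the last
character of the SNI a backslash?" ($tls_in_sni via substr{-1}{1}). The
script below applies the same test on the wire, for triage of captured
traffic: it pulls the server_name extension out of a raw TLS ClientHello
record and flags names that end in a backslash or contain a
backslash-NUL pair, the sequence the Details section names. The
ClientHello records it inspects are constructed inline by
build_client_hello(); that builder, the field layout it emits and the
example hostnames are assumptions for illustration, not captures from a
real attacker.

```python
import struct

# TLS constants from RFC 5246 / RFC 6066.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
HOST_NAME = 0x00


def build_client_hello(sni: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry.

    Only used to produce sample input; random, cipher suite and session id
    are placeholder values, not a real client's."""
    name_list = bytes([HOST_NAME]) + struct.pack("!H", len(sni)) + sni
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                         # client_version: TLS 1.2
        + bytes(32)                         # random (zeros, constructed)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite
        + b"\x01\x00"                       # compression: null only
        + struct.pack("!H", len(ext)) + ext  # extensions block
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_server_name(edata: bytes):
    """Return the first host_name entry of a server_name extension body."""
    if len(edata) < 2:
        return None
    end = 2 + struct.unpack("!H", edata[:2])[0]
    if end > len(edata):
        return None
    p = 2
    while p + 3 <= end:
        ntype = edata[p]
        nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
        p += 3
        name = edata[p:p + nlen]
        p += nlen
        if len(name) != nlen:
            return None          # truncated entry
        if ntype == HOST_NAME:
            return name
    return None


def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None.

    Every length field is bounds-checked before use so a malformed or
    truncated record yields None instead of an exception."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                               # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                       # compression_methods
    if pos + 2 > len(body):
        return None                            # no extensions present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            return None
        if etype == EXT_SERVER_NAME:
            return parse_server_name(edata)
    return None


def sni_is_suspicious(sni: bytes) -> bool:
    """Same test as the advisory's ACL (last character is a backslash),
    plus an explicit backslash-NUL pair anywhere in the name."""
    return sni.endswith(b"\\") or b"\\\x00" in sni


def flag_records(records):
    """Return (index, sni) for every record whose SNI trips the check."""
    hits = []
    for i, rec in enumerate(records):
        sni = extract_sni(rec)
        if sni is not None and sni_is_suspicious(sni):
            hits.append((i, sni))
    return hits


# Constructed sample traffic: one benign hello, two matching the pattern.
SAMPLE_RECORDS = [
    build_client_hello(b"mail.example.com"),
    build_client_hello(b"mail.example.com\\"),
    build_client_hello(b"mail.example.com\\\x00"),
]

if __name__ == "__main__":
    for idx, sni in flag_records(SAMPLE_RECORDS):
        print(f"record {idx}: suspicious SNI {sni!r}")
```

The parser stops at the first server_name extension and returns None on
any truncated length field, so it can be pointed at a stream of raw
records without raising; a None result means "no usable SNI", not
"safe", and should be logged separately from a clean parse.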