Exim MTA Vulnerability (The Return of the WIZard – CVE-2019-10149)

Last week, Qualys issued a security advisory for a vulnerability we discovered during a code review of Exim. This vulnerability can lead to Remote Command Injection, and is currently being actively attacked in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.

The Vulnerability

This vulnerability exists in all versions of Exim’s MTA from version 4.87 to 4.91. Exploitation of the vulnerability only requires a malicious email to be sent to a vulnerable server, and injected commands will typically run as root. There are multiple ways that Exim can be configured, and some of these will allow for faster exploitation, while others may require a week to fully exploit. For technical details on this vulnerability please see our security advisory.

Detecting CVE-2019-10149

The best method for identifying vulnerable hosts is through the Qualys Cloud Agent or via authenticated scanning. Several QIDs have been released for various Linux distros, as well as a generic remote Potential QID that will identify Exim hosts.

Finding Vulnerable Hosts

The fastest way to locate vulnerable hosts is though the Qualys Threat Protection Live Feed as seen here:

Simply click on the impacted assets number to see a list of hosts with this vulnerability. For customers without Threat Protection, you can manually search for the CVE in AssetView, by using this search string:

vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`

This will return a list of all impacted hosts. The results can also be grouped by Vulnerability, which will allow you to determine which distro patches are needed. To filter out the Potential detections (though these should be evaluated), you can modify the query like this:

vulnerabilities:(vulnerability.cveIds:`CVE-2019-10149` and typeDetected:`Confirmed`)

Remediation

To remediate this vulnerability, Exim must be updated to version 4.92. Check your Linux OS vendor for updated packages.