New command execution vulnerability affects half of email servers

An investigation by web application security specialists from the firm Qualys has revealed that more than half of all email servers are affected by a critical remote command execution (RCE) vulnerability.

Experts report that the flaw affects the Mail Transfer Agent (MTA) known as Exim, software that runs on email servers to relay messages from senders to recipients.

In a survey of conventional mail servers, 57% of those counted (about 507,300) reported using Exim, although other research claims that the total number of installations of this software exceeds 5 million, so the scope of this vulnerability is considerable.

Web application security specialists from the cloud security firm published a report stating that they had found a dangerous vulnerability in Exim installations running versions 4.87 through 4.91.

“This is a remote command execution vulnerability (not to be confused with remote code execution) that allows malicious actors, whether local or remote, to execute commands on the Exim server with root user privileges”, the experts’ report states.

The vulnerability could be exploited immediately by a local attacker with a presence on the email server, even if that attacker only holds a limited-privilege user account. The worst-case scenario, however, is remote exploitation, since attackers could scan the Internet for vulnerable servers and take full control of them.

“An attacker must keep the connection to the vulnerable server active for at least seven days to exploit this vulnerability”, the web application security specialists added. To do so, an attacker would have to transmit a minimal amount of data at intervals of a few minutes. “However, Exim is a very complex code, so it is likely that other exploitation methods are more efficient than those reported in our report”, the experts added.

According to the experts from the International Institute of Cyber Security (IICS), the vulnerability was corrected with the release of Exim 4.92, albeit incidentally, as the developers were not aware of the vulnerability at the time.
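The affected range given above (4.87 through 4.91, fixed in 4.92) is the one fact an administrator can act on immediately. The following added example, not code from the article or from the Exim project, parses the version out of either `exim -bV` output or a server's own SMTP greeting and classifies it against that range; the sample banners are constructed for illustration.

```python
import re
import subprocess

# Affected range as stated in the article: 4.87 <= version < 4.92.
FIRST_AFFECTED = (4, 87)
FIXED_IN = (4, 92)

# Matches both "Exim version 4.91 #1 built ..." (exim -bV) and
# "220 host ESMTP Exim 4.91 ..." (SMTP greeting). Suffixes such as
# "4.92-RC4" or "4.89_1" are ignored; only major.minor is compared.
VERSION_RE = re.compile(r"Exim(?: version)? (\d+)\.(\d+)")


def parse_exim_version(banner: str):
    """Return (major, minor) from an Exim banner, or None if absent."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)))


def is_affected(version) -> bool:
    """True when version falls inside the range the report names."""
    return FIRST_AFFECTED <= version < FIXED_IN


def assess(banner: str) -> str:
    """Classify a banner as affected, not-affected or unknown."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def assess_local_exim() -> str:
    """Run `exim -bV` on this host and classify the result."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "exim-not-found"
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    for sample in ("Exim version 4.91 #1 built 14-Feb-2019",
                   "220 mx.example.test ESMTP Exim 4.92 Tue, 11 Jun 2019"):
        print(f"{sample!r}: {assess(sample)}")
    print("local:", assess_local_exim())
```

Distributions that backport the fix without changing the reported version will still show as affected here, so treat the result as a triage signal and confirm against the vendor's advisory before closing the finding.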