Bug found impacting more than half of email servers
Cloud security and compliance company Qualys says it has found a major vulnerability in mail transfer agent Exim that impacts over half of the internet’s email servers.
The vulnerability, present in Exim versions 4.87 to 4.91, allows command execution and could let both local and remote attackers run commands as root on Exim servers.
Qualys has named the vulnerability “the Return of the WIZard” because of its similarities to the WIZ vulnerability that affected the Sendmail email server in 1999.
According to a security advisory released by the company, the “trivially exploitable” vulnerability allows attackers to execute arbitrary commands without needing to exploit memory corruption or use return-oriented programming.
The vulnerability can be exploited instantly by a local attacker. Remote attacks require specific non-default configurations to be exploited instantly, but attackers can remotely exploit the vulnerability in the default Exim configuration by keeping a connection to the vulnerable server open for seven days, transmitting one byte every few minutes.
“However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” the advisory states.
The vulnerability was fixed in version 4.92, which was released in February and is the latest stable release, but the change that plugged the security gap was not classified as a security fix, suggesting it was plugged by accident.
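Two checks an administrator would want after reading the above, written here as an added example rather than anything published by Qualys or the Exim project: a parser that reads the version line Exim prints and reports whether it falls in the affected 4.87 to 4.91 range, and a heuristic that flags SMTP sessions matching the slow, days-long connection pattern the advisory describes. The version banner, the `SmtpSession` records and the thresholds are constructed for illustration; real deployments would feed in connection data from their own logs or connection tracker.

```python
"""Defender-side checks for the Exim version range and slow-drip connection pattern.

Added example, not from the original article or from Qualys/Exim. The sample
banner and session records below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Affected range stated in the article (inclusive) and the fixed release.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
FIXED_VERSION = (4, 92)


def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor[, patch]) from an 'Exim version X.Y' banner line.

    The banner shape assumed here is the one printed by `exim -bV`; anything
    that does not contain 'Exim version' yields None.
    """
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def is_affected(version: Tuple[int, ...]) -> bool:
    """True if the major.minor component lies in the affected 4.87..4.91 range.

    Only major and minor are compared, so a hypothetical 4.89.1 is treated as
    affected while 4.92 and later are not.
    """
    major_minor = tuple(version[:2])
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


@dataclass
class SmtpSession:
    """One inbound SMTP connection as a monitoring system might record it."""
    peer: str
    opened: datetime
    closed: datetime
    bytes_in: int


def is_slow_drip(session: SmtpSession,
                 min_duration: timedelta = timedelta(hours=1),
                 max_rate_bps: float = 0.1) -> bool:
    """Flag a session that stays open for a long time while sending almost nothing.

    A normal SMTP delivery completes in seconds. The article describes a
    connection held open for days with one byte every few minutes, which is far
    below 0.1 bytes per second; both thresholds are constructed defaults.
    """
    duration_s = (session.closed - session.opened).total_seconds()
    if duration_s < min_duration.total_seconds():
        return False
    return session.bytes_in / duration_s <= max_rate_bps


def find_slow_drip_peers(sessions: List[SmtpSession]) -> List[str]:
    """Return the peer addresses of all sessions matching the slow-drip heuristic."""
    return [s.peer for s in sessions if is_slow_drip(s)]


# Constructed sample data: a normal delivery, a multi-day trickle, and a busy
# hour-long relay session that should not be flagged despite its duration.
T0 = datetime(2019, 6, 5, 9, 0, 0)
SAMPLE_SESSIONS = [
    SmtpSession("203.0.113.5", T0, T0 + timedelta(seconds=3), 4_500),
    SmtpSession("198.51.100.7", T0, T0 + timedelta(days=3), 1_200),
    SmtpSession("192.0.2.9", T0, T0 + timedelta(hours=1), 50_000),
]
SAMPLE_BANNER = "Exim version 4.91 #1 built 01-Jan-2019 00:00:00"  # constructed


if __name__ == "__main__":
    ver = parse_exim_version(SAMPLE_BANNER)
    print("version:", ver, "affected:" , is_affected(ver) if ver else "unknown")
    print("slow-drip peers:", find_slow_drip_peers(SAMPLE_SESSIONS))
```

The version check is intentionally coarse: it answers only whether the reported major.minor is inside the range the article names, and says nothing about distribution backports, so treat a "not affected" result for a vendor-patched package as a prompt to confirm against the distribution's own advisory.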
Qualys expects exploits taking advantage of the vulnerability to be published within days.