On Wednesday September 4th, a heads-up notice was posted announcing an upcoming critical patch for the Exim mail server. The announced patch fixes a critical remote code execution vulnerability, which allows a remote or local threat actor to execute programs on a system running a vulnerable version of Exim with root privileges. Due to the criticality of the vulnerability, there will be a coordinated patch release between most major Linux distributions on September 6th, 2019 at 10:00 UTC.
At the time of writing, there are no known active exploits of this vulnerability. However, mnemonic Threat Intelligence expect threat actors are already preparing themselves in order to be able to exploit the vulnerability as soon as the patch becomes available. One must also expect that threat actors are currently trying to identify the vulnerability prior to the release of the patch. We expect vulnerable systems exposing Exim to the internet will be compromised within a short timeframe following the release of the patch. This could allow threat actors to gain a foothold within your organisation.
CVE-2019-15846 affects the following versions of Exim:
- All versions prior to version 4.92.2
- Identify all your systems running Exim, both internally and exposed to the internet.
- Identify if your Linux distribution will be releasing a patch for Exim on September 6th, 2019 at 10:00 UTC
- Install the patch for your Linux distribution as soon as they become available after the 6th of September 2019 10:00 UTC
- Prioritise patching of internet-exposed systems.
What if your Linux distribution is not providing a patch on the announced timestamp?
- Evaluate if the Exim systems exposed to the internet is mission-critical for your business. If not, consider blocking all traffic from the internet to the Exim service.
- If blocking internet traffic towards the Exim service is not an option, you should consider isolating the systems running Exim as much as possible.
Do you want to be updated on mnemonic’s Threat Advisories? Sign up to our email list here.