CERTFR-2019-ALE-009
CERT-FR is aware of cases of exploitation of the CVE-2019-10149 vulnerability, which affects Exim and allows arbitrary remote command execution. This vulnerability is trivial to exploit, all the more so because attack code is publicly available on the internet. CERT-FR therefore strongly recommends applying the patch released on 05 June 2019 as soon as possible.

The following command can be used to detect exploitation attempts by searching the activity logs. It was tested on a Debian system with a default configuration.

```bash
grep '${run' /var/log/exim4/mainlog
```

Example output, where `[COMMANDE EXECUTEE]` ("executed command") is a placeholder for the command that was run:

```bash
2019-06-11 14:01:29 1hal5N-0001Hx-3T ** ${run<[COMMANDE EXECUTEE]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:02:14 1hal66-0001I7-MN ** ${run<[COMMANDE EXECUTEE]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:03:11 1hal70-0001IH-VN ** ${run<[COMMANDE EXECUTEE]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:07:44 1halBQ-0001Ij-2D ** ${run<[COMMANDE EXECUTEE]>}@localhost: Too many "Received" headers - suspected mail loop
```
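The log search described above, extended into a small triage function as an added example (not CERT-FR's code): it groups lines containing `${run` by Exim message ID with first and last timestamps, and reports hits that carry no message ID under `-`. The function names, the sample log lines and the `[PLACEHOLDER]` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of Exim mainlog lines containing the "${run" marker.

# Constructed sample log; [PLACEHOLDER] stands in for the logged command text.
sample_log() {
cat <<'EOF'
2019-06-11 14:01:29 1hal5N-0001Hx-3T ** ${run<[PLACEHOLDER]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:01:30 1hal5N-0001Hx-3T Completed
2019-06-11 14:02:14 1hal66-0001I7-MN ** ${run<[PLACEHOLDER]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:03:40 1hal66-0001I7-MN ** ${run<[PLACEHOLDER]>}@localhost: Too many "Received" headers - suspected mail loop
2019-06-11 14:05:02 1hal9Z-0001J2-Qa <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1024
2019-06-11 14:06:17 H=(client.example.net) [192.0.2.55] rejected RCPT <${run<[PLACEHOLDER]>}@localhost>: constructed line without a message id
EOF
}

# Reads a mainlog on stdin. Prints one line per message ID that has at least
# one "${run" hit: ID, first and last timestamp, number of matching lines.
# Matching lines whose third field is not a 16-character Exim message ID are
# grouped under "-" so they are still reported.
exim_run_triage() {
  awk '
    index($0, "${run") {                      # literal match, same as grep -F
      id = (length($3) == 16 && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/) ? $3 : "-"
      if (!(id in count)) { order[++n] = id; first[id] = $1 " " $2 }
      count[id]++
      last[id] = $1 " " $2
    }
    END {
      for (i = 1; i <= n; i++) {              # keep first-seen order
        id = order[i]
        printf "%s first=%s last=%s lines=%d\n", id, first[id], last[id], count[id]
      }
    }'
}

# Run against the constructed sample when executed directly.
sample_log | exim_run_triage
```

The function reads standard input, so rotated or compressed logs can be included with `zcat -f /var/log/exim4/mainlog* | exim_run_triage`.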
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| exim | exim | 4.92 |
Timeline
- Jun 4, 2019 CVE Published
- Jun 10, 2019 PoC Published
- Jun 13, 2019 PoC Published
- Jun 17, 2019 PoC Published
- Aug 23, 2019 PoC Published
- Aug 26, 2019 PoC Published
- May 28, 2020 PoC Published
- May 29, 2020 PoC Published
- Jun 16, 2020 PoC Published
- Oct 9, 2020 PoC Published
- Oct 22, 2020 PoC Published
- Oct 22, 2020 PoC Published
References
- [oss-security] 20190605 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit mailing-list
- USN-4010-1 vendor-advisory
- DSA-4456 vendor-advisory
- 20190605 [SECURITY] [DSA 4456-1] exim4 security update mailing-list
- GLSA-201906-01 vendor-advisory
- [oss-security] 20190606 Re: CVE-2019-10149: Exim 4.87 to 4.91: possible remote exploit mailing-list
- 108679 vdb
- openSUSE-SU-2019:1524 vendor-advisory
- 20190611 The Return of the WIZard: RCE in Exim (CVE-2019-10149) mailing-list
- [oss-security] 20190725 Re: Statistics for distros lists updated for 2019Q2 mailing-list
- [oss-security] 20190726 Re: Statistics for distros lists updated for 2019Q2 mailing-list
- [oss-security] 20210504 21Nails: Multiple vulnerabilities in Exim mailing-list
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10149 url
- https://www.exim.org/static/doc/security/CVE-2019-10149.txt url
- http://packetstormsecurity.com/files/153218/Exim-4.9.1-Remote-Command-Execution.html url
- http://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html url
- http://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html url