Exim Exploit: What You Need to Know
On Wednesday 4th September 2019, Exim maintainers announced that they had received a report of a potential remote exploit in Exim, in versions up to and including 4.92.2.
CVE-2019-15846 is the new unauthenticated remote code execution vulnerability in the Exim message transfer agent. It allows remote attackers to execute arbitrary code as root via a trailing backslash.
How do I protect against it?
This vulnerability has been patched in version 4.92.2 and all users have been urged to update immediately.
First, check what version of WHM/cPanel you’re running via SSH: /usr/local/cpanel/cpanel -V
Then check what version of Exim you have installed via SSH: rpm -q exim
You should get the following patched responses:
- Patched response on version 82 and the EDGE tier: exim-4.92-3.cp1180.x86_64
- Patched response on LTS version 78: exim-4.92-5.cp1178.x86_64
If the resulting responses identify that your version is (or is older than) 4.92.2, then your version of Exim may be vulnerable. You can then confirm this by running: rpm -q –changelog exim | grep CVE-2019-15846
Updating
If you’ve confirmed that the version you are running is vulnerable, update the Exim version in cPanel as follows:
- /scripts/upcp
- /scripts/check_cpanel_rpms –fix –long-list
You should get an output similar to: Applied upstream patch for CVE-2019-15846
If you are using Exim but not with cPanel or WHM, update using your OS software package updater.
For any further information on CVE-2019-15846, you can view cPanel’s supporting documentation here.
Support
The UKFast team is more than happy to help answer any questions you may have about your security or carrying out the above updates. Please don’t hesitate to contact the UKFast support team on 0800 923 0605.