Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
3

Exim Unauthenticated Remote Code Execution via SNI Trailing Backslash

Disclosure Date: September 06, 2019 Last updated March 03, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. If the Exim server accepts TLS connections, the vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.

Add Assessment

5
Ratings
  • Attacker Value
    Very High
Technical Analysis

Exim is run on approximately 57% of the publicly reachable mail servers on the Internet, based on an August 2019 study performed by E-Soft, Inc. 1

Log in to Add Reply
3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

Due to public exploits being available : https://github.com/synacktiv/Exim-CVE-2019-15846, and the fact that Exim is installed on a large number of mail servers, the value to an attacker lies in the fact that this requires no authentication.

There is a deeper explanation of the vulnerability here: https://www.synacktiv.com/posts/exploit/scraps-of-notes-on-exploiting-exim-vulnerabilities.html

Log in to Add Reply

General Information

Offensive Application
remote
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
<= 4.92.1
Prerequisites
Unknown
Discovered By
Zerons <sironhide0null@gmail.com>
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Never
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Very Weak
Shelf Life
Unknown
Userbase/Installbase
Very Large
Patch Effectiveness
Very High
Technical Analysis