
CVE-2019-15846 Exim "A local or remote attacker can execute programs with root privileges."

Comments

23 comments

  • cPanelMichael
    Hello, The following knowledge base article exists for this report:
    0
  • wanico
    Hi cPanel, CVE-2019-15846 What is the workaround patch for this vulnerability and when can we expect a patched Exim release via the upgrade channels? I believe the release date is today.
    0
  • andyf
    Hello, The following knowledge base article exists for this report:
    0
  • keat63
    From a terminal window, if I run the following
        exim --version |head -1
    The results would indicate that I'm already running 4.92 #2, and have been since March this year.
        "Exim version 4.92 #2 built 17-Mar-2019 12:58:50"
    Although WHM service status does say 4.92-1 ??? and
        root@xxxxxxx [~]# whmapi1 installed_versions packages=1|grep exim
        exim: 4.92-1 - exim-4.92-1.cp1180.x86_64
    0
  • Paul Shultz
    Release tarballs for (exim-4.92.2) have been publicly released: Index of /pub/exim/exim4/. Let's see how quick the cPanel Exim packages take. For critical issues such as this where the exploit code is already there, I hope it's within the next 30min, or 9.00am in Texas
    0
  • andyf
    From a terminal window, if I run the following
        exim --version |head -1
    The results would indicate that I'm already running 4.92 #2, and have been since March this year.
        "Exim version 4.92 #2 built 17-Mar-2019 12:58:50"
    Although WHM service status does say 4.92-1 ??? and
        root@xxxxxxx [~]# whmapi1 installed_versions packages=1|grep exim
        exim: 4.92-1 - exim-4.92-1.cp1180.x86_64

    You're confusing cPanel's own -1 or -2 revision with the Exim minor point release of .1 or .2
    0
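
The version mix-up discussed in the two posts above, as an added example that is not part of the original thread: a shell helper that pulls the upstream Exim version out of either string form quoted there and compares it with 4.92.2, the release the thread names as fixed. The function names are hypothetical and the sample strings are constructed from the thread; the check looks at the version number only, so the cPanel & WHM versions stated in the thread remain the authority for patched packages.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; sample strings are
# constructed from the outputs quoted in the thread.

FIXED_VERSION="4.92.2"   # upstream release the thread names as carrying the fix

# Print the upstream Exim version found in a banner line or an RPM name.
exim_upstream_version() {
    case "$1" in
        "Exim version "*)
            # "Exim version 4.92 #2 built ..." : field 3 is the version,
            # "#2" is a build counter and not a point release.
            printf '%s\n' "$1" | awk '{print $3}' ;;
        exim-*)
            # "exim-4.92-1.cp1180.x86_64" : the "-1" after the version is
            # the package revision and not a point release.
            rest=${1#exim-}
            printf '%s\n' "${rest%%-*}" ;;
        *)
            return 1 ;;
    esac
}

# Succeed when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Classify one string relative to FIXED_VERSION.
exim_15846_status() {
    up=$(exim_upstream_version "$1") || { echo "unparsed"; return 0; }
    if version_lt "$up" "$FIXED_VERSION"; then
        echo "below-fix"
    else
        echo "at-or-above-fix"
    fi
}

# Constructed samples: the banner and package strings from the thread,
# plus a banner as a 4.92.2 build would print it.
for sample in \
    "Exim version 4.92 #2 built 17-Mar-2019 12:58:50" \
    "exim-4.92-1.cp1180.x86_64" \
    "exim-4.91-4.cp1170.x86_64" \
    "Exim version 4.92.2 #2 built 06-Sep-2019 12:00:00"
do
    printf '%-55s %s\n' "$sample" "$(exim_15846_status "$sample")"
done
```
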
  • cPanelMichael
    Hello Everyone, As of Friday, September 6, 2019, Exim has published a fix for CVE-2019-15846 and cPanel & WHM version 82.0.14 was published with a version of Exim that includes the fix. We'll continue to provide updates on this report at the link below:
    0
  • andyf
    @cPanelMichael How long before this hits RELEASE?
    0
  • cPanelMichael
    @andyf, Tentatively looking at early next week for the rollout of this patch to the additional supported release tiers. In the meantime, you could use WHM >> Update Preferences to switch over to the CURRENT release tier: Thank you. Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
    0
  • cPanelMichael
    Hello Everyone, To update, cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue. Thank you.
    0
  • Paul Shultz
    Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.

    Good work with speedy roll-out, thanks.
    0
  • parsley93
    Hello everyone. I've got a couple of servers with CloudLinux release 7.6 with version 11.70.0.69 and version of exim - exim-4.91-4.cp1170.x86_64. Is there a possibility to upgrade exim to version 4.92.2 without upgrading the version of cPanel and the server, to avoid the exim vulnerability in CVE-2019-15846? I tried to update via yum update exim but it didn't work. Has anyone had this problem? And how can I solve it?
    0
  • Babene7
    I don't think that's possible, the LTS patch only goes back to version 78. You should update those servers to the latest cPanel version. Why do you keep them outdated?
    0
  • cPanelMichael
    I've got a couple of servers with CloudLinux release 7.6 with version 11.70.0.69 and version of exim - exim-4.91-4.cp1170.x86_64. Is there a possibility to upgrade exim to version 4.92.2 without upgrading the version of cPanel and the server, to avoid the exim vulnerability in CVE-2019-15846?

    All versions of cPanel & WHM below the stated versions under the Releases section on the Thank you.
    0
  • parsley93
    I don't think that's possible, the LTS patch only goes back to version 78. You should update those servers to the latest cPanel version. Why do you keep them outdated?

    I've got an old version of WHMCS which is quite incompatible with versions 78 and 80 of cPanel. Second reason - costs - unfortunately my employer is reluctant to upgrade, which is annoying. And these servers are badly neglected - so I try to do what I can.
    0
  • cPanelMichael
    Hello @parsley93, I recommend reaching out to
    0
  • oldie
    I've got an old version of WHMCS which is quite incompatible with versions 78 and 80 of cPanel. Second reason - costs - unfortunately my employer is reluctant to upgrade, which is annoying. And these servers are badly neglected - so I try to do what I can.

    I feel your pain. from
    0
  • cPanelMichael
    So it appears you can mitigate by not offering TLS on exim [easy to do via WHM] and/or by adding the two ACL snippet deny commands listed above - it looks like it's possible in WHM but I'm not entirely sure, or which section to do it in.

    Hello @oldie, While I understand the manual mitigation step is referenced by Exim on the link you provided, it's important to understand this workaround is not tested or supported by cPanel & WHM. Editing a server's Exim configuration with those changes could potentially lead to email deliverability issues. Furthermore, the referenced workaround is not confirmed to mitigate the reported vulnerability. The safest approach here is to upgrade cPanel & WHM to a supported version, or work with us to help troubleshoot any technical issues that are preventing you from upgrading to a supported cPanel & WHM version. Thank you.
    0
  • oldie
    Hello @oldie, The safest approach here is to upgrade cPanel & WHM to a supported version, or work with us to help troubleshoot any technical issues that are preventing you from upgrading to a supported cPanel & WHM version. Thank you.

    Unfortunately working with legacy app with legacy php so unless cPanel get generous and backport exim port for WHM 76 then have to look for other options/workarounds.
    0
  • oldie
    Does using an external email provider such as zoho or gsuite and set mx to their servers mitigate this exim issue, even if the cPanel server generates and sends emails [such as CFS/php script generated email] ?
    0
  • cPanelMichael
    Does using an external email provider such as zoho or gsuite and set mx to their servers mitigate this exim issue, even if the cPanel server generates and sends emails [such as CFS/php script generated email] ?

    Hello @oldie, The vulnerability is applicable to unpatched cPanel & WHM servers with Exim enabled in WHM >> Service Manager. Using an external email provider does not mitigate the vulnerability unless you've disabled the Exim service. Thank you.
    0
  • cPanelMichael
    Unfortunately working with legacy app with legacy php so unless cPanel get generous and backport exim port for WHM 76 then have to look for other options/workarounds.

    CloudLinux is one alternative to consider here due to its support for legacy PHP versions as part of its PHP Selector feature: https://www.cloudlinux.com/php-selector https://docs.cpanel.net/search/?product=all&q=knowledge-baseHow+to+purchase+CloudLinux Thank you.
    0
  • ciao70
    Hello, [security] Fixed case CPANEL-29669: Updated Exim for CVE-2019-16928. Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command. 11.82.0.16
    0
