In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specialized in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91.
The vulnerability is described as a remote command execution -- different, but just as dangerous as a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root.
Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account.
But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems.
"To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes)," researchers said.
"However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist."
Furthermore, the Qualys team says that when Exim is in certain non-default configurations, instant exploitation is also possible in remote scenarios.
Vulnerability patched... by accident
The vulnerability was patched with the release of Exim 4.92, on February 10, 2019, but at the time the Exim team released v4.92, they didn't know they fixed a major security hole.
This was only recently discovered by the Qualys team while auditing older Exim versions. Now, Qualys researchers are warning Exim users to update to the 4.92 version to avoid having their servers taken over by attackers. Per the same June 2019 report on email server market share, only 4.34% of all Exim servers run the latest 4.92 release.
This Exim flaw is currently tracked under the CVE-2019-10149 identifier, but Qualys refers to it under the name of "Return of the WIZard" because the vulnerability resembles the ancient WIZ and DEBUG vulnerabilities that impacted the Sendmail email server back in the 90s.
AI, blockchain, servers, smartphones and more: Research round-up