SECURITY ALERT: Remote Code Execution (RCE) Vulnerability in Exim MTA (CVE-2019-10149)

Updated: 17 Jun 2019
Product/Version: Deep Security All.All
Platform: Linux - Red Hat RHEL 6 64-bit; Linux - Red Hat RHEL 7 64-bit

Summary

Updated on June 19, 2019 - New detection information added

On June 3, 2019, details of a critical remote code execution (RCE) vulnerability (CVE-2019-10149) in the popular mail transfer agent (MTA) Exim were disclosed on the Open Source Security (OSS) mailing list. The vulnerability affects versions 4.87 through 4.91.

On June 14, 2019, it was also reported by Microsoft MSRC that an active Linux worm leveraging this vulnerability may be in the wild.

Trend Micro also has a more in-depth blog post on the issue: Hacker Groups Pounce on Millions of Vulnerable Exim Servers.

 

 
Please note that this is not a Trend Micro-specific vulnerability.
 
Details

Vendor Solution

The vulnerability has been patched in version 4.92, which is currently available.

In addition, the Exim maintainers have announced a public fix for the vulnerability that can be backported to all affected versions (4.87 - 4.91), although these versions are now said to be no longer officially supported.
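
To triage hosts against the version range above, the following added example (not Trend Micro or Exim project code) classifies the first line of `exim -bV` output as affected (4.87 through 4.91), fixed (4.92 or later), older, or unknown. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Exim version banner against the range given in
# this advisory (4.87 through 4.91 affected, fixed in 4.92).

# Reduce a banner such as "Exim version 4.89 #2 built 14-Jun-2017 05:03:07"
# to "major minor". Suffixes like "4.90_1" or "4.92.3" are ignored.
exim_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Print one of: affected, fixed, older, unknown
classify_exim() {
    mm=$(exim_major_minor "$1")
    [ -n "$mm" ] || { echo unknown; return 0; }
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -ne 4 ]; then
        # Any other major version is outside the 4.87 - 4.91 range.
        if [ "$major" -gt 4 ]; then echo fixed; else echo older; fi
    elif [ "$minor" -lt 87 ]; then
        echo older        # below the range the advisory lists
    elif [ "$minor" -le 91 ]; then
        echo affected     # 4.87 through 4.91
    else
        echo fixed        # 4.92 or later
    fi
}

# On a host, pass the real banner instead of the samples below:
#   classify_exim "$(exim -bV 2>/dev/null | head -n 1)"

# Constructed sample banners, not captured from real systems.
for banner in \
    "Exim version 4.86_2 #1 built 01-Jan-2016 00:00:00" \
    "Exim version 4.89 #2 built 14-Jun-2017 05:03:07" \
    "Exim version 4.90_1 #4 built 01-Feb-2018 00:00:00" \
    "Exim version 4.92 #3 built 10-Feb-2019 00:00:00" \
    "not an exim banner"
do
    printf '%-9s %s\n' "$(classify_exim "$banner")" "$banner"
done
```

Because the fix can be backported to 4.87 - 4.91 without changing the reported version, an `affected` result means the package's patch level still needs to be checked, not that the host is necessarily unpatched.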

 

Trend Micro Recommendation and Solutions

As with any vulnerability, Trend Micro highly recommends that users apply all critical patches and fixes that vendors provide for security issues as soon as possible. These patches will provide the strongest level of defense against any potential attacks.

 
Since this vulnerability potentially impacts a critical component in many environments (the MTA), it is strongly recommended that patches or upgrades be applied as quickly as possible.
 

Trend Micro has analyzed the available information to determine whether proactive protection rules and filters can be created to help protect against potential attacks, and has deployed the following:

 

Product | Protection Type | Identifier
Deep Security | Intrusion Prevention Rule | 1009797 - Exim 'deliver_message' Command Injection Vulnerability (CVE-2019-10149)
TippingPoint | DigitalVaccine (DV) Filter | 35520: SMTP: Exim Internet Mailer Command Injection Vulnerability
Anti-Malware Products | Pattern File Detection | Trojan.SH.MIXBASH.A
 
As previously mentioned, there is now news of an active Linux worm exploiting this particular vulnerability, which makes getting protection in place as soon as possible critical. Trend Micro is actively monitoring and researching to ensure that protection against these new exploits is in place.

 

Category: Upgrade; Update
Solution Id: 1122972