CVE-2019-13917
📋 TL;DR
CVE-2019-13917 is a critical remote code execution vulnerability in Exim mail servers that allows attackers to execute arbitrary commands as root in certain configurations. It affects Exim versions 4.85 through 4.92 when using the ${sort } expansion feature with attacker-controlled variables like $local_part or $domain. Organizations running vulnerable Exim configurations are at risk of complete system compromise.
💻 Affected Systems
- Exim
📦 What is this software?
Exim by Exim
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains root shell access on the Exim server, leading to complete system compromise, data theft, and potential lateral movement within the network.
Likely Case
Remote code execution as root on vulnerable Exim servers, allowing attackers to install malware, create backdoors, or use the server as a pivot point.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are applied, though the vulnerability still allows root access on the affected system.
🎯 Exploit Status
Exploits have been publicly available since disclosure. The vulnerability requires specific configuration conditions but is easily exploitable when those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.92.1
Vendor Advisory: http://exim.org/static/doc/security/CVE-2019-13917.txt
Restart Required: Yes
Instructions:
1. Download Exim 4.92.1 or later from exim.org
2. Stop Exim service: systemctl stop exim
3. Install the new version following vendor instructions
4. Restart Exim: systemctl start exim
5. Verify the patch is applied
🔧 Temporary Workarounds
Disable vulnerable sort expansion
- Remove or disable configurations using ${sort } expansion with user-controlled variables
- Review Exim configuration files for ${sort } usage
- Comment out or remove vulnerable configurations
🧯 If You Can't Patch
- Implement strict network controls to limit access to Exim service
- Monitor for exploitation attempts and unusual process activity
🔍 How to Verify
Check if Vulnerable:
Check Exim version with: exim -bV | grep version
If version is between 4.85 and 4.92 inclusive, check configuration for ${sort } usage with $local_part or $domain variables.
Check Version:
exim -bV | grep version
Verify Fix Applied:
Verify Exim version is 4.92.1 or later: exim -bV | grep version
Ensure no vulnerable ${sort } configurations remain.
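The two checks above (version in the 4.85 to 4.92 range, and ${sort } used with $local_part or $domain) as an added POSIX shell example; this is not code from the advisory or the Exim project. The function names is_vulnerable_version, version_from_bv and config_has_risky_sort are chosen here, and the two configuration fragments are constructed for the demonstration rather than taken from a real deployment.

```shell
#!/bin/sh
# Added example (not from the advisory): version-range check plus a line-based
# scan of an Exim configuration for ${sort } expansions that reference
# $local_part or $domain. Sample configs below are constructed for the demo.

# is_vulnerable_version VERSION -> exit 0 if VERSION is in 4.85..4.92 inclusive
# (4.92.1 and later carry the fix, per the advisory)
is_vulnerable_version() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # keep only the leading digits of the minor/patch fields ("92_RC1" -> "92")
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "4" ] || return 1
    [ -n "$minor" ] || return 1
    [ "$minor" -ge 85 ] || return 1
    [ "$minor" -le 92 ] || return 1
    if [ "$minor" -eq 92 ] && [ "${patch:-0}" -ge 1 ]; then
        return 1
    fi
    return 0
}

# version_from_bv: reads `exim -bV` output on stdin, prints the version token
# from the first line ("Exim version 4.92 #3 built ..." -> "4.92")
version_from_bv() {
    sed -n 's/^Exim version \([^ ]*\).*/\1/p' | head -n 1
}

# config_has_risky_sort FILE -> exit 0 if a non-comment line uses ${sort together
# with $local_part or $domain. Line-based heuristic: an expansion split across
# several lines can be missed, and names like $domain_data also match
# (deliberately conservative; review every hit by hand).
config_has_risky_sort() {
    grep -v '^[[:space:]]*#' "$1" | grep -F '${sort' | grep -Eq '[$](local_part|domain)'
}

# Constructed sample configuration fragments (demo input, not real deployments)
RISKY_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$RISKY_CONF" "$SAFE_CONF"' EXIT
cat > "$RISKY_CONF" <<'EOF'
# constructed router fragment: sorts a list derived from the sender-controlled local part
local_sorted:
  driver = redirect
  data = ${sort {$local_part} {<} {$item}}
EOF
cat > "$SAFE_CONF" <<'EOF'
# constructed fragment: sort over a fixed, administrator-controlled list only
  data = ${sort {a:b:c} {<} {$item}}
  # ${sort {$domain} ...} is commented out here, so it must not be flagged
EOF

# Demonstration on the constructed inputs. For a live host, replace the printf
# with `exim -bV` and pass the real configuration path instead of $RISKY_CONF.
run_demo() {
    v=$(printf 'Exim version 4.92 #3 built 12-Jul-2019\n' | version_from_bv)
    if is_vulnerable_version "$v"; then
        echo "version $v: within the affected range, check configuration"
    else
        echo "version $v: outside the affected range"
    fi
    if config_has_risky_sort "$RISKY_CONF"; then echo "risky config: flagged"; fi
    if config_has_risky_sort "$SAFE_CONF"; then echo "safe config: flagged"; else echo "safe config: clean"; fi
}
run_demo
```

On a real server, feed the output of `exim -bV` into version_from_bv and point config_has_risky_sort at the path that `exim -bP configure_file` prints; a flagged version with no ${sort } hit still warrants the upgrade, since the configuration scan is only a line-based heuristic.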
📡 Detection & Monitoring
Log Indicators:
- Unusual ${sort } expansion in Exim logs
- Unexpected command execution in system logs
- Failed authentication attempts followed by sort operations
Network Indicators:
- Unusual SMTP traffic patterns
- Exploit payloads in network traffic
SIEM Query:
source="exim.log" AND "${sort"
🔗 References
- http://exim.org/static/doc/security/CVE-2019-13917.txt
- http://www.openwall.com/lists/oss-security/2019/07/26/5
- https://seclists.org/bugtraq/2019/Jul/51
- https://security.gentoo.org/glsa/201909-06
- https://www.debian.org/security/2019/dsa-4488