Exim CVE-2019-10149 Vulnerability
A vulnerability was found in Exim up to 4.92 (Mail Server Software) and classified as critical. The affected component is not specified. Manipulation with an unknown input leads to a privilege escalation vulnerability. The weakness is classified as CWE-269. Confidentiality, integrity, and availability are impacted.
The weakness was disclosed on 06/03/2019 in the confirmed security advisory "CVE-2019-10149 Exim 4.87 to 4.91" (website). The advisory is available for download at exim.org. The public release was coordinated with the vendor. This vulnerability is tracked as CVE-2019-10149. The attack may be launched remotely. Neither technical details nor an exploit are publicly available. The current price for an exploit might be approximately USD $0-$5k (estimate calculated on 06/04/2019).
How to Protect Your cPanel Servers
The best way to protect yourself is to upgrade to a supported version of cPanel & WHM. All supported versions of cPanel & WHM are immune to the exploit. Version 80 was never vulnerable, as it included a newer (and non-vulnerable) version of Exim.
To confirm you are already running a patched version, you can run this command on the server:
rpm -q exim
The output will show you the Exim versions that are installed, and should look something like what’s below:
For Version 78: exim-4.92-1.cp1178.x86_64
For Version 80: exim-4.92-1.cp1180.x86_64
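To turn that manual comparison into a repeatable check, here is an added example (not cPanel's own tooling) that classifies the package name printed by rpm -q exim against the ranges given on this page: Exim 4.87 through 4.91 vulnerable, 4.92 and later fixed, and the cPanel branch read from the cp11NN release tag. The fallback sample package name is constructed for illustration.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: classify the package name that
# `rpm -q exim` prints on a cPanel server against the ranges this page gives
# (Exim 4.87-4.91 vulnerable; 4.92 and later fixed; cPanel 78/80 ship 4.92).

# Print the upstream Exim version from an rpm NVR string, e.g.
#   exim-4.92-1.cp1178.x86_64 -> 4.92
exim_version() {
    v=${1#exim-}                 # drop the package name
    printf '%s\n' "${v%%-*}"     # drop release and architecture
}

# Print the cPanel branch encoded in the release tag (cp1178 -> 78),
# or "none" when the package carries no cPanel tag.
cpanel_branch() {
    case "$1" in
        *.cp11[0-9][0-9].*) r=${1#*.cp11}; printf '%s\n' "${r%%.*}" ;;
        *) printf 'none\n' ;;
    esac
}

# Classify: patched (>= 4.92), vulnerable (4.87-4.91), or unknown.
# Always returns 0 so it is safe to call under `set -e`.
exim_status() {
    case "$1" in exim-[0-9]*) ;; *) printf 'unknown\n'; return 0 ;; esac
    ver=$(exim_version "$1")
    case "$ver" in ''|*[!0-9.]*) printf 'unknown\n'; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}            # 4.92.3 -> 92
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
        printf 'patched\n'
    elif [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        printf 'vulnerable\n'
    else
        printf 'unknown\n'
    fi
}

# Stand-alone run: check the live package when rpm is available, otherwise
# fall back to a constructed sample resembling an unpatched Version 76 box.
pkg=$(rpm -q exim 2>/dev/null || printf 'exim-4.91-2.cp1176.x86_64')
printf '%s: exim %s, cPanel branch %s -> %s\n' "$pkg" \
    "$(exim_version "$pkg")" "$(cpanel_branch "$pkg")" "$(exim_status "$pkg")"
```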
cPanel & WHM Version 76 Not Patched
cPanel & WHM Version 76 reached end of life in April of this year and was the last version to support EasyApache 3. Some hosting providers have not yet migrated to EasyApache 4, which means they are prevented from upgrading beyond Version 76. If you are using EasyApache 3, you are not only vulnerable to this exploit, but also dozens of exploits that exist in the now end-of-life versions of Apache and PHP used by EasyApache 3.
If you are concerned about migrating to EasyApache 4, you shouldn’t be! Migrating to EasyApache 4 is easy! Our technical department will help with the migration from EasyApache 3 to EasyApache 4.