CVE-2010-4345
published 2010-12-14


Priority: P1 81 high, CVSS 3.1 score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 17.79% (96.8th percentile)
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Affected (11 ranges)

Vendor      Product        Version range                Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      exim4          < exim4 4.72-3 (bookworm)    exim4 4.72-3 (bookworm)
exim        exim           <= 4.72
opensuse    opensuse
opensuse    opensuse
opensuse    opensuse

Detection & IOCs (extracted from sources)

command: exim -C#{temp_conf} -q
command: perl -e 'print pack qq{H*},shift'
  • Monitor for Exim process invoked with the -C flag (alternate config file) running as root or the exim/Debian-exim user — this is the core exploitation primitive for CVE-2010-4345.
  • Alert on Exim spawning a Perl interpreter child process, especially when Perl is used to write and execute a payload script in a temp directory — indicative of the two-stage privilege escalation chain.
  • Detect use of the spool_directory directive in non-standard/alternate Exim config files, which is the demonstrated method for embedding arbitrary commands.
  • Audit the /etc/exim4/trusted_configs file and flag any config files not owned by root that are being passed via -C, as post-patch bypass attempts may target this mechanism.
  • CVE-2010-4345 was chained with CVE-2010-4344 (heap overflow in string_vformat) in real-world attacks; detection of the heap overflow exploit (oversized SMTP message triggering rejection logging) should also trigger investigation for the local privilege escalation follow-on.
  • After patching, Exim no longer runs alternate config files specified with -C as root by default. Legitimate use of -C for root-privileged operations now requires the target config file to be listed in /etc/exim4/trusted_configs AND owned by root.
  • The -D option (macro definitions) also no longer runs as root post-patch; macro definitions requiring root privileges must be moved into trusted configuration files.
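As an added example (not code from this page or from the Exim project), the -C, Perl-child and trusted_configs checks above expressed as a small Python detector run over constructed process events; the event schema, the trusted_configs contents and the file-owner map are assumptions stood in for what a real host would supply.

```python
import shlex

# Constructed stand-ins for /etc/exim4/trusted_configs and file ownership;
# a real detector would read both from the host being checked.
TRUSTED_CONFIGS = {"/etc/exim4/exim4.conf"}
FILE_OWNER = {"/etc/exim4/exim4.conf": "root", "/tmp/tmp.x1y2.conf": "Debian-exim"}
EXIM_BINARIES = {"exim", "exim4"}

def config_from_argv(argv):
    """Return the path given with -C, accepting both '-C path' and '-Cpath'."""
    for i, arg in enumerate(argv):
        if arg == "-C" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-C") and len(arg) > 2:
            return arg[2:]
    return None

def assess_event(event):
    """Alerts for one process event; hypothetical schema: user, parent (comm), cmdline."""
    alerts = []
    argv = shlex.split(event["cmdline"])
    if not argv:
        return alerts
    exe = argv[0].rsplit("/", 1)[-1]
    if exe in EXIM_BINARIES:
        cfg = config_from_argv(argv)
        # Post-patch rule: a -C config is trusted only if it is listed in
        # trusted_configs AND owned by root; anything else is suspect.
        if cfg is not None and (cfg not in TRUSTED_CONFIGS or FILE_OWNER.get(cfg) != "root"):
            alerts.append(f"exim -C with untrusted config {cfg} as {event['user']}")
    if exe == "perl" and event.get("parent") in EXIM_BINARIES:
        alerts.append(f"perl spawned by exim as {event['user']}")
    return alerts

def scan(events):
    """Run every event through assess_event and collect the alerts."""
    return [alert for event in events for alert in assess_event(event)]

# Constructed sample events: one untrusted -C load, one exim->perl child, one benign cron run.
SAMPLE_EVENTS = [
    {"user": "Debian-exim", "parent": "sh", "cmdline": "/usr/sbin/exim -C/tmp/tmp.x1y2.conf -q"},
    {"user": "root", "parent": "exim", "cmdline": "perl -e 'print pack qq{H*},shift'"},
    {"user": "root", "parent": "cron", "cmdline": "/usr/sbin/exim4 -C /etc/exim4/exim4.conf -q"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign cron run produces no alert because its config is both listed and root-owned; the two remaining events each produce one alert.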

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     6.9    MEDIUM    AV:L/AC:M/Au:N/C:C/I:C/A:C
osv                      7.8    HIGH
vulncheck                7.8    HIGH
cisa                     7.8    HIGH
vendor_debian            7.8    HIGH
vendor_redhat            7.8    HIGH
vendor_ubuntu            4.4    MEDIUM