CVE-2019-13917
Published 2019-07-25
Priority P262 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 8.62% (94.4th percentile)
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | exim4 | < 4.92-10 (bookworm) | 4.92-10 (bookworm) |
| exim | exim | 4.85 – 4.92 | — |
Detection & IOCs (extracted from sources)
- Vulnerable Exim versions are 4.85 through 4.92; flag any Exim process or banner (`exim -bV` output, the SMTP 220 greeting) reporting these versions as potentially exploitable under CVE-2019-13917. Distribution packages backport the fix without changing the upstream version string (Debian's fixed 4.92-10 still reports 4.92), so confirm the package release, not only the banner.
- Inspect Exim configuration files for the '${sort }' expansion. Its presence in combination with attacker-controllable variables ($local_part, $domain) is the direct trigger for this RCE; a '${sort }' over a fixed, administrator-controlled list is not.
- The default Exim upstream configuration does NOT contain '${sort }'; only non-default/custom configurations are affected. Audit non-default configs specifically.
- Exploitation requires a non-default Exim configuration that uses '${sort }' with attacker-controllable input (e.g., $local_part or $domain). Default Exim deployments are NOT affected.
- Red Hat Enterprise Linux 5 ships Exim 4.63 and is not affected; only Exim 4.85–4.92 are vulnerable.
- Mitigation, short of patching to 4.92.1 or a distribution build that backports the fix, is to remove every use of '${sort }' from the Exim configuration.
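The two checks above (affected version range, and '${sort }' applied to client-controlled variables) as one audit script. This is an added example, not code from the page or from the Exim project. The sample configuration is constructed for the example and follows Exim's `${sort{<list>}{<comparator>}{<extractor>}}` form; the advisory names only $local_part and $domain as attacker-controlled, so the extra envelope-derived variables in `ATTACKER_CONTROLLED` are this example's assumption, and on a real host you would feed it `exim -bV` output and the deployed configuration instead of the embedded strings.

```python
"""Audit an Exim host for CVE-2019-13917 exposure (added example).

Exposure needs BOTH an affected version (4.85 <= v < 4.92.1) AND a
${sort } expansion over data a remote SMTP client controls.
"""
import re

AFFECTED_MIN = (4, 85)
FIXED_UPSTREAM = (4, 92, 1)   # first upstream release with the fix

# $local_part and $domain come from the advisory; the others are this
# example's assumption about further envelope-derived variables.
ATTACKER_CONTROLLED = (
    "$local_part", "$domain", "$sender_address",
    "$sender_address_local_part", "$sender_address_domain",
)

_VERSION_RE = re.compile(r"Exim(?:\s+version)?\s+(\d+)\.(\d+)(?:\.(\d+))?", re.I)
_SORT_RE = re.compile(r"\$\{\s*sort\b", re.I)


def parse_exim_version(text):
    """(major, minor, patch) from `exim -bV` output or an SMTP 220
    greeting such as '220 mx ESMTP Exim 4.92 ...'; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_affected(version):
    """True for 4.85 <= version < 4.92.1."""
    major, minor, patch = version
    return (major, minor) >= AFFECTED_MIN and (major, minor, patch) < FIXED_UPSTREAM


def _blank_comment_lines(config_text):
    """Blank '#' comment lines but keep the line count, so reported line
    numbers match the file and commented-out ${sort } is ignored."""
    return "\n".join("" if ln.lstrip().startswith("#") else ln
                     for ln in config_text.split("\n"))


def _balanced_end(text, open_brace):
    """Index just past the '}' matching the '{' at open_brace; handles
    nested expansions and backslash escapes."""
    depth, i = 0, open_brace
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)          # unterminated expansion: take the rest


def find_sort_expansions(config_text):
    """[(line_no, expansion_text, [controlled vars referenced])] for every
    ${sort ...} in the uncommented configuration."""
    text = _blank_comment_lines(config_text)
    findings = []
    for m in _SORT_RE.finditer(text):
        end = _balanced_end(text, m.start() + 1)
        expansion = text[m.start():end]
        line_no = text.count("\n", 0, m.start()) + 1
        tainted = [v for v in ATTACKER_CONTROLLED
                   if re.search(re.escape(v) + r"(?![A-Za-z0-9_])", expansion)]
        findings.append((line_no, expansion, tainted))
    return findings


def audit(version_text, config_text):
    """Combine both checks into one verdict dict."""
    version = parse_exim_version(version_text)
    affected = version is not None and version_is_affected(version)
    sorts = find_sort_expansions(config_text)
    tainted = [(ln, vs) for ln, _, vs in sorts if vs]
    return {"version": version, "version_affected": affected,
            "sort_expansions": len(sorts), "tainted_sorts": tainted,
            "vulnerable": affected and bool(tainted)}


# Constructed exim4 fragment for this example, not a real deployment.
SAMPLE_CONFIG = """\
# constructed exim4 fragment
primary_hostname = mail.example.test
domainlist local_domains = @ : localhost

# benign: sorts a fixed, administrator-controlled list
ordered_mx = ${sort{mx3.example.test,mx1.example.test}{<}{$item}}

# dangerous: feeds the RCPT TO: local part into ${sort }
custom_router:
  driver = redirect
  data = ${sort{${lookup{$local_part}lsearch{/etc/exim4/aliases}}}{<}{$item}}

# commented out, must not be reported
# data = ${sort{$domain}{<}{$item}}
"""

if __name__ == "__main__":
    # Constructed banner; on a live host pass `exim -bV` output instead.
    print(audit("Exim version 4.92 #3 built 07-Jun-2019", SAMPLE_CONFIG))
```

The benign sort on line 6 of the sample is reported but not flagged, while the one on line 11 is flagged because $local_part reaches the sorted list; with a 4.92.1 banner the same config yields `vulnerable: False`, which is why the version check and the config check must be combined rather than used alone.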
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
exim: ${sort} in configuration leads to privilege escalation
vendor_redhat · 2019-07-25 · CVSS 9.8 · CRITICAL · CWE-20
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Statement: As per upstream, this exim security flaw only affects exim versions from 4.85 up to and including 4.92. Since Red Hat Enterprise Linux 5 ships exim-4.63, it is not affected by this flaw.
Mitigation: Do not use ${sort } in your exim configuration.
Package: exim (Red Hat Enterprise Linux 5) - Not affected
Ubuntu
Exim vulnerability
vendor_ubuntu · 2019-07-25
Summary: Exim could be made to run programs as an administrator if it received specially crafted network traffic.
Jeremy Harris discovered that Exim incorrectly handled sort expansions. In environments where sort expansions are used, a remote attacker could possibly use this issue to execute arbitrary code as root.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2019-13917: exim4
vendor_debian · 2019 · CVSS 9.8 · CRITICAL
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Scope: local
bookworm: resolved (fixed in 4.92-10)
bullseye: resolved (fixed in 4.92-10)
forky: resolved (fixed in 4.92-10)
sid: resolved (fixed in 4.92-10)
trixie: resolved (fixed in 4.92-10)
GHSA
GHSA-w2fj-xv79-84gh: Exim 4
ghsa_unreviewed · 2022-05-24 · CRITICAL
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
OSV
CVE-2019-13917: Exim 4
osv · 2019-07-25 · CVSS 9.8 · CRITICAL
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-13917 exim: ${sort} in configuration leads to privilege escalation [fedora-all]
bugzilla · 2019-07-26 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
CVE-2019-13917 exim: ${sort} in configuration leads to privilege escalation [epel-all]
bugzilla · 2019-07-26 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2019-13917 exim: ${sort} in configuration leads to privilege escalation
bugzilla · 2019-07-19 · CVSS 9.8 · CRITICAL
A flaw was found in exim, in which if the server configuration uses the ${sort } expansion, then this could be controlled by the remote attacker (e.g. $local_part, $domain), resulting in the attacker able to execute programs with root privileges.
Note: The default config, as shipped by exim upstream, does not contain ${sort }.
exim versions from 4.85 up to and including 4.92 are affected.
Acknowledgments: Jeremy Harris
---
Statement:
As per upstream, this exim security flaw only affects exim versions from 4.85 up to and including 4.92. Since Red Hat Enterprise Linux 5 ships exim-4.63, it is not affected by this flaw.
---
Mitigation:
Do not use ${sort } in your exim configuration.
---
References
- http://exim.org/static/doc/security/CVE-2019-13917.txt
- http://www.openwall.com/lists/oss-security/2019/07/26/5
- https://seclists.org/bugtraq/2019/Jul/51
- https://security.gentoo.org/glsa/201909-06
- https://www.debian.org/security/2019/dsa-4488