CVE-2019-15846
Published 2019-09-27
CVE-2019-15846: Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat…
Priority: P194 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 35.74% (98.3th percentile)
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.92.1-3 (bookworm) | exim4 4.92.1-3 (bookworm) |
| debian | exim4 | < exim4 4.92.2-3 (bookworm) | exim4 4.92.2-3 (bookworm) |
| exim | exim | < 4.92.2 | 4.92.2 |
| exim | exim | 4.92 – 4.92.2 | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- CVE-2019-15846 is exploitable via a trailing backslash in SMTP input, triggering an out-of-bounds access in string_interpret_escape() in the Exim SMTP delivery process
- The vulnerable function is string_interpret_escape(); monitor Exim SMTP sessions for malformed escape sequences (trailing backslash) in input strings
- The vulnerability affects Exim versions prior to 4.92.2; identify exposed Exim instances via banner grabbing or Shodan-style scanning and flag any version below 4.92.2
- Red Hat Enterprise Linux 5 ships a vulnerable version of Exim but the flaw is not exposed to untrusted inputs in that configuration, so remote code execution is not achievable on RHEL 5
- Exim is not shipped with Red Hat Enterprise Linux 6, 7, or 8, so those platforms are not affected
CVSS provenance
- nvd (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- osv: 9.8 CRITICAL
- vulncheck: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_redhat: 9.8 CRITICAL
GHSA
GHSA-f368-8x8g-4m4v: Exim before 4
ghsa_unreviewed·2022-05-24
CVE-2019-15846 [CRITICAL] GHSA-f368-8x8g-4m4v: Exim before 4
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
GHSA
GHSA-xg2f-gj2p-r7xq: Exim 4
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2019-16928 [CRITICAL] CWE-120 GHSA-xg2f-gj2p-r7xq: Exim 4
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
OSV
CVE-2019-16928: Exim 4
osv·2019-09-27·CVSS 9.8
CVE-2019-16928 [CRITICAL] CVE-2019-16928: Exim 4
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
OSV
CVE-2019-15846: Exim before 4
osv·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] CVE-2019-15846: Exim before 4
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
VulnCheck
Exim before 4.92.2 Trailing Backslash Remote Code Execution
vulncheck·2019·CVSS 9.8
CVE-2019-15846 [CRITICAL] Exim before 4.92.2 Trailing Backslash Remote Code Execution
Exim before 4.92.2 Trailing Backslash Remote Code Execution
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Affected: Exim Exim
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://go.recordedfuture.com/hubfs/reports/cta-2024-0208.pdf
Exploit PoC: https://vulncheck.com/xdb/86b74ec0b207
Red Hat
exim: remotely triggerable buffer overflow in string_vformat()
vendor_redhat·2019-09-27·CVSS 9.8
CVE-2019-16928 [CRITICAL] CWE-131 exim: remotely triggerable buffer overflow in string_vformat()
exim: remotely triggerable buffer overflow in string_vformat()
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
A heap-based buffer overflow flaw was found in Exim. The overflow can be triggered via a specially crafted SMTP-protocol EHLO message, which may lead to unauthenticated remote code execution. It is thought that the execution of the remote code would be at the exim user level, although execution as the root user cannot be ruled out.
Statement: This issue did not affect Red Hat Enterprise Linux 5 as the exim package did not contain the vulnerable code in any of our supported products.
Package: exim (Red Hat Enterprise Linux 5) - No
Ubuntu
Exim vulnerability
vendor_ubuntu·2019-09-16
CVE-2019-15846 Exim vulnerability
Title: Exim vulnerability
Summary: Exim could be made to run programs as an administrator if it received specially crafted network traffic.
USN-4124-1 fixed a vulnerability in Exim. This update provides the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
vendor_redhat·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] CWE-119 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
An out-of-bounds write flaw was found in exim. The function fails to correctly handle situations when a backslash is the last character of the input string and incorrectly sets the pointer that is supposed to point to the last character of the escape sequence upon function exit. That leads to out-of-bounds read when the caller attempts to process the input string following the escape sequence. Additionally, this may lead to out-of-bounds write when unescaped string is written (to the same or different buffer).
Statement: The flaw in the string_interpret_escape() function exis
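The condition the Red Hat description gives (a backslash as the last input byte, with the cursor left on or past the terminator) is easy to see in a minimal escape interpreter. The block below is an added illustration written for this page, not Exim's string_interpret_escape(); the function name unescape_safe and the escape set it decodes (\n, \t, \\, anything else literal) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimal backslash-escape interpreter (added illustration, not Exim code).
 *
 * The bug class described above: an interpreter that sees '\\' and
 * unconditionally steps to the following byte leaves its cursor on or past
 * the terminating NUL when the backslash is the last byte of input. A caller
 * that resumes from that cursor reads out of bounds, and if it copies what
 * it reads, writes out of bounds as well. Here the trailing backslash is
 * rejected before the step is taken, so the cursor never leaves the string.
 *
 * Returns the decoded length, -1 for a lone trailing backslash, or -2 when
 * the decoded text plus its NUL would not fit in out[].
 */
int unescape_safe(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;

    if (outlen == 0)
        return -2;

    while (*p != '\0') {
        char c = *p;
        if (c == '\\') {
            if (p[1] == '\0')        /* backslash is the last byte: stop */
                return -1;
            p++;                     /* safe: p[1] is a real character */
            switch (*p) {
            case 'n':  c = '\n'; break;
            case 't':  c = '\t'; break;
            case '\\': c = '\\'; break;
            default:   c = *p;   break;  /* unknown escape: keep literal */
            }
        }
        if (o + 1 >= outlen)         /* keep room for the terminating NUL */
            return -2;
        out[o++] = c;
        p++;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed inputs: an ordinary escape and the trailing-backslash case. */
    char buf[32];
    printf("normal:   %d\n", unescape_safe("a\\nb", buf, sizeof buf));
    printf("trailing: %d\n", unescape_safe("abc\\", buf, sizeof buf));
    return 0;
}
```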
Ubuntu
Exim vulnerability
vendor_ubuntu·2019-09-06
CVE-2019-15846 Exim vulnerability
Title: Exim vulnerability
Summary: Exim could be made to run programs as an administrator if it received specially crafted network traffic.
It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2019-15846: exim4 - Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via...
vendor_debian·2019·CVSS 9.8
CVE-2019-15846 [CRITICAL] CVE-2019-15846: exim4 - Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via...
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Scope: local
bookworm: resolved (fixed in 4.92.1-3)
bullseye: resolved (fixed in 4.92.1-3)
forky: resolved (fixed in 4.92.1-3)
sid: resolved (fixed in 4.92.1-3)
trixie: resolved (fixed in 4.92.1-3)
Debian
CVE-2019-16928: exim4 - Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability...
vendor_debian·2019·CVSS 9.8
CVE-2019-16928 [CRITICAL] CVE-2019-16928: exim4 - Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability...
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Scope: local
bookworm: resolved (fixed in 4.92.2-3)
bullseye: resolved (fixed in 4.92.2-3)
forky: resolved (fixed in 4.92.2-3)
sid: resolved (fixed in 4.92.2-3)
trixie: resolved (fixed in 4.92.2-3)
Suricata
ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2
suricata·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2
ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2
Rule: alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; tls.sni; content:"|5c 00|"; fast_pattern; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, cve CVE_2019_15846, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_01;)
Suricata
ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)
suricata·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)
ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)
Rule: alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, cve CVE_2019_15846, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_09_10;)
No public exploits indexed.
Tenable
How COVID-19 Response Is Expanding the Cyberattack Surface
blogs_tenable·2020-03-30
How COVID-19 Response Is Expanding the Cyberattack Surface
Tenable
CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable
blogs_tenable·2019-09-30·CVSS 9.8
[CRITICAL] CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable
Checkpoint
9th September – Threat Intelligence Bulletin
blogs_checkpoint·2019-09-09
CVE-2019-0708 9th September – Threat Intelligence Bulletin
## 9th September – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 9th September 2019, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Attackers have convinced the CEO of an energy company to send $243,000 to a fake supplier using AI to create a deep fake voice impersonation of a chief executive.
“Joker”, an Android spyware first spotted in June 2019, has been found on 24 different applications on Google Play store. Designed to steal SMS messag
Tenable
CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim
blogs_tenable·2019-09-06·CVSS 9.8
[CRITICAL] CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim
Bugzilla
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [fedora-all]
bugzilla·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [fedora-all]
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [fedora-all]
Description of problem:
Root-Exploit in Exim Mailserver.
Version-Release number of selected component (if applicable):
Discussion:
FEDORA-2019-1ed7bbb09c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1ed7bbb09c
---
FEDORA-2019-467fcbb10a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-467fcbb10a
---
FEDORA-2019-ae361e20c2 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ae361e20c2
---
I think it's resolved, dropping needinfo.
---
exim-4.92.2-1.fc30 has been pushed to the Fedora 30 stable
Bugzilla
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [epel-all]
bugzilla·2019-09-06·CVSS 9.8
CVE-2019-15846 [CRITICAL] CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [epel-all]
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process [epel-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit mess
Bugzilla
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
bugzilla·2019-09-03·CVSS 9.8
CVE-2019-15846 [CRITICAL] CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
Quoting from the pre-release of the Exim project security advisory:
The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.
Discussion:
Acknowledgments:
Name: the Exim project
Upstream: Zerons, Qualys
---
This issue is getting fixed in the upstream version 4.92.2.
---
The issue here is in the Exim's internal function string_interpret_escape():
https://git.exim.org/exim.git/blob/cf84d126bc:/src/src/string.c
References
- http://www.openwall.com/lists/oss-security/2019/09/28/1
- http://www.openwall.com/lists/oss-security/2019/09/28/2
- http://www.openwall.com/lists/oss-security/2019/09/28/3
- http://www.openwall.com/lists/oss-security/2019/09/28/4
- https://bugs.exim.org/show_bug.cgi?id=2449
- https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f
- https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UY6HPRW7MR3KBQ5JFHH6OXM7YCZBJCOB/
- https://seclists.org/bugtraq/2019/Sep/60
- https://security.gentoo.org/glsa/202003-47
- https://usn.ubuntu.com/4141-1/
- https://www.debian.org/security/2019/dsa-4536
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16928