BLOG: 12 Vulnerabilities of Christmas – CVE-2019-10149
Although the latest vulnerability in our series had a CVSS of 9.8 rather than the 10.0 maximum, the ability to use it for remote code execution and its widespread exploitation by threat actors have contributed to the risk it poses.
CVE-2019-10149 is a severe vulnerability affecting Exim, a mail transfer agent (MTA) used by over half of the email servers worldwide. The vulnerability would allow attackers to achieve remote command execution (RCE) by including a malicious payload in the SMTP dialog of an email sent to the server, which executes a shell script upon reception and adds a public SSH key to the root account, allowing the attackers to compromise the host. Attackers with root access would then be able to ingress tools and post-exploitation frameworks, create new accounts with root privileges, and move laterally.
After the vulnerability was disclosed in May 2019 by security researchers, the Exim team revealed that it had already patched it in Exim 4.92, which had been released the previous month. A Metasploit module was released on 23 August 2019, with PoCs being published as early as 18 June 2019. As with several vulnerabilities examined in previous parts of this blog series, the earliest signs of exploitation of this vulnerability in the wild were attributed to cybercriminals pursuing crypto-mining, further indicating that opportunistic threat actors looking to make a rapid profit are usually the first to exploit such vulnerabilities.
Due to the nature of the assets being impacted, this vulnerability has been of major interest to threat actors for intelligence collection purposes. An NSA advisory on 28 May 2020 disclosed that the Russian APT Sandworm, which the agency has since identified as a GRU unit, had been observed exploiting the vulnerability since at least August 2019. CISA subsequently published a report on 22 October 2020 detailing how the Russian group Berserk Bear had been exploiting the vulnerability to target US government entities, higher education and aviation organisations such as airports and airlines.
Shodan data indicates that there are still 271,545 servers worldwide that remain vulnerable to CVE-2019-10149, with 183,557 located in the United States and 10,409 located in the United Kingdom. This indicates that the vulnerability will continue to be exploited by sophisticated threat actors, as organisations have failed to patch their vulnerable mail servers.
Figure 1: Hosts around the globe that are still vulnerable to CVE-2019-10149
Due to the ease of exploitation, continued exploitation in the wild and the severity of the vulnerability, Orpheus has assigned CVE-2019-10149 the maximal OVS score of 100/100. In light of the vulnerability's OVS score and evidence of present exploitation by nation states, we strongly recommend that organisations apply the following mitigation advice:
Upgrade Exim to version 4.92 or later
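To turn the advice above into an inventory check, the following added example (not code from the original post or from the Exim project) parses the Exim version from SMTP greeting banners or `exim -bV` output and flags anything below 4.92, the fix version stated above. The banner lines are constructed samples, and the "verify-backport" verdict for distribution-suffixed builds is an assumption: vendors sometimes backport fixes without changing the upstream number, so such hosts should be checked against the vendor advisory rather than declared exposed on the number alone.

```python
import re

# Upstream Exim release that shipped the fix for CVE-2019-10149 (per the post).
FIXED_VERSION = (4, 92)

# Matches "Exim 4.91", "Exim version 4.89-2+deb9u4 #1", "Exim 4.92.3", etc.
_VERSION_RE = re.compile(
    r"Exim(?: version)?\s+(\d+)\.(\d+)(?:\.(\d+))?([-+~][\w.+~]*)?", re.IGNORECASE
)


def parse_exim_version(text):
    """Return (major, minor, patch, packaging_suffix) or None if no Exim banner is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), suffix or "")


def assess(text):
    """Classify one host as 'patched', 'vulnerable', 'verify-backport' or 'unknown'."""
    parsed = parse_exim_version(text)
    if parsed is None:
        return "unknown"          # not Exim, or banner hidden: needs a different check
    major, minor, _patch, suffix = parsed
    if (major, minor) >= FIXED_VERSION:
        return "patched"
    # Assumption: a packaging suffix (e.g. "-2+deb9u4") may carry a backported fix,
    # so the bare upstream number is not proof of exposure; confirm with the vendor.
    if suffix:
        return "verify-backport"
    return "vulnerable"


# Constructed sample banners, not captured from real hosts.
SAMPLE_LINES = {
    "mx1": "220 mx1.example.test ESMTP Exim 4.91 Mon, 02 Dec 2019 10:00:00 +0000",
    "mx2": "220 mx2.example.test ESMTP Exim 4.92.3 Mon, 02 Dec 2019 10:00:01 +0000",
    "mx3": "Exim version 4.89-2+deb9u4 #1 built 24-Jun-2019 09:00:00",
    "mx4": "220 mx4.example.test ESMTP Postfix",
}


def triage(lines):
    """Map host name -> verdict for a batch of banner lines."""
    return {host: assess(line) for host, line in lines.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LINES).items():
        print(f"{host}: {verdict}")
```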
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.