CVE-2019-10149 Exim


Last modified: September 28, 2020

Background Information

On Tuesday, June 4, 2019, Exim maintainers announced that they received a report of a potential remote exploit in Exim from version 4.87 to version 4.91.

On Wednesday, June 5, 2019, the Exim maintainers released a patch for these vulnerabilities .

Impact

According to Exim development: “We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. Exim 4.92 is not vulnerable.”

Releases

The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM below the stated versions are potentially vulnerable to a root RCE.

  • 70 — 70.0.69
  • 76 — 76.0.22
  • 78 — 78.0.27
  • 80 — Already on Exim version 4.92 which is not vulnerable
  • EDGE — Currently on version 80 which is not vulnerable
  • CURRENT — Currently on version 80 which is not vulnerable
  • RELEASE — Currently on version 80 which is not vulnerable
  • STABLE — 78.0.27

How to determine if your server is up to date

The updated RPMs provided by cPanel should be at least 4.91-4 on versions 70 and 76 and at least 4.92 on versions 78 and above.

rpm -q exim

The output should resemble below:

  • Versions 70 and 76 — exim-4.91-4.cp1170.x86_64

  • Version 78 — exim-4.92-1.cp1178.x86_64

  • Version 80 — exim-4.92-1.cp1180.x86_64

What to do if you are not up to date.

If your server is not running one of the above versions, update immediately.

To upgrade your server, use WHM’s Upgrade to Latest Version interface (WHM >> Home >> cPanel >> Upgrade to Latest Version).

Alternatively, you can run the commands below to upgrade your server from the command line:

1
2
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list

If you are on version 76 you will need to update your /etc/cpupdate.conf to look like the following:

1
2
3
4
5
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

After you complete this update (/usr/local/cpanel/scripts/upcp) set /etc/cpupdate.conf:

If you were on STABLE previously, set the following:

1
2
3
4
5
CPANEL=stable
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

If you were on RELEASE previously, set the following:

1
2
3
4
5
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

This will allow you to upgrade to newer versions of cPanel & WHM once you have migrated to EasyApache 4.

Verify the new Exim RPM was installed

In version 78 run the following:

rpm -q exim

The output should resemble below:

exim-4.92-1.cp1178.x86_64

In versions 70 and 76 run the following:

rpm -q --changelog exim | grep CVE-2019-10149

The output should resemble below:

- Patch for CVE-2019-10149

If you are still experiencing issues or need additional help, contact cPanel support.

Additional documentation

More detailed information can be found at the following websites:

Additional Documentation