CVE-2019-15846 Exim "A local or remote attacker can execute programs with root privileges."

lorio
Well-Known Member, Root Administrator
cPanelMichael
Technical Support Community Manager, Staff member

wanico
Member, Root Administrator
Hi cPanel,

CVE-2019-15846

What is the workaround patch for this vulnerability and when can we expect a patched Exim release via the upgrade channels?
I believe the release date is today.

keat63
Well-Known Member, Root Administrator
From a terminal window, if I run the following
Code:
exim --version |head -1
The results would indicate that I'm already running 4.92 #2, and have been since March this year.

"Exim version 4.92 #2 built 17-Mar-2019 12:58:50"

Although WHM service status does say 4.92-1 ???

and

Code:
[email protected] [~]# whmapi1 installed_versions packages=1|grep exim
  exim: 4.92-1
    - exim-4.92-1.cp1180.x86_64

andyf
Well-Known Member, UK
keat63 said:
From a terminal window, if I run the following
Code:
exim --version |head -1
The results would indicate that I'm already running 4.92 #2, and have been since March this year.
"Exim version 4.92 #2 built 17-Mar-2019 12:58:50"
Although WHM service status does say 4.92-1 ???
Code:
[email protected] [~]# whmapi1 installed_versions packages=1|grep exim
  exim: 4.92-1
    - exim-4.92-1.cp1180.x86_64

You're confusing cPanel's own -1 or -2 revision with the Exim minor point release of .1 or .2.
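Added example for the version confusion above (this is not keat63's, andyf's or cPanel's code, and nobody in the thread posted it): a POSIX shell check that pulls the upstream version number out of the first line of `exim -bV` (the same banner that `exim --version` prints) and compares it with 4.92.2, the first Exim release that carries the CVE-2019-15846 fix. The `#2` after the version is Exim's local compile counter and the `-1` in a package name such as exim-4.92-1.cp1180 is cPanel's package revision; neither is the upstream point release, which is the only number that tells you whether the fix is in. The live check at the end only runs when exim is installed; the banner strings used in the comments are constructed samples.

```sh
#!/bin/sh
# Added example for this thread (not keat63's, andyf's or cPanel's code).
# Extracts the upstream version from an `exim -bV` / `exim --version` banner
# and compares it with 4.92.2, the first release carrying the CVE-2019-15846
# fix. The "#N" in the banner is Exim's compile counter and the "-N" in an
# RPM name such as exim-4.92-1.cp1180 is cPanel's package revision; neither
# is the upstream point release.

FIXED_VERSION="4.92.2"

# exim_version_from_banner BANNER : print the dotted version in a banner,
# e.g. "Exim version 4.92 #2 built 17-Mar-2019 12:58:50" -> 4.92
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B : exit 0 when dotted version A sorts before B, comparing
# each numeric field in turn and treating missing fields as 0, so that
# 4.92 < 4.92.2, 4.92.1 < 4.92.2, and 4.93 > 4.92.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not less than
    }'
}

# exim_banner_vulnerable BANNER : exit 0 when the banner's version predates
# the fix, 1 when it is 4.92.2 or newer, 2 when the banner is not recognised.
exim_banner_vulnerable() {
    v=$(exim_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unrecognised Exim banner: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# Live check, only on a host where exim is installed. A vendor can in
# principle backport a fix without changing the version string, so treat a
# "vulnerable" result as "confirm with the vendor's advisory", not as proof.
if command -v exim >/dev/null 2>&1; then
    banner=$(exim -bV 2>/dev/null | head -n 1)
    rc=0
    exim_banner_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE (older than $FIXED_VERSION): $banner" ;;
        1) echo "version is $FIXED_VERSION or newer: $banner" ;;
        *) echo "could not determine the Exim version from: $banner" ;;
    esac
fi
```

The comparison deliberately ignores the `#N` compile counter and the RPM revision so that the result answers only the question the thread is circling: is the upstream release 4.92.2 or later.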
 

cPanelMichael
Technical Support Community Manager, Staff member
Hello Everyone,

As of Friday, September 6, 2019, Exim has published a fix for CVE-2019-15846 and cPanel & WHM version 82.0.14 was published with a version of Exim that includes the fix.

We'll continue to provide updates on this report at the link below:


Let me know of any questions.

Thanks!

Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.

cPanelMichael
Technical Support Community Manager, Staff member
@andyf, Tentatively looking at early next week for the rollout of this patch to the additional supported release tiers. In the meantime, you could use WHM >> Update Preferences to switch over to the CURRENT release tier:


You can find additional discussion of this topic on our Slack channel:


Thank you.

Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.

cPanelMichael
Technical Support Community Manager, Staff member
Hello Everyone,

To update, cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.

Thank you.

parsley93
Registered, Root Administrator, Poland
Hello everyone.

I've got a couple of servers with CloudLinux release 7.6, cPanel version 11.70.0.69 and Exim version exim-4.91-4.cp1170.x86_64.

Is there a possibility to upgrade Exim to version 4.92.2 without upgrading the cPanel version and the server, to avoid the Exim vulnerability CVE-2019-15846?

I tried to update via yum update exim but it didn't work.

Has anyone else got this problem? And how can I solve it?
 

Babene7
Member, Root Administrator, Uruguay
I don't think that's possible, the LTS patch only goes back to version 78.

You should update those servers to the latest cPanel version. Why do you keep them outdated?

cPanelMichael
Technical Support Community Manager, Staff member
parsley93 said:
I've got a couple of servers with CloudLinux release 7.6, cPanel version 11.70.0.69 and Exim version exim-4.91-4.cp1170.x86_64.
Is there a possibility to upgrade Exim to version 4.92.2 without upgrading the cPanel version and the server, to avoid the Exim vulnerability CVE-2019-15846?
All versions of cPanel & WHM below the stated versions under the Releases section on the KB article are not patched for CVE-2019-15846.

cPanel & WHM version 70 is at end-of-life status so you should upgrade to a supported version as soon as possible to ensure your server is patched for this vulnerability:


Thank you.

parsley93
Registered, Root Administrator, Poland
Babene7 said:
I don't think that's possible, the LTS patch only goes back to version 78.
You should update those servers to the latest cPanel version. Why do you keep them outdated?

I've got an old version of WHMCS which is quite incompatible with versions 78 and 80 of cPanel. The second reason is cost; unfortunately my employer is reluctant to upgrade, which is annoying, and these servers are badly neglected, so I try to do what I can.
 

oldie
Registered, Website Owner, Australia
parsley93 said:
I've got an old version of WHMCS which is quite incompatible with versions 78 and 80 of cPanel. The second reason is cost; unfortunately my employer is reluctant to upgrade, which is annoying, and these servers are badly neglected, so I try to do what I can.

I feel your pain.
from http://exim.org/static/doc/security/CVE-2019-15846.txt :

*****
Mitigation
==========

Do not offer TLS. (This mitigation is not recommended.)

For an attacking TLS client the following ACL snippet should work:

# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
*****

So it appears you can mitigate by not offering TLS on Exim [easy to do via WHM] and/or by adding the two ACL deny statements listed above. It looks like it's possible in WHM, but I'm not entirely sure, or which section to do it in.

cPanelMichael
Technical Support Community Manager, Staff member
oldie said:
So it appears you can mitigate by not offering TLS on Exim [easy to do via WHM] and/or by adding the two ACL deny statements listed above. It looks like it's possible in WHM, but I'm not entirely sure, or which section to do it in.
Hello @oldie,

While I understand the manual mitigation step is referenced by Exim on the link you provided, it's important to understand this workaround is not tested or supported by cPanel & WHM. Editing a server's Exim configuration with those changes could potentially lead to email deliverability issues. Furthermore, the referenced workaround is not confirmed to mitigate the reported vulnerability.

The safest approach here is to upgrade cPanel & WHM to a supported version, or work with us to help troubleshoot any technical issues that are preventing you from upgrading to a supported cPanel & WHM version.

Thank you.
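Added example covering both oldie's quoted ACL snippet and cPanelMichael's reply above (this is not oldie's, cPanel's or the Exim advisory's code, and nobody in the thread posted it): a POSIX shell script that mirrors the advisory's two deny conditions in plain shell so their string logic can be exercised offline, writes the snippet to a file intended to be `.include`d as the first statements of whichever ACL the `acl_smtp_mail` main option names, and, where exim is installed, prints which ACL that is and re-parses the configuration with `exim -bV`. The file path, the `message` lines and the sample SNI and peer-DN strings are constructed for the example. Two caveats apply exactly as the thread states them: the shell mirror checks only that the rule fires on a trailing backslash, not whether Exim reaches the vulnerable code before the MAIL ACL runs, which is what cPanelMichael says is unconfirmed; and on a cPanel host the Exim configuration is generated, so re-run the `exim -bP acl_smtp_mail` check after any rebuild to confirm a hand edit is still in place.

```sh
#!/bin/sh
# Added example for this thread (not oldie's, cPanel's or the Exim
# advisory's code). Mirrors the advisory's two ACL conditions in shell,
# writes them to a file for inclusion at the head of the acl_smtp_mail ACL,
# and checks the live configuration when exim is present. The path and the
# sample SNI / peer-DN values are constructed for the example.

# ends_with_backslash STRING : exit 0 when the last character is '\'.
# This is what ${if eq{\\}{${substr{-1}{1}{STRING}}}} tests in Exim's
# expansion language: substr with offset -1 and length 1 is the final
# character, and \\ in an expanded string is a single backslash.
ends_with_backslash() {
    case "$1" in
        *\\) return 0 ;;
        *)   return 1 ;;
    esac
}

# acl_would_deny SNI PEERDN : exit 0 when either advisory condition fires,
# i.e. when the snippet would reject the session at MAIL FROM.
acl_would_deny() {
    ends_with_backslash "$1" || ends_with_backslash "$2"
}

# write_acl_snippet PATH : write the two deny statements to PATH. The
# `condition` lines are the advisory's, unchanged; the `message` lines are
# an addition so that rejections are recognisable in the reject log.
write_acl_snippet() {
    cat > "$1" <<'EOF'
  # CVE-2019-15846 mitigation from the Exim advisory: reject TLS clients
  # whose SNI or peer DN ends in a backslash. Must be the first statements
  # of the ACL referenced by the acl_smtp_mail main option.
  deny message   = TLS SNI ends in a backslash
       condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
  deny message   = TLS peer DN ends in a backslash
       condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
EOF
}

# On a host with exim installed: which ACL does acl_smtp_mail point at (that
# is the one the snippet must lead), and does the configuration still parse
# after the include was added? Repeat after any rebuild of exim.conf.
if command -v exim >/dev/null 2>&1; then
    exim -bP acl_smtp_mail
    exim -bV >/dev/null 2>&1 && echo "exim configuration parses"
fi
```

The shell mirror exists so that the two expansion conditions can be reasoned about without a mail server in the loop; it does not replace testing on the host, and the thread's warning that cPanel neither supports nor has confirmed the workaround stands.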
 

oldie
Registered, Website Owner, Australia
cPanelMichael said:
Hello @oldie,
The safest approach here is to upgrade cPanel & WHM to a supported version, or work with us to help troubleshoot any technical issues that are preventing you from upgrading to a supported cPanel & WHM version.
Thank you.

Unfortunately I'm working with a legacy app on legacy PHP, so unless cPanel gets generous and backports Exim for WHM 76, I'll have to look for other options/workarounds.