DESCRIPTION:
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Linux systems connected to the Internet.
The vulnerability (CVE-2019-10149) is caused by improper validation of the recipient address in the deliver_message() function in /src/deliver.c. Successful exploitation could lead to a full compromise of the Exim mail server, allowing an attacker to carry out malicious activity through it.
AFFECTED RELEASES:
Exim versions 4.87 to 4.91.
SOLUTION:
1. Confirm the currently installed version with the "exim -bV" command.
2. Affected users are advised to upgrade to version 4.92 or later. The software can be downloaded from https://downloads.exim.org/exim4/.
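The following shell script is an added example, not part of this advisory or of the Exim project: it parses the first line of "exim -bV" output and reports whether the installed version falls inside the affected range 4.87 to 4.91. The function names and the sample "exim -bV" output embedded in it are constructed for illustration; only the "Exim version X.YZ" line format is relied upon.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an Exim version
# is inside the CVE-2019-10149 affected range, 4.87 through 4.91.

# Extract "major.minor" from `exim -bV` output (passed as $1).
# The first line of that output looks like:
#   Exim version 4.91 #1 built 11-Mar-2019 12:00:00
exim_version_from_bv() {
    printf '%s\n' "$1" \
        | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 if "$1" (e.g. "4.91") is within [4.87, 4.91], 1 if outside,
# 2 if the string is not a recognisable major.minor version.
exim_version_affected() {
    ver=$1
    major=${ver%%.*}        # "4"
    rest=${ver#*.}          # "91" or "91.1"
    minor=${rest%%.*}       # "91"
    case "$major$minor" in
        *[!0-9]*) return 2 ;;   # suffixes like "4.91_RC1" are not classified
    esac
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    else
        return 1
    fi
}

# Query the Exim binary on this host and print a verdict.
report_installed_exim() {
    bv_output=$(exim -bV 2>/dev/null) || {
        echo "could not run 'exim -bV'"; return 2
    }
    ver=$(exim_version_from_bv "$bv_output")
    if [ -z "$ver" ]; then
        echo "could not determine Exim version from 'exim -bV' output"; return 2
    fi
    if exim_version_affected "$ver"; then
        echo "Exim $ver is AFFECTED by CVE-2019-10149; upgrade to 4.92 or later"
        return 1
    else
        echo "Exim $ver is outside the affected range 4.87-4.91"
        return 0
    fi
}

# Constructed sample output, used so the parser can be exercised offline.
SAMPLE_BV='Exim version 4.91 #1 built 11-Mar-2019 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018'

# Only query a live binary if one is installed on this host.
if command -v exim >/dev/null 2>&1; then
    report_installed_exim
fi
```

Run the script on the mail server to get a verdict for the installed binary; the version parser and range check can also be sourced from other scripts, for example to sweep a fleet over SSH and collect the return codes.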
REFERENCE:
1. https://www.exim.org/static/doc/security/CVE-2019-10149.txt
2. https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
3. https://nvd.nist.gov/vuln/detail/CVE-2019-10149
4. https://ithome.com.tw/news/131270