
RESOLVED  


Background Information 

On Monday, July 22, 2019, the Exim maintainers announced that they had discovered a vulnerability (CVE-2019-13917) affecting Exim versions 4.85 through 4.92 inclusive.

On Thursday, July 25, 2019, the Exim maintainers released Exim 4.92.1, which patches this vulnerability.


Impact

According to the Exim developers: "A local or remote attacker can execute programs with root privileges - if you've an unusual configuration.
If your configuration uses the ${sort } expansion for items that can be controlled by an attacker (e.g. $local_part, $domain). The default config, as shipped by the Exim developers, does not contain ${sort }."

After analyzing the details of the vulnerability, the standard Exim configurations shipped with cPanel & WHM are not expected to be vulnerable, because they do not use ${sort }. Customized configurations that apply ${sort } to values an SMTP client can control (such as $local_part or $domain) may be vulnerable.
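As an added check (example code written for this page, not cPanel's or Exim's own tooling), the following POSIX shell script flags ${sort ...} expansions in an Exim configuration whose list argument references attacker-controlled values. $local_part and $domain are the variables named in the Exim advisory; $sender_address and the $h_ header variables, the function names, and the sample configuration are assumptions constructed for the demonstration. The check is a line-based text heuristic: a ${sort } fed indirectly (for example from a lookup result or an ACL variable populated from message data) is not caught, so it narrows the review rather than replacing the update.

```shell
#!/bin/sh
# Added example, not cPanel's or Exim's own tooling: scan an Exim
# configuration for ${sort ...} expansions whose list argument references
# values an SMTP client controls, the precondition the Exim advisory
# describes for CVE-2019-13917. Line-based heuristic only: it catches
# direct references on the same line as the ${sort.

# $local_part and $domain are the variables the Exim advisory names;
# $sender_address and header variables ($h_...) are assumed additions.
TAINTED_VARS='\$local_part|\$domain|\$sender_address|\$h_'

# find_sort_expansions CONFIG_FILE
# Prints "lineno:text" for every line that uses ${sort and mentions a
# tainted variable. Exit status 0 if any such line exists, 1 if none.
find_sort_expansions() {
    grep -n -F '${sort' "$1" | grep -E "$TAINTED_VARS"
}

# count_sort_expansions CONFIG_FILE
# Same check, printing the number of flagged lines (0 when clean).
count_sort_expansions() {
    find_sort_expansions "$1" | wc -l | tr -d ' '
}

# write_sample_conf
# Writes a constructed sample configuration to a temp file and prints its
# path. Demo input only; on a cPanel server the generated configuration
# to scan is /etc/exim.conf.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# static list: sorting a constant is harmless
hosts_try_auth = ${sort{a.example:b.example}{<}{$item}}
# attacker-controlled: the recipient's local part feeds the list
data = ${sort{$local_part}{<}{$item}}
# attacker-controlled: the recipient domain feeds the list
route_data = ${sort{$domain}{<}{$item}}
# references a tainted variable but performs no sort expansion
local_parts = $local_part
EOF
    echo "$f"
}

# Run the check against the constructed sample; lines 4 and 6 are flagged.
SAMPLE_CONF=$(write_sample_conf)
if find_sort_expansions "$SAMPLE_CONF"; then
    echo 'WARNING: ${sort} on attacker-controlled input found; update Exim or remove it'
else
    echo 'no risky ${sort} usage found'
fi
rm -f "$SAMPLE_CONF"
```

To review a live server, call find_sort_expansions /etc/exim.conf (and any included files) instead of the sample; a non-empty result means the server matches the "unusual configuration" the Exim advisory describes and the Exim update below is not optional. An empty result does not prove safety, since only direct same-line references are detected.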

Releases

The following versions of cPanel & WHM were patched to ship the corrected version of Exim. Any cPanel & WHM version below the one stated for its tier still ships an unpatched Exim and is potentially vulnerable to a root RCE in non-default configurations that use ${sort } on attacker-controlled values.

TIER      VERSION
78        78.0.35
80        80.0.23
82        82.0.5
EDGE      82.0.5
CURRENT   82.0.5
RELEASE   80.0.23
STABLE    80.0.23


How to determine if your server is up to date

The updated RPMs provided by cPanel are at least release 4.92-4 on version 78 and 4.92-2 on versions 80 and above. Run the following command and compare its output with the package name listed for your version:

rpm -q exim


Version 78

exim-4.92-4.cp1178.x86_64

Versions 80, 82

exim-4.92-2.cp1180.x86_64

What to do if you are not up to date

If rpm -q exim reports an older package than the one listed for your version, update immediately.

To upgrade your server, use WHM's interface (WHM >> Home >> cPanel >> Upgrade to Latest Version).

Alternatively, you can run the commands below to upgrade your server from the command line:

/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list


Verify the new Exim RPM was installed:

In versions 78, 80, and 82, run the following:

rpm -q --changelog exim | grep CVE-2019-13917

The output should contain a changelog entry like the following:

- Applied upstream patch for CVE-2019-13917


If you are still experiencing issues or need additional help, please contact cPanel support.
