Background Information
On Tuesday, June 4, 2019, Exim maintainers announced that they received a report of a potential remote exploit in Exim from version 4.87 to version 4.91.
On Wednesday, June 5, 2019, the Exim maintainers released a patch for these vulnerabilities.
Impact
According to Exim development: “We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. The severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. Exim 4.92 is not vulnerable.”
Releases
The following versions of cPanel & WHM were patched to have the correct version of Exim. All previous versions of cPanel & WHM below the stated versions are potentially vulnerable to a root RCE.
- 70 — 70.0.69
- 76 — 76.0.22
- 78 — 78.0.27
- 80 — Already on Exim version 4.92 which is not vulnerable
- EDGE — Currently on version 80 which is not vulnerable
- CURRENT — Currently on version 80 which is not vulnerable
- RELEASE — Currently on version 80 which is not vulnerable
- STABLE — 78.0.27
How to determine if your server is up to date
The updated RPMs provided by cPanel should be at least 4.91-4 on versions 70 and 76 and at least 4.92 on versions 78 and above.
rpm -q exim
The output should resemble below:
- Versions 70 and 76 — exim-4.91-4.cp1170.x86_64
- Version 78 — exim-4.92-1.cp1178.x86_64
- Version 80 — exim-4.92-1.cp1180.x86_64
What to do if you are not up to date
If your server is not running one of the above versions, update immediately.
To upgrade your server, use WHM’s Upgrade to Latest Version interface (WHM >> Home >> cPanel >> Upgrade to Latest Version).
Alternatively, you can run the commands below to upgrade your server from the command line:
If you are on version 76, you will need to update your /etc/cpupdate.conf to look like the following:
After you complete this update (/usr/local/cpanel/scripts/upcp), set /etc/cpupdate.conf:
If you were on STABLE previously, set the following:
If you were on RELEASE previously, set the following:
This will allow you to upgrade to newer versions of cPanel & WHM once you have migrated to EasyApache 4.
Verify the new Exim RPM was installed
In version 78 run the following:
rpm -q exim
The output should resemble below:
exim-4.92-1.cp1178.x86_64
In versions 70 and 76 run the following:
rpm -q --changelog exim | grep CVE-2019-10149
The output should resemble below:
- Patch for CVE-2019-10149
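An added example, not the advisory's own tooling: a POSIX shell script that applies the version thresholds from this section and from "How to determine if your server is up to date" to `rpm -q exim` output. The sample package names are constructed, and the `check_live` helper and its command-line argument convention are assumptions.

```shell
#!/bin/sh
# Added example, not part of the cPanel advisory: apply the version thresholds
# stated above to `rpm -q exim` output (at least 4.91-4 on cPanel 70 and 76,
# at least 4.92 on 78 and above).

# Constructed sample package names for offline use (not from a live host).
SAMPLE_V76_PATCHED="exim-4.91-4.cp1170.x86_64"
SAMPLE_V76_OLD="exim-4.91-3.cp1170.x86_64"

# exim_is_patched NVRA CPANEL_MAJOR -> status 0 if NVRA meets the threshold
# for that cPanel major version, 1 otherwise.
exim_is_patched() {
    vr=${1#exim-}; vr=${vr%%.cp*}     # "4.91-4"
    ver=${vr%%-*}; rel=${vr#*-}       # "4.91" and RPM release "4"
    ver_major=${ver%%.*}              # "4"
    ver_minor=${ver#*.}; ver_minor=${ver_minor%%.*}   # "91"
    [ "$ver_major" -gt 4 ] && return 0      # any 5.x would be newer still
    [ "$ver_major" -eq 4 ] || return 1
    if [ "$2" -ge 78 ]; then
        # cPanel 78+ only ships the unaffected Exim 4.92 or newer.
        [ "$ver_minor" -ge 92 ] && return 0
        return 1
    fi
    # cPanel 70/76: 4.92+ or the backported 4.91 build with release >= 4.
    [ "$ver_minor" -ge 92 ] && return 0
    [ "$ver_minor" -eq 91 ] && [ "$rel" -ge 4 ] && return 0
    return 1
}

# check_live CPANEL_MAJOR: query this server's RPM database (assumed helper,
# mirrors the two manual checks in the advisory).
check_live() {
    installed=$(rpm -q exim) || { echo "exim package not installed"; return 1; }
    if ! exim_is_patched "$installed" "$1"; then
        echo "VULNERABLE: $installed is below the patched version"; return 1
    fi
    # On 70/76 the backport also carries a CVE changelog entry; require it.
    if [ "$1" -lt 78 ] && ! rpm -q --changelog exim | grep -q CVE-2019-10149; then
        echo "WARNING: $installed has no CVE-2019-10149 changelog entry"; return 1
    fi
    echo "OK: $installed meets the CVE-2019-10149 threshold"
}

# Usage: sh check_exim.sh 76   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then check_live "$1"; fi
```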
If you are still experiencing issues or need additional help, contact cPanel support.
Additional documentation
More detailed information can be found at the following websites:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10149
- https://seclists.org/oss-sec/2019/q2/152