This advisory is provided as a courtesy.
We would like to bring to your attention a newly discovered vulnerability affecting older versions of Exim, an SMTP server (MTA / mail transfer agent) software widely used by popular control panels such as cPanel and DirectAdmin. The vulnerability affects Exim versions 4.87 (first released on 6 April 2016) through 4.91 (both versions inclusive).
The vulnerability allows a local attacker (for Exim using default configuration) or a remote attacker (for Exim using non-default configuration) to send a mail to a specially crafted email address on localhost to execute commands as root and perform malicious activities on the server.
Affected Software
Exim versions 4.87 through 4.91 (both versions inclusive)
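To check a server against this range, the version banner printed by `exim -bV` can be parsed and compared. The script below is an added example, not part of the original advisory or of Exim; its function names are hypothetical and the sample banner lines are constructed.

```sh
#!/bin/sh
# Added example: classify an Exim version against the advisory's affected
# range, 4.87 through 4.91 (both inclusive). Function names are hypothetical.

# True when $1 is a non-empty string of digits only.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read `exim -bV` output on stdin and print MAJOR.MINOR from its first
# "Exim version" line; suffixes such as "_1" or ".3" are dropped.
parse_exim_version() {
    sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print affected / not-affected / unknown for a MAJOR.MINOR string.
classify_exim() {
    major=${1%%.*}
    minor=${1#*.}
    if [ "$1" = "$major" ] || ! is_uint "$major" || ! is_uint "$minor"; then
        echo unknown
    elif [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Parse and classify in one step (stdin: `exim -bV` output).
check_exim_output() {
    classify_exim "$(parse_exim_version)"
}

# Constructed sample banner lines, not captured from a real server.
for banner in \
    'Exim version 4.86 #1 built 01-Jan-2016 00:00:00' \
    'Exim version 4.90_1 #4 built 01-Jan-2019 00:00:00' \
    'Exim version 4.92 #2 built 01-Jul-2019 00:00:00'
do
    printf '%s -> %s\n' "$banner" "$(printf '%s\n' "$banner" | check_exim_output)"
done

# Check the local binary when one is on PATH.
if command -v exim >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(exim -bV 2>/dev/null | check_exim_output)"
fi
```

A distribution package may carry a backported fix while still reporting a version in this range, so treat "affected" as a prompt to check the vendor's package changelog as well.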
How to Fix the Problem
If you are running cPanel or DirectAdmin control panel, please follow the instructions provided by the respective hosting control panels to update Exim to the latest version.
For cPanel, login to WHM control panel (e.g. https://your-server-hostname-or-ip:2087) and go to cPanel > Upgrade to Latest Version.
For DirectAdmin, use CustomBuild to update Exim to the latest version. More information can be found in DirectAdmin's documentation.
If you are installing Exim manually, please refer to the Exim documentation on how to upgrade Exim to the latest version.
More information
CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim
CVE-2019-10149 Detail
[SingCERT] Critical Vulnerability (CVE-2019-10149) in Exim Mail Server
cPanel: Exim CVE-2019-10149, how to protect yourself
Request Assistance
If you are running Exim on your system and need our assistance to patch it up, we can perform the patch installation for you at a one-time discounted fee of $10. Please submit your order at Order -> Additional Services -> Vulnerability Fix - LINUX & WINDOWS: Linux Kernel "Use-After-Free", OpenSSL, GNU C Library, Poodle SSLV3, Stack Clash, Optionsbleed Vulnerability - $10.
Or please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.
For example:
Hostname: yourservelethostname
IP Address: 103.25.202.81
OS Template: CentOS 7.2
Thank you.