Remote root code execution vulnerability in Exim MTA
Official exim.org summary : https://www.exim.org/static/doc/security/CVE-2019-15846.txt
Initial alert to mailing lists : https://www.openwall.com/lists/oss-security/2019/09/04/1
The Register analysis : https://www.theregister.co.uk/2019/09/06/exim_vulnerability_patch/
An attacker (local or remote) can execute arbitrary code with root privileges, possibly leading to compromise of system/data integrity, confidentiality, and/or availability.
The popular open-source MTA (mail transfer agent) Exim has a severe vulnerability, which is exploitable by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.
Although no CVSS score has been assigned yet, this is as bad as vulnerabilities get. While we have not yet received reports of this vulnerability being exploited in the wild, public proof-of-concept code exists, so it is only a matter of time until we see widespread exploitation of this vulnerability.
CERT.be recommends that system administrators running Exim patch their systems immediately.
Additional technical details are available in the Exim GitHub repository.
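A detection-side check for the malformed SNI described in this advisory, as an added example that is not part of the original advisory or of Exim's code: it parses the body of a TLS server_name extension (RFC 6066) and flags host names that end in a backslash, with or without a trailing NUL, or that contain either byte. The function names and sample inputs are constructed for illustration, and the code assumes the extension payload has already been extracted from the ClientHello by a packet parser or IDS.

```python
import struct

def host_names(ext_data: bytes) -> list[bytes]:
    """Parse a server_name extension body (RFC 6066 ServerNameList)."""
    if len(ext_data) < 2 or struct.unpack_from(">H", ext_data)[0] != len(ext_data) - 2:
        raise ValueError("bad ServerNameList length")
    names, pos = [], 2
    while pos < len(ext_data):
        if pos + 3 > len(ext_data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from(">BH", ext_data, pos)
        pos += 3
        name = ext_data[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("host_name runs past end of extension")
        if name_type == 0:  # 0 = host_name, the only type RFC 6066 defines
            names.append(name)
        pos += name_len
    return names

def sni_findings(ext_data: bytes) -> list[str]:
    """Return alert reasons for one SNI extension; empty list means no finding."""
    try:
        names = host_names(ext_data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    for name in names:
        # Assumption: strip trailing NULs so a bare trailing backslash is caught too.
        if name.rstrip(b"\x00").endswith(b"\\"):
            findings.append("ends in backslash(-NUL)")
        elif b"\x00" in name or b"\\" in name:
            findings.append("NUL or backslash inside name")
    return findings

def sample_ext(name: bytes) -> bytes:
    """Constructed sample data: wrap one host_name in a ServerNameList."""
    entry = struct.pack(">BH", 0, len(name)) + name
    return struct.pack(">H", len(entry)) + entry

SAMPLES = {  # constructed inputs, not captured traffic
    "normal": sample_ext(b"mail.example.org"),
    "flagged": sample_ext(b"a\\\x00"),
    "truncated": sample_ext(b"mail.example.org")[:-4],
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:10} {sni_findings(data)}")
```

Legitimate host names never contain a backslash or a NUL byte, so any finding from this check is worth an alert regardless of whether the receiving server is patched.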