
CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.

Last year, during a routine code review, Qualys discovered a Remote Command Execution (RCE) vulnerability in the Exim Mail Transfer Agent (MTA). The vulnerability has been dubbed "The Return of the WIZard" and is tracked as CVE-2019-10149. It exists in Exim versions 4.87 to 4.91 (inclusive). When exploited, it allows an attacker to execute arbitrary commands with root privileges.
The Exim mail server is ubiquitous on the internet. More than 50% of public-facing mail servers run Exim, and over 500,000 Exim mail servers exist on the internet. The severity of the vulnerability, coupled with Exim's large presence on the internet, makes the potential impact of this exploit quite extreme. Although the vulnerability was patched over a year ago, many public-facing Exim mail servers are still vulnerable. It was used as recently as October 2020 by the Russian state-sponsored threat actor known as Berserk Bear.
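To find servers that still report a version in the affected range, the added example below (not code from Qualys or Cyborg Security) triages an inventory of SMTP greetings and `exim -bV` lines against 4.87 to 4.91. The hostnames and banners are constructed samples. A match is a triage signal rather than proof, since distributions may backport the fix without changing the upstream version number.

```python
import re

# Affected range stated on this page: Exim 4.87 to 4.91, inclusive.
VULN_MIN, VULN_MAX = (4, 87), (4, 91)

# Matches "Exim 4.89" in an SMTP greeting and "Exim version 4.90_1" in
# `exim -bV` output. Suffixes such as "_1" or ".3" are patch-level markers
# and are ignored; only major.minor is compared against the range.
EXIM_RE = re.compile(
    r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)(?:[._]\d+)*", re.IGNORECASE
)


def exim_version(text):
    """Return (major, minor) parsed from a banner or version line, or None."""
    m = EXIM_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Return 'in-range', 'out-of-range', or 'unknown' for one banner line."""
    version = exim_version(text)
    if version is None:
        return "unknown"  # not Exim, or the version is hidden from the banner
    return "in-range" if VULN_MIN <= version <= VULN_MAX else "out-of-range"


def triage(inventory):
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample banners (documentation hostnames, not real servers).
SAMPLE = {
    "mx1.example.org": "220 mx1.example.org ESMTP Exim 4.89 Tue, 03 Nov 2020 10:00:00 +0000",
    "mx2.example.org": "220 mx2.example.org ESMTP Exim 4.92.3 Tue, 03 Nov 2020 10:00:01 +0000",
    "mx3.example.org": "Exim version 4.90_1 #2 built 12-Feb-2018 10:00:00",
    "mx4.example.org": "220 mx4.example.org ESMTP Postfix",
    "mx5.example.org": "220 mx5.example.org ESMTP Exim 4.86 Tue, 03 Nov 2020 10:00:02 +0000",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{status}")
```

Hosts classified as `unknown` still need a manual check, because a hidden or customized banner says nothing about the installed version.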
Check out Cyborg Security's Threat Hunt Deep Dives Ep. 1: Return of the WIZard - Exim MTA RCE (CVE-2019-10149) to learn more about this vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2019-10149
https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
https://www.scythe.io/library/threatthursday-bersek-bear
https://us-cert.cisa.gov/ncas/alerts/aa20-296a
