Sid 1-53378

Report a false positive

Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER Exim unauthenticated remote code execution attempt

Rule Explanation

The rule alerts when TLS `client hello` packet contains `server_name` SNI extension with trailing backslash `\\x00`

What To Look For

The rule alerts when TLS `client hello` packet contains `server_name` SNI extension with trailing backslash `\\x00`

Known Usage

Public information/Proof of Concept available

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Initial Access

Technique: Exploit Public-Facing Application

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE-2019-15846

Additional Links

exim.org/static/doc/security/CVE-2019-15846.txt

Rule Vulnerability

CVE Additional Information

CVE-2019-15846
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Details
Severity Base Score9.8
Impact Score5.9 Exploit Score3.9
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Attack VectorNETWORK
ScopeUNCHANGED User InteractionNONE
Authentication Ease of AccessLOW
Privileges RequiredNONE

Affected Systems