SOLVED Where is exim version information stored?

jackburton

Registered
Jan 25, 2018
2
1
3
east coast
cPanel Access Level
Root Administrator
Hello,

I was asked to find out why one of our cPanel servers is showing the wrong Exim version in WHM -> Service Status. That page reports 4.89-3, but every other indication clearly shows 4.89.1-1.

Code:
root@cp20 ~ # exim --version |head -1
Exim version 4.89_1 #1 built 29-Nov-2017 18:47:20
2018-01-25 14:20:57 cwd=/root 2 args: exim --version

Code:
root@cp20 ~ # rpm -qa |grep exim
exim-4.89.1-1.cp1162.x86_64

Code:
(tail end of 'yum list exim')
Installed Packages
exim.x86_64                                                                             4.89.1-1.cp1162                                                                              installed

Code:
root@cp20 ~ # /scripts/check_cpanel_rpms
root@cp20 ~ #

Code:
root@cp20 ~ # grep exim /var/cpanel/rpm.versions.d/local.versions
root@cp20 ~ #

I've used grep on all of /var, /usr, /etc, and /scripts and am not seeing where the presumably cached version is being pulled from. 4.89-3 was never installed on here but that version is being stored somewhere. Not even running strace on cpsrvd is yielding any useful results, but there is a ton of data before that version is referenced (that I may have missed), and clearly shows the wrong version.

Code:
<td>exim</td>\n        <td>4.89-3</td>\n        <td>up</td>\n

Checking other servers using 68.0 (build 27) shows the correct version. Reinstalling Exim, forcing upcp, and disabling/enabling monitoring didn't do anything either.

Can you let me know where Service Status is fetching the Exim version from?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello,

The following command should output the version of Exim installed on your system:

Code:
whmapi1 installed_versions packages=1|grep exim

[Moderator Note: Removed reference to cache directory that's no longer applicable]

Thank you.
 

jackburton

Hi Michael,

Thank you very much for your prompt response. That was indeed the problem.

Code:
root@cp20 ~ # whmapi1 installed_versions packages=1|grep exim
  exim: 4.89-3
    - exim-4.89-3.cp1162.x86_64

Moved the _bin_rpm* out of the way and Service Status is showing the correct data now.

Thank you again!
 

cPanelMichael

Hello Everyone,

We've noticed a recent increase in requests for information about how to determine the version of Exim installed on cPanel & WHM servers after the recent announcement from Exim maintainers regarding CVE-2019-15846.

Additionally, we've seen requests for information about reports from third-party security companies regarding cPanel & WHM servers that have already been patched to have the correct version of Exim. An example of this is quoted below:

"It has come to our attention that the IPs of your network presented to us logs below have a vulnerable version of Exim. Exim Versions earlier than 4.92.2 allow a remote attacker to execute code with root privileges and thus gain unrestricted access to the root system."

In some cases, reports like this are false positives due to Exim not advertising the build number in its response to outside connections. The best way to determine if reports like the one quoted above are false positives is to access your cPanel & WHM server via the command line and run the following command to look for the specific CVE report in the RPM change log. Here's an example of the command to use for CVE-2019-15846:

Code:
rpm -q --changelog exim | grep CVE-2019-15846

The output on LTS version 78, version 82, and the EDGE tier should resemble below on servers patched against this vulnerability:

# rpm -q --changelog exim | grep CVE-2019-15846
- Applied upstream patch for CVE-2019-15846

Additional information about this vulnerability is available on the document below:


For information on how to access the command line, see the document below:


Let us know of any questions.

Thank you.
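
The changelog check from the post above, turned into a small triage helper. This is an added example, not part of the thread and not cPanel's tooling: it combines the version a scanner reported with the package changelog to separate backported fixes from hosts that are actually unpatched. The function names, verdict strings and sample changelog are hypothetical and constructed; only the "Applied upstream patch" line and the 4.92.2 threshold come from the thread.

```shell
#!/bin/sh
# Added example, not cPanel's code. Function names and sample data are
# hypothetical/constructed for illustration.

# version_lt A B: true when version A sorts strictly before B.
# Exim prints 4.89_1 where the RPM says 4.89.1, so "_" is mapped to ".".
version_lt() {
    vl_a=$(printf '%s' "$1" | tr '_' '.')
    vl_b=$(printf '%s' "$2" | tr '_' '.')
    [ "$vl_a" != "$vl_b" ] &&
        [ "$(printf '%s\n%s\n' "$vl_a" "$vl_b" | sort -V | head -n 1)" = "$vl_a" ]
}

# triage CVE FIXED_VERSION SEEN_VERSION, with the RPM changelog on stdin.
# SEEN_VERSION is the version the scanner reported. Prints one verdict.
triage() {
    # -F literal, -w whole word: CVE-2019-15846 must not match CVE-2019-158460
    if grep -qFw -- "$1"; then
        if version_lt "$3" "$2"; then
            echo patched-by-backport   # version looks old, fix is in the package
        else
            echo patched
        fi
    elif version_lt "$3" "$2"; then
        echo unpatched                 # old version and no changelog entry
    else
        echo fixed-by-version
    fi
}

# Constructed changelog excerpt (header lines are invented for the demo).
SAMPLE_CHANGELOG='* Fri Sep 06 2019 Example Packager <pkg@example.com> - 4.92-0.example
- Applied upstream patch for CVE-2019-15846
* Mon Jun 03 2019 Example Packager <pkg@example.com> - 4.92-0.example0
- Routine rebuild'

printf '%s\n' "$SAMPLE_CHANGELOG" | triage CVE-2019-15846 4.92.2 4.92
# On a live server: rpm -q --changelog exim | triage CVE-2019-15846 4.92.2 "$seen"
```

A changelog match describes the installed package; confirm the running daemon was restarted after the update before closing the report.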