Critical Exim Flaw Opens Servers to Remote Code Execution

exim critical flaw

A fix has been issued for a critical Exim flaw that could lead to servers crashing or remote code execution attacks being launched.

A patch has been issued for a critical flaw in the Exim email server software, which could potentially open Exim-based servers up to denial of service or remote code execution attacks.

Exim, which is free software used on Unix-like operating systems (including Linux or Mac OSX), serves as a mail transfer agent that manages mail routing services for organizations. According to a Shodan analysis, Exim is the most used mail transfer agent globally and has over five million internet-facing hosts.

This specific flaw (CVE-2019-16928) is a heap-based overflow vulnerability. A buffer overflow is a type of flaw where a buffer (a region in physical memory storage used to temporarily store data while it is being moved) that can be overwritten is allocated in the heap portion of memory (a region of process’s memory which is used to store dynamic variables). That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This specific flaw could enable bad actors to either crash servers – and also, as an Exim advisory said, “remote code execution seems to be possible.”

According to Exim, the flaw exists in the string “_vformat”, which is part of the file (string.c) of the component EHLO Command Handler. An EHLO command is an Extended Simple Mail Transfer Protocol (ESMTP) command sent by an email server to identify itself when connecting to another email server to start the process of sending an email.

“The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.” according to a Friday advisory. “While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.”

According to VuldDB, it is possible to exploit the vulnerability remotely. There are known technical details, but no exploit is available, according to the site. Threatpost has reached out to Exim for further details about when the vulnerability was discovered and disclosed.

The flaw impacts Exim versions between 4.92 up to 4.92.2. A fix has been issued in the version 4.92.3. No other mitigations exist other than updating the server, according to Exim’s advisory.

“If you can’t install the above versions, ask your package maintainer for a version containing the backported fix,” advised Exim. “On request and depending on our resources we will support [customers] in backporting the fix.”

It’s the second critical Exim vulnerability to be patched this month – earlier in September, researchers urged users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them. Another vulnerability in June was exploited in a widespread campaign to gain remote command-execution on victims’ Linux systems. Researchers said that for this flaw (CVE-2019-10149) currently more than 3.5 million servers were at risk from the attacks, which used a wormable exploit.

What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.