The popular mail server software has an off-by-one buffer overflow that can be exploited to run arbitrary code.
- A critical vulnerability in Exim allows attackers to remotely run arbitrary code without authentication.
- The vulnerability has been patched in version 4.90.1.
A critical vulnerability has been discovered in Exim, a widely deployed mail transfer agent. With a specifically crafted SMTP AUTH message, an attacker can trigger an off-by-one heap buffer overflow in the base64 decoder Exim uses to process authentication data.
The decoder runs on attacker-supplied data during the AUTH exchange, before any credential is verified, so a remote client that can reach an AUTH-capable Exim listener can trigger the overflow without valid credentials.
According to Meh Chang, a researcher at Taiwanese security firm DEVCORE who discovered the vulnerability, “exim allocates a buffer of 3*(len/4)+1 bytes to store decoded base64 data. However, when the input is not a valid base64 string and the length is 4n+3, exim allocates 3n+1 but consumes 3n+2 bytes while decoding. This causes one byte heap overflow (aka off-by-one).” This can be leveraged by attackers to run arbitrary code or as part of a denial of service attack.
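The arithmetic in the quote is easiest to see with a decoder in hand. The following is an added illustration, not Exim's source and not the 4.90.1 patch: it models a four-character-group base64 decoder that bails out with -1 on the first malformed character, sizes its output with the 3*(len/4)+1 rule from the quote, and counts (rather than performs) any write past that allocation. The `alloc_size_fixed` sizing is this example's own hypothetical alternative, and the sink, function and variable names are likewise assumptions for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Records writes instead of trusting the buffer: bytes beyond `cap` are
 * counted, not stored, so the demonstration itself never corrupts memory. */
typedef struct {
    unsigned char *buf;
    size_t cap;      /* bytes actually allocated */
    size_t written;  /* bytes the decoder tried to write */
} sink_t;

static void put(sink_t *s, unsigned char c)
{
    if (s->written < s->cap)   /* the real thing would be an unchecked *result++ */
        s->buf[s->written] = c;
    s->written++;
}

static int dec64(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The sizing described in the quote: room for complete 4-char groups plus a NUL. */
size_t alloc_size_vuln(size_t len) { return 3 * (len / 4) + 1; }

/* Hypothetical safe sizing for this example (not a claim about Exim's fix):
 * round up to the next group of four so a trailing partial group has room. */
size_t alloc_size_fixed(size_t len) { return 3 * ((len + 3) / 4) + 1; }

/* Decode `code` into `s`. Returns decoded length, or -1 on malformed input.
 * Bytes emitted before the error is detected remain counted in s->written. */
int decode_loop(const char *code, sink_t *s)
{
    int x, y;
    while ((x = (unsigned char)*code++) != 0) {
        if ((x = dec64(x)) < 0) return -1;
        if ((y = (unsigned char)*code++) == 0 || (y = dec64(y)) < 0) return -1;
        put(s, (unsigned char)((x << 2) | (y >> 4)));           /* byte 1 of group */

        if ((x = (unsigned char)*code++) == '=') {
            if (*code++ != '=' || *code != 0) return -1;         /* "xx==" must end input */
        } else {
            if (x == 0 || (x = dec64(x)) < 0) return -1;
            put(s, (unsigned char)((y << 4) | (x >> 2)));       /* byte 2 of group */

            if ((y = (unsigned char)*code++) == '=') {
                if (*code != 0) return -1;                       /* "xxx=" must end input */
            } else {
                /* A 4n+3 input with no padding fails HERE: the string ends after
                 * the third character, but bytes 3n+1 and 3n+2 are already out. */
                if (y == 0 || (y = dec64(y)) < 0) return -1;
                put(s, (unsigned char)((x << 6) | y));          /* byte 3 of group */
            }
        }
    }
    return (int)s->written;
}

/* Bytes the decoder writes beyond what `sizer` allocated for `code` (0 = safe). */
size_t overflow_bytes(const char *code, size_t (*sizer)(size_t))
{
    size_t cap = sizer(strlen(code));
    unsigned char *buf = malloc(cap);
    if (buf == NULL) return 0;
    sink_t s = { buf, cap, 0 };
    decode_loop(code, &s);
    free(buf);
    return s.written > cap ? s.written - cap : 0;
}

/* Decode with an ample buffer; returns decoded length or -1 on malformed input. */
int decode_len(const char *code)
{
    unsigned char buf[256];
    sink_t s = { buf, sizeof buf, 0 };
    return decode_loop(code, &s);
}
```

Feeding seven valid base64 characters with no padding (len = 4*1+3) to `overflow_bytes` with `alloc_size_vuln` yields 1: the allocation is 3*1+1 = 4 bytes, the first group produces three, the trailing partial group produces two more before the terminator is seen, and the fifth byte lands one past the allocation. The overflowed byte is computed from the attacker's own characters, which is what makes a single-byte heap overflow worth taking seriously. Lengths of 4n+1 and 4n+2 stop after 3n and 3n+1 bytes respectively and fit.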
The vulnerability, which has been assigned the identifier CVE-2018-6789, is present in all versions of Exim prior to 4.90.1, which was released to patch this issue.
According to a research report published this month by SecuritySpace, 556,000 identifiable mail servers run Exim; for comparison, Postfix ranks second at 330,000, with no other solution coming close. A Shodan search for Exim instances, which counts exposed banners rather than identified servers, returns just short of 4.5 million. Exim is also commonly deployed alongside the GNU Mailman mailing list manager, and is the default mail handler on cPanel-powered shared hosting.
Chang first contacted the Exim maintainers on February 5th, Linux distribution package maintainers were given early access to the fix on February 8th, and the public writeup followed on March 6th. Patches have therefore been available for roughly a month, so servers on a regular patching cadence should already be covered; the practical check is to compare the version reported by exim -bV, or the installed package version, against the fixed releases. For Debian, the fix is in 4.89-2+deb9u3 for Stretch and 4.84.2-2+deb8u5 for Jessie. These backports keep the older upstream version number, so the package revision, not the 4.90.1 string, is what to look for on those systems.
Presently there is no public proof-of-concept exploit code, and Exim developer Heiko Schlittermann has indicated that the developers believe real-world exploitation is difficult. That assessment is no substitute for patching: the overflowed byte is derived from attacker-chosen input, and a controlled one-byte heap overwrite is a well-understood starting point for heap exploitation.
Chang also discovered two other remotely triggerable, unauthenticated vulnerabilities in Exim last year: CVE-2017-16943, a use-after-free that enables remote code execution, and CVE-2017-16944, a denial of service. Both were patched in Exim 4.90.