A Vulnerability in Exim Could Allow for Remote Command Execution

ITS Advisory Number: 2019-104
Date(s) Issued: Tuesday, October 1, 2019
Subject: A Vulnerability in Exim Could Allow for Remote Command Execution
Overview:

A vulnerability has been discovered in Exim that could allow unauthenticated remote attackers to execute arbitrary system commands on the mail server. Exim is a mail transfer agent used to deploy mail servers on Unix-like systems. Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

The vulnerability is relatively easy to exploit; it's probable that attackers will be searching for and exploiting vulnerable versions of this software soon. Proof of Concept code can be found in the references below.

Systems Affected: 
  • Exim versions prior to 4.92.3

RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: Medium
BUSINESS
  Large and medium business entities: High
  Small business entities: Medium
Home Users: Low
Description: 

A vulnerability has been discovered in Exim that could allow unauthenticated remote attackers to execute arbitrary system commands by sending a large, specially crafted Extended HELO (EHLO) string to the mail server.

The vulnerability is a heap buffer overflow in the string_vformat() function in string.c. The function does not account for the size of the input string and can therefore write past the end of its buffer. This can crash the mail server process and potentially allow remote code execution.

Successful exploitation of this vulnerability will enable the attacker to perform command execution as root in the context of the mail server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • After appropriate testing, immediately apply patches provided by Exim to vulnerable systems.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.
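As an added example (not part of this advisory or of Exim itself), the following Python script parses the version line of `exim -bV` output and flags any version earlier than 4.92.3; the sample output embedded in it is constructed, and the `exim4` binary name is the one Debian-based systems use.

```python
import re
import shutil
import subprocess

# The advisory lists versions prior to 4.92.3 as affected.
FIXED_VERSION = (4, 92, 3)

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV_OUTPUT = """Exim version 4.92 #2 built 01-Sep-2019 10:12:02
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl TLS=GnuTLS
"""

def parse_version(bv_output):
    """Return the dotted Exim version from `exim -bV` output as an int tuple.
    The '#N' build counter is not part of the version and is ignored."""
    match = re.search(r"^Exim version (\d+(?:\.\d+)*)", bv_output, re.MULTILINE)
    if not match:
        raise ValueError("no 'Exim version' line found in output")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(version):
    """True when version is earlier than 4.92.3. Tuple comparison is
    lexicographic and a shorter prefix sorts first, so (4, 92) < (4, 92, 3)
    while (4, 93) > (4, 92, 3), which is the ordering we want."""
    return tuple(version) < FIXED_VERSION

def assess(bv_output):
    """Return (version_string, vulnerable) for one `exim -bV` output."""
    version = parse_version(bv_output)
    return ".".join(str(p) for p in version), is_vulnerable(version)

def main():
    # Query the real binary when present on this host, else use the sample.
    exim = shutil.which("exim") or shutil.which("exim4")
    if exim:
        output = subprocess.run([exim, "-bV"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_BV_OUTPUT
    version, vulnerable = assess(output)
    state = "affected (prior to 4.92.3)" if vulnerable else "not affected"
    print(f"Exim {version}: {state}")

if __name__ == "__main__":
    main()
```

Distributions frequently backport the fix without raising the reported version string, so treat an "affected" result as a prompt to confirm against the vendor's package changelog rather than as proof of exposure.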