For the second time in less than a month, organizations running the Exim mail server have a new patch to install after the maintainers of the mail transfer agent identified a serious flaw that could allow a remote attacker to crash the server or possibly obtain remote code execution.
The vulnerability is not quite as serious as the one identified in early September, which was a simple path to obtain root privileges on a vulnerable server, but it is concerning enough that the Exim maintainers released an announcement about the upcoming patched release before it was even ready. The bug can be exploited by sending a specially crafted message to the Exim mail server.
“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message. While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist,” the advisory from the Exim maintainers says.
Exim is among the more popular mail servers, especially in Linux environments, so vulnerabilities in the server become natural targets for opportunistic attackers.
The vulnerability affects versions 4.92 through 4.92.2, and the advisory says that it may be possible to use it to achieve remote code execution. The patched version is 4.92.3, and as there are no known mitigations for the vulnerability, patching is the only known protection. A proof-of-concept exploit is included in the advisory.
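Since patching is the only protection, the first thing an administrator wants is a quick way to tell whether a host sits in the affected 4.92 through 4.92.2 range. The following is an added example, not code from the article or from the Exim project: it parses the version out of `exim -bV` output or an SMTP greeting banner and classifies it against the range the advisory gives. The sample strings are constructed for illustration.

```python
import re

# Range stated in the advisory: 4.92 up to and including 4.92.2 is affected;
# 4.92.3 carries the fix. Versions are compared as (major, minor, patch) tuples.
AFFECTED_MIN = (4, 92, 0)
AFFECTED_MAX = (4, 92, 2)
FIXED = (4, 92, 3)

# Matches "Exim version 4.92.2" (from `exim -bV`) and "ESMTP Exim 4.92.3" (from
# the 220 greeting). The patch component is optional, as in the bare "4.92".
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text):
    """Return (major, minor, patch) found in text, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text):
    """Classify a version string: vulnerable, patched, outside-advisory-range or unknown."""
    version = parse_exim_version(text)
    if version is None:
        return "unknown"
    if is_affected(version):
        return "vulnerable"
    if version >= FIXED:
        return "patched"
    # Older than 4.92: not covered by this advisory (the September bug is a separate issue).
    return "outside-advisory-range"


if __name__ == "__main__":
    # Constructed sample inputs, in the shapes `exim -bV` and an SMTP banner produce.
    samples = [
        "Exim version 4.92.2 #2 built 07-Sep-2019 12:00:00",
        "220 mail.example.test ESMTP Exim 4.92.3 Mon, 30 Sep 2019 10:00:00 +0000",
        "Exim version 4.92 #1 built 10-Feb-2019 09:30:00",
    ]
    for line in samples:
        print(f"{assess(line):>22}  <-  {line}")
```

`exim -bV` normally needs to be run as root, and a site can rewrite its greeting with the `smtp_banner` option, so treat a banner-derived result as a hint and confirm it on the host.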
“This could potentially be further exploited to execute arbitrary code on the host. The flaw was found internally by the QAX A-Team, who submitted the patch. However, the bug is trivial to exploit, and it’s likely attackers will begin actively probing for and attacking vulnerable Exim MTA systems in the near future,” said Scott Caveza, research engineering manager at Tenable.
In early September, researchers discovered a critical flaw in Exim that could be used to get root privileges in some situations. That vulnerability affected all versions of Exim up through 4.9.1 and had to do with the way that the mail server handled the initial TLS handshake.
“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC,” the earlier Exim advisory said.