Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Bug already plugged, get updating

server

Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent.

The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at potential risk to remote code execution-style attacks. Fortunately a patched version (Exim version 4.90.1) is already available.

The bug might be exploited by unauthenticated users rather than hackers who have already broken into targeted systems or scored login credentials through some other (doubtless nefarious) means.

Meh Chang, the Taiwanese researcher from the DEVCORE research team who uncovered the flaw, was able to bypass security mitigations built into Exim (such as Address Space Layout Randomisation) in developing a proof-of-concept exploit.

Structure of a handcrafted message capable of exploiting the Exim bug

Structure of a handcrafted message capable of exploiting the Exim bug

The bug stems from (previously dormant) flaws introduced since the first commit of Exim, so all versions prior to the latest update are affected. More details about the vulnerability can be found here.

In an advisory, the developers behind Exim confirmed the development of a patch while playing down the severity of the flaw.

There is a buffer overflow in base64d(), if some pre-conditions are met.

Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known.

The bug was reported to the Exim team on Monday and they managed to develop and release a fix only two days later.

Another coding error that also represented a remote code execution risk in Exim was discovered and plugged in November. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018