Buffer overflow in Unix mailer Exim imperils 400,000 email servers
Bug already plugged, get updating
Posted in Security, 7th March 2018 17:33 GMT
Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent.
The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at potential risk to remote code execution-style attacks. Fortunately a patched version (Exim version 4.90.1) is already available.
The bug might be exploited by unauthenticated users rather than hackers who have already broken into targeted systems or scored login credentials through some other (doubtless nefarious) means.
Meh Chang, the Taiwanese researcher from the DEVCORE research team who uncovered the flaw, was able to bypass security mitigations built into Exim (such as Address Space Layout Randomisation) in developing a proof-of-concept exploit.
The bug stems from (previously dormant) flaws introduced since the first commit of Exim, so all versions prior to the latest update are affected. More details about the vulnerability can be found here.
In an advisory, the developers behind Exim confirmed the development of a patch while playing down the severity of the flaw.
There is a buffer overflow in base64d(), if some pre-conditions are met.
Using a handcrafted message, remote code execution seems to be possible.
A patch exists already and is being tested.
Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known.
The bug was reported to the Exim team on Monday and they managed to develop and release a fix only two days later.
Another coding error that also represented a remote code execution risk in Exim was discovered and plugged in November. ®