Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Bug already plugged, get updating

By John Leyden

Posted in Security, 7th March 2018 17:33 GMT

Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent.

The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at potential risk to remote code execution-style attacks. Fortunately a patched version (Exim version 4.90.1) is already available.

The bug can be exploited by unauthenticated remote users, not only by attackers who have already broken into targeted systems or obtained login credentials through some other (doubtless nefarious) means.

Meh Chang, the Taiwanese researcher from the DEVCORE research team who uncovered the flaw, was able to bypass security mitigations built into Exim (such as Address Space Layout Randomisation) in developing a proof-of-concept exploit.

Structure of a handcrafted message capable of exploiting the Exim bug

The bug stems from (previously dormant) flaws introduced since the first commit of Exim, so all versions prior to the latest update are affected. More details about the vulnerability can be found here.

In an advisory, the developers behind Exim confirmed the development of a patch while playing down the severity of the flaw.

There is a buffer overflow in base64d(), if some pre-conditions are met.

Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity; we *believe* an exploit is difficult. A mitigation isn't known.
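The advisory places the overflow in base64d(). Decoders of that kind are a recurring source of heap overflows because the output buffer is often sized from the number of complete four-character groups in the input, while tolerant decoders also emit bytes for a trailing partial (unpadded) group. The following C is an added illustration of that bug class and its fix; it is not Exim's code and makes no claim about Exim's exact arithmetic. The functions `naive_decoded_size`, `safe_decoded_size`, `b64_decode` and `naive_size_overflows` are hypothetical names chosen for this example, and the input "aGVsbG8" is a constructed sample (unpadded base64 of "hello").

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only (not Exim's base64d()): shows why a base64 decoder's
 * output buffer must be sized for the worst case, not for len/4 whole groups. */

/* Naive estimate: assumes the input is a whole number of 4-char groups,
 * plus one byte for a NUL terminator. Under-allocates for unpadded input. */
size_t naive_decoded_size(size_t in_len) { return 3 * (in_len / 4) + 1; }

/* Safe upper bound: rounds the input up to whole groups, so a trailing
 * partial group (which may still emit 1 or 2 bytes) is accounted for. */
size_t safe_decoded_size(size_t in_len) { return 3 * ((in_len + 3) / 4) + 1; }

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Tolerant decoder (accepts unpadded input, stops at '='). Writes decoded
 * bytes plus a NUL into out[0..out_cap). Returns the number of decoded bytes,
 * or -1 if the input is invalid or the output would not fit. The explicit
 * capacity check is what turns an overflow into a clean error. */
long b64_decode(const char *in, unsigned char *out, size_t out_cap) {
    uint32_t acc = 0;   /* bit accumulator */
    int bits = 0;       /* number of valid bits in acc */
    size_t n = 0;       /* bytes written so far */

    for (const char *p = in; *p != '\0' && *p != '='; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;          /* bounds check */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;              /* keep only leftover bits */
        }
    }
    if (n >= out_cap) return -1;                  /* room for the terminator */
    out[n] = '\0';
    return (long)n;
}

/* Returns 1 if decoding an unpadded input of in_len characters (plus NUL)
 * would overrun a buffer sized by naive_decoded_size(), else 0. */
int naive_size_overflows(size_t in_len) {
    size_t emitted = (in_len * 6) / 8 + 1;        /* decoded bytes + NUL */
    return emitted > naive_decoded_size(in_len) ? 1 : 0;
}

int main(void) {
    const char *sample = "aGVsbG8";               /* constructed: unpadded "hello" */
    unsigned char buf[16];
    size_t len = strlen(sample);

    for (size_t l = 4; l <= 11; l++)
        printf("len %zu: naive=%zu safe=%zu overflow=%d\n", l,
               naive_decoded_size(l), safe_decoded_size(l), naive_size_overflows(l));

    /* With the naive size (4 bytes) the decoder refuses; with the safe size it succeeds. */
    printf("naive cap: %ld\n", b64_decode(sample, buf, naive_decoded_size(len)));
    printf("safe  cap: %ld (%s)\n", b64_decode(sample, buf, safe_decoded_size(len)), buf);
    return 0;
}
```

Running it shows that input lengths of the form 4n+2 and 4n+3 exceed the naive allocation while the rounded-up bound always suffices; the decoder's capacity check is the defence that a fixed decoder should carry independently of how the caller sized the buffer.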

The bug was reported to the Exim team on Monday and they managed to develop and release a fix only two days later.

Another coding error that also represented a remote code execution risk in Exim was discovered and plugged in November. ®
