Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Bug already plugged, get updating

By John Leyden


Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent.

The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers potentially exposed to remote code execution attacks. Fortunately a patched version (Exim version 4.90.1) is already available.

The bug could be exploited by unauthenticated remote users, rather than only by hackers who have already broken into targeted systems or obtained login credentials through some other (doubtless nefarious) means.

Meh Chang, the Taiwanese researcher from the DEVCORE research team who uncovered the flaw, was able to bypass security mitigations built into Exim (such as Address Space Layout Randomisation) in developing a proof-of-concept exploit.

[Figure: Structure of a handcrafted message capable of exploiting the Exim bug]

The bug stems from a (previously dormant) flaw present since the first commit of Exim, so all versions prior to the latest update are affected. More details about the vulnerability can be found here.

In an advisory, the developers behind Exim confirmed the development of a patch while playing down the severity of the flaw.

There is a buffer overflow in base64d(), if some pre-conditions are met.

Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity; we *believe* an exploit is difficult. A mitigation isn't known.
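The advisory above names a buffer overflow in base64d() without saying what the bug looks like. As an added illustration (not Exim's code, and not a reconstruction of the patch), the decoder below shows the defensive shape a base64 decoder needs: it computes the exact decoded length from the input length before allocating, including the case where the input has 4n+3 characters and produces 3n+2 bytes, and it reserves the terminating NUL up front, so no write can land past the buffer. The function names b64_decoded_len, b64_value and b64_decode are this example's own.

```c
/* Added example, not Exim's code: a base64 decoder that sizes its output
 * buffer exactly before writing, the bound check whose absence is the general
 * shape of a base64 decoding overflow. Accepts padded and unpadded input. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decoded byte count for `len` base64 characters (padding '=' excluded):
 * every full group of 4 yields 3 bytes, a trailing 2 or 3 characters yield
 * 1 or 2 bytes. Returns -1 for a length no valid encoding produces (len % 4 == 1). */
long b64_decoded_len(size_t len) {
    size_t rem = len % 4;
    if (rem == 1) return -1;
    return (long)((len / 4) * 3 + (rem == 0 ? 0 : rem - 1));
}

/* Map one alphabet character to its 6-bit value, or -1 if it is not base64. */
static int b64_value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `src` into a freshly allocated buffer of b64_decoded_len() bytes
 * plus one byte for a terminating NUL (so text payloads can be used as C
 * strings). Returns NULL on malformed input; *out_len receives the length. */
unsigned char *b64_decode(const char *src, size_t *out_len) {
    size_t len = strlen(src);
    /* Drop trailing '=' padding before sizing; the formula handles the rest. */
    while (len > 0 && src[len - 1] == '=') len--;
    long need = b64_decoded_len(len);
    if (need < 0) return NULL;
    unsigned char *out = malloc((size_t)need + 1);   /* +1 for the NUL */
    if (!out) return NULL;

    size_t o = 0;
    uint32_t acc = 0;   /* bit accumulator; only the low 13 bits are ever read */
    int bits = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64_value((unsigned char)src[i]);
        if (v < 0) { free(out); return NULL; }
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            /* b64_decoded_len() guarantees o < need at this point. */
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    out[o] = '\0';   /* fits: the buffer holds need + 1 bytes */
    *out_len = o;
    return out;
}
```

The point for a reviewer is the order of operations: the allocation size is derived from the same formula that bounds the write loop, so the two cannot drift apart for an input length the decoder did not anticipate, and leftover bits from a 4n+2 or 4n+3 tail are discarded rather than emitted.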

The bug was reported to the Exim team on Monday and they managed to develop and release a fix only two days later.

Another coding error that also represented a remote code execution risk in Exim was discovered and plugged in November. ®
