Exim developers fixed a new critical vulnerability

The developers updated Exim to version 4.92.3, fixing a new critical DoS vulnerability, which theoretically allowed an attacker to execute malicious code on the target server.

The vulnerability was identified by CVE-2019-16928 and was discovered by QAX-A-TEAM.

The problem is with the heap buffer overflow in string_vformat (string.c) that occurs when Exim processes an extremely long string in the Extended HELO (EHLO) of the Extended Simple Mail Transfer Protocol (ESMTP) command message.

“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses a extraordinary long EHLO string to crash the Exim process that is receiving the message. While at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist and remote code execution seems to be possible”, — Exim’s security team said.

In fact, this means that an attacker can inject malicious code into EHLO, thereby remotely provoking an error in the server. This can lead to both denial of service and code execution, researchers warn.

Although no attacks on this vulnerability have been detected yet, a PoC exploit has already been published in the public domain.

Recalling, this is not the first serious problem in Exim in recent times. For example, last summer Exim found a bug CVE-2019-10149, which allowed attackers to run commands as root on remote mail servers.

Soon was found another critical vulnerability, CVE-2019-15846, which also allowed the execution of arbitrary code with root privileges. According to a mail server survey published by E-Soft Inc, Exim is currently the most used MX server being installed on more than 57% out of a total of 1,740,809 mail servers reachable on the Internet, representing just over 507,000 Exim servers.

What’s important is that hundreds of thousands — if not millions of servers — are currently exposed to denial of service (possibly to remote code execution) and remote command execution attacks if not urgently patched against CVE-2019-16928 and CVE-2019-15846.