Exim is the most widely deployed MX server, running on more than 57% of the mail servers reachable on the Internet. Exim has released an urgent security update today; the vendor had issued an advance warning so that administrators could install the update as soon as it was published.
The vulnerability is tracked as CVE-2019-16928 and is classified as a heap-based buffer overflow (CWE-122). The flaw is in the function string_vformat in string.c. It allows an attacker to crash the application and potentially to execute arbitrary code. The bug is a simple coding error: the length of the EHLO string was not taken into account when it was formatted into the buffer, and it was corrected with a one-line fix that accounts for the length of the string written to the buffer.
Figure: the patch that fixes the vulnerability.
A proof of concept has been published by Jeremy Harris of the Exim development team. The known exploit uses an extraordinarily long EHLO string and only crashes the Exim process; other paths that reach the vulnerable code may exist and could allow arbitrary code execution. According to the Exim advisory, by the time EHLO is processed Exim has already dropped its privileges, so a crash there does not by itself yield root. An unauthenticated remote attacker can therefore cause a denial of service by sending an EHLO command carrying a large amount of data.
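To make the bug class in the two paragraphs above concrete, here is an added example (not Exim's string.c and not the published PoC) of a toy string-append routine whose space check counts only the fixed reply text and forgets the caller-supplied EHLO name, beside the checked version that adds the missing length term. The gstring type, the reply prefix, the 256-byte buffer and the 4000-byte name are assumptions made for the demo; a canary region behind the logical buffer makes the overflow observable without crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable-string type, loosely shaped like a gstring: 'size' is the
 * logical capacity and 'ptr' the number of bytes used. Added example only;
 * this is not Exim's string.c. */
typedef struct {
    char  *s;
    size_t size;   /* capacity the code believes it has */
    size_t ptr;    /* bytes used so far */
} gstring;

#define CANARY_LEN  64
#define CANARY_BYTE 0xAA
/* Extra slack behind the canary so the deliberately broken append stays
 * inside memory this demo owns instead of trampling the real heap. */
#define SLACK       8192

static gstring *gstring_new(size_t size)
{
    gstring *g = malloc(sizeof *g);
    if (!g) return NULL;
    g->s = malloc(size + CANARY_LEN + SLACK);
    if (!g->s) { free(g); return NULL; }
    memset(g->s + size, CANARY_BYTE, CANARY_LEN);   /* guard right behind buffer */
    g->size = size;
    g->ptr = 0;
    return g;
}

/* 1 if the canary right behind the logical buffer is untouched, else 0. */
static int canary_intact(const gstring *g)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if ((unsigned char)g->s[g->size + i] != CANARY_BYTE) return 0;
    return 1;
}

/* Vulnerable pattern: the space check counts only the fixed text of the
 * reply and forgets the attacker-controlled EHLO name, so a long name is
 * copied straight past the end of the logical buffer. */
static int append_reply_vuln(gstring *g, const char *fixed, const char *helo)
{
    size_t flen = strlen(fixed), hlen = strlen(helo);
    if (g->ptr + flen > g->size) return -1;          /* hlen never considered */
    memcpy(g->s + g->ptr, fixed, flen);
    memcpy(g->s + g->ptr + flen, helo, hlen);        /* overflow happens here */
    g->ptr += flen + hlen;
    return 0;
}

/* Fixed pattern: the one extra term in the check, the length of the
 * argument being formatted, keeps the write inside the buffer. */
static int append_reply_fixed(gstring *g, const char *fixed, const char *helo)
{
    size_t flen = strlen(fixed), hlen = strlen(helo);
    if (g->ptr + flen + hlen > g->size) return -1;   /* refuse instead of overflow */
    memcpy(g->s + g->ptr, fixed, flen);
    memcpy(g->s + g->ptr + flen, helo, hlen);
    g->ptr += flen + hlen;
    return 0;
}

/* Constructed input standing in for the oversized EHLO argument: n bytes of 'A'. */
static char *make_long_ehlo_name(size_t n)
{
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

static void gstring_free(gstring *g) { if (g) { free(g->s); free(g); } }

int main(void)
{
    const char *fixed = "250-mail.example.net Hello ";   /* hypothetical reply prefix */
    char *name = make_long_ehlo_name(4000);
    gstring *a = gstring_new(256), *b = gstring_new(256);

    append_reply_vuln(a, fixed, name);
    printf("unchecked append: canary %s\n", canary_intact(a) ? "intact" : "CORRUPTED");

    int rc = append_reply_fixed(b, fixed, name);
    printf("checked append: rc=%d, canary %s\n", rc, canary_intact(b) ? "intact" : "CORRUPTED");

    gstring_free(a); gstring_free(b); free(name);
    return 0;
}
```

In a real process the bytes that land past the buffer overwrite whatever heap object follows, which is why the outcome ranges from a clean crash to something exploitable; the canary only makes the write visible here.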
A month ago, Exim was patched for a critical remote code execution vulnerability (CVE-2019-15846) that allowed a remote unauthenticated attacker to execute programs with root privileges. In July, Exim was patched for another critical remote command execution vulnerability (CVE-2019-10149) that was being actively exploited in the wild. Detailed information about those vulnerabilities is available in our blogs on CVE-2019-15846 and CVE-2019-10149. We urge system administrators to install the latest Exim update as soon as possible.
Affected versions: Exim Mail Server 4.92 through 4.92.2. The fix is in Exim 4.92.3.
Impact: an unauthenticated remote attacker can crash Exim (denial of service) and potentially execute arbitrary code.