Stop us if you've heard this one before: Yet another critical flaw threatens Exim servers
Remote code flaw sparks calls for major updates
Admins of Linux and Unix boxes running Exim would be well-advised to update the software following the disclosure of another critical security flaw.
The Exim 4.92.3 patch, released on September 28th, includes a fix to close up the CVE-2019-16928 flaw.
Discovered by bug-hunters with the QAX A-Team, the vulnerability is a buffer overflow that occurs when Exim processes an extremely long string in an Extended HELO (EHLO) command, the greeting a client sends at the start of an Extended SMTP (ESMTP) session.
In practice, an attacker could embed an exploit in the EHLO message and trigger the bug remotely to take control of the targeted server. So far, no active attacks on the flaw have been reported in the wild.
"It's a simple coding error, not growing a string by enough," said Jeremy Harris, the Exim dev who patched the flaw in what he described as a simple "one-line fix."
Debian and Ubuntu have already posted updates to address the bug in their respective distros, so most admins should be able to get a fixed Exim build through their package managers. Interestingly, the flaw is only present in Exim 4.92 and later, so boxes that still use 4.91 or earlier are not vulnerable.
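As an added defender-side example (not code from the article or the Exim project), the following Python does two things the article's facts support: it decides whether an Exim version string falls in the affected 4.92.0 to 4.92.2 range, and it flags EHLO commands in an SMTP session transcript whose argument is far longer than any real hostname. The 1024-byte alert threshold and the sample session are assumptions constructed for the example.

```python
"""Triage helpers for CVE-2019-16928 (Exim EHLO buffer overflow)."""
import re

# Version facts from the article: 4.91 and earlier are not affected,
# 4.92 introduced the bug, and 4.92.3 is the release that fixed it.
FIRST_AFFECTED = (4, 92, 0)
FIXED_IN = (4, 92, 3)

# RFC 5321 caps a domain name at 255 octets, so an EHLO argument far
# beyond that is not a hostname. The 1024 threshold is an assumption
# chosen for this example, not a value from the article or from Exim.
EHLO_ALERT_LENGTH = 1024

EHLO_RE = re.compile(r"^\s*(?:EHLO|HELO)\s+(.*?)\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '4.92.2', '4.92' or 'Exim version 4.92.1' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text: str) -> bool:
    """True for 4.92.0 through 4.92.2; False for 4.91 and below or 4.92.3+."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_IN


def oversized_ehlo_lines(transcript: str, limit: int = EHLO_ALERT_LENGTH) -> list:
    """Return (line_no, arg_length) for each EHLO/HELO whose argument exceeds limit."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), start=1):
        m = EHLO_RE.match(line)
        if m and len(m.group(1)) > limit:
            hits.append((n, len(m.group(1))))
    return hits


# Constructed sample session: one normal greeting, then an absurdly long one.
SAMPLE_SESSION = "\n".join([
    "220 mail.example.test ESMTP Exim 4.92.2",
    "EHLO client.example.test",
    "250-mail.example.test Hello client.example.test",
    "EHLO " + "A" * 4096,
])

if __name__ == "__main__":
    print("affected:", is_affected("Exim version 4.92.2"))
    print("oversized EHLO lines:", oversized_ehlo_lines(SAMPLE_SESSION))
```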
The update arrives just a few weeks after Exim was patched for another critical RCE bug. That flaw, designated CVE-2019-15846, would have allowed a remote attacker to run code and commands with root level privileges.
While not particularly well known, Exim is an extremely common component for Unix and Linux servers and workstations where it is used as a message transfer agent (MTA) to handle emails.
Thanks to the advent of Shodan and other IP-crawling tools, it has been shown that there are millions of internet-facing servers that use Exim, making the software an attractive target for exploits. ®