A critical remote code execution flaw affects over half of the Internet's email servers, and there's no fix for it available, just yet.

The bug is a vulnerability in Exim, a mail transfer agent (MTA), which is software that runs on email servers and that relays emails from senders to recipients.

According to a survey conducted in March 2017, 56% of all of the Internet's email servers run Exim, with over 560,000 available online at the time. Another more recent report puts that number in the millions.

Two bugs discovered. One leads to remote code execution.

According to a security alert published last week on Exim's website, the Exim development team was notified of two bugs that impact Exim 4.88 and 4.89, the two latest Exim versions.

The most dangerous of the two bugs is the one tracked as CVE-2017-16943, which is a use-after-free vulnerability that leads to remote code execution on affected servers.

The bug affects Exim "chunking," a feature that allows the breaking and sending of emails in multiple "chunks." Exim servers break down, handle, and reconstruct chunks using special commands.

A Taiwanese security researcher named Meh Chang discovered that Exim mishandles BDAT commands, which leads to CVE-2017-16943, and allows an attacker to target Exim installations and execute malicious code on the underlying server.

Over 400,000 Exim installations may be affected

If Exim would be a marginally used app and chunking would be an obscure feature, this wouldn't be a problem. But they're not. According to another security researcher, there are over 400,000 Exim servers available online that have "chunking" enabled.

So someone dropped CVE-2017-16943 and CVE-2017-16944 over thanksgiving holidays; RCE in Exim Mail server; Shodan.io shows 400,000+ servers with the vuln CHUNKING feature. Patch it before the bad guys start raining shells on your mail servers. — Philip (@_miw) November 26, 2017

The Taiwanese researcher who discovered the bug published his findings, including proof-of-concept code, on Exim's public bug tracker. The researcher said the Exim team did not list an email address for reporting security flaws in private, a mistake that the Exim team admitted.

"A tentative patch exists but has not yet been confirmed," said Phil Pennock, one of the Exim developers, in a security alert published late last week.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:



chunking_advertise_hosts =



That's an empty value, nothing on the right of the equals. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic.

Mehqq_ also reported a second bug —CVE-2017-16944— which is only a simple denial of service (DoS) bug that causes an infinite loop and crashes Exim servers. This bug, too, is exploitable via the chunking feature and BDAT verbiage.

There's no timeline for a permanent fix, but Exim server owners should be on alert for Exim 4.90 coming out in the following days or weeks.