400K+ Exim MTA affected by overflow vulnerability on Linux/Unix

Exim is a free and open source message transfer agent (MTA) developed at the University of Cambridge. It is famous on Unix and Linux systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. There is a buffer overflow in base64d() of Exim MTA that allows an attacker to run code remotely. ALL versions of Exim MTA affected by overflow vulnerability i.e. CVE-2018-6789.



ADVERTISEMENTS



Exim MTA affected by overflow vulnerability



Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely:

To estimate the severity of this bug, Meh developed an exploit targeting SMTP daemon of exim. The exploitation mechanism used to achieve pre-auth remote code execution is described in the following paragraphs. In order to leverage this one byte overflow, it is necessary to trick memory management mechanism. It is highly recommended to have basic knowledge of heap exploitation before reading this section. We developed the exploit with: Debian(stretch) and Ubuntu(zesty)

SMTP daemon of Exim4 package installed with apt-get (4.89/4.88)

Config enabled (uncommented in default config) CRAM-MD5 authenticator (any other authenticator using base64 also works)

Basic SMTP commands (EHLO, MAIL FROM/RCPT TO) and AUTH According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.

How to fix bug on a Debain/Ubuntu Linux

You must upgrade your exim4 packages. For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5. Ubuntu user should update as follows:

Ubuntu 14.04 LTS (Trusty Tahr): Version 4.82-3ubuntu2.4 Ubuntu 16.04 LTS (Xenial Xerus): Version 4.86.2-2ubuntu2.3 Ubuntu 17.10 (Artful Aardvark): Version 4.89-5ubuntu1.3 Ubuntu 18.04 LTS (Bionic Beaver): Version 4.90.1-1ubuntu1

For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3. One can simply run the apt command/apt-get command to update the system:

$ sudo apt update

$ sudo apt upgrade

## verify it ##

$ dpkg --list exim4\*

$ debsecan | grep -i CVE-2018-6789

See “If Patch Number ( CVE ) Has Been Applied To Debian/Ubuntu Linux” for more info.

A note about CentOS/RHEL user

CentOS and RHEL 6/7 user should upgrade their server using the yum command method:

$ sudo yum update

## verify ##

$ rpm -q --changelog exim | grep CVE-2018-6789

There won’t be any fix for CentOS/RHEL version 5.x or older. Fedora use should run the dnf command:

$ sudo dnf update

## verify ##

$ rpm -q --changelog exim | grep CVE-2018-6789

See “If Patch Number ( CVE ) Has Been Applied To RHEL / CentOS Linux” for more info.

A note about cPanel

cPanel has patched this bug and released it in February. You can verify with the following command:

$ rpm -q --changelog exim | grep CVE-2018-6789

See how to upgrade cPanel server for more info here.

Read more:

We suggest that you read the following resources