A critical vulnerability affects hundreds of thousands of email servers. A fix has been released but this flaw affects more than half of the Internet's email servers, and patching the issue will take weeks if not months.

The bug is a vulnerability in Exim, a mail transfer agent (MTA) —software that runs on email servers and which relays emails from senders to recipients.

According to a survey conducted in March 2017, 56% of all of the Internet's email servers run Exim, with over 560,000 available online at the time. Another more recent report puts that number in the millions.

The bug allows for remote code execution

A Taiwanese security researcher named Meh Chang discovered the bug, which he reported to the Exim crew on February 2. The Exim team released Exim distribution 4.90.1 on February 10 that fixes the RCE issue.

The bug —tracked as CVE-2018-6789— is categorized as a "pre-auth remote code execution," meaning an attacker could trick the Exim email server into running malicious commands before the attacker would need to authenticate on the server.

The actual bug is a one-byte buffer overflow in the base64 decode function of Exim and affects all Exim versions ever released.

Chang described the bug in a blog post released earlier today, detailing basic steps for exploiting Exim's SMTP daemon.

No PoC or exploit code available

In a security advisory, the Exim team publicly acknowledged the issue. "Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known," the Exim team said.

Since Exim 4.90.1's release, updated Exim versions have trickled down to Linux distros used primarily in data centers, but the question remains about the number of unpatched systems that remain online. Taking into account that Exim is by far the most popular mail agent, CVE-2018-6789 opens a large attack surface, and Exim server owners should look into deploying the Exim 4.90.1 update as soon as possible.

At the time of writing, there is no public exploit code for taking advantage of vulnerable Exim servers, but this will likely change in the days following Chang's blog post.

Chang also discovered two other Exim bugs last year, which also led to remote code execution. Those bugs were patched in Exim 4.90.