About half a million email systems running the hugely popular Exim Mail Transfer Agent (MTA) have yet to be patched for a potentially dangerous security flaw made public earlier this week.
Disclosed to the software’s maintainers in early February by Meh Chang, from security firm Devcore Security Consulting, the Exim vulnerability is a one-byte buffer overflow in the software’s Base64 decoding.
Notes Chang:
Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.
The researcher’s proof-of-concept exploit targeted this through the preamble to the SMTP daemon’s authentication process, before any emails are sent or received.
Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.
This prompted Exim’s developers to respond:
Currently we’re unsure about the severity, we *believe* an exploit is difficult. A mitigation isn’t known.
By which they mean that defending against the flaw requires an update rather than a configuration tweak. The flaw is tracked as CVE-2018-6789, and the fixed version, 4.90.1, was first made available on 10 February.
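Chang's remark above that the overflow only bites "when the string fits some specific length" comes from an off-by-one in how the pre-4.90.1 decoder sized its output buffer. The following model, added here as an illustration and not code from the article or from Exim, reproduces that arithmetic in Python: the allocation formula (3 * (len / 4) + 1, integer division) is my reading of the Devcore write-up, not something this article states, and the sample inputs are constructed. Running it shows that only encoded strings of length 4n+3 produce one more decoded byte than the buffer holds, which is why an ordinary email session rarely trips the bug.

```python
import base64

# Assumed allocation rule of the unpatched decoder (from the public write-up,
# not from this article): room for 3 bytes per 4 input chars, plus one.
def unpatched_alloc_size(encoded_len: int) -> int:
    return 3 * (encoded_len // 4) + 1


def decoded_len(encoded: str) -> int:
    """Number of bytes an unpadded base64 string really decodes to.

    A length of 4n+1 is malformed base64 and is rejected here.
    """
    rem = len(encoded) % 4
    if rem == 1:
        raise ValueError("malformed base64: length 4n+1 cannot be decoded")
    padded = encoded + "=" * ((4 - rem) % 4)
    return len(base64.b64decode(padded))


def overflow_bytes(encoded: str) -> int:
    """How many decoded bytes land past the end of the undersized buffer (0 = safe)."""
    return max(0, decoded_len(encoded) - unpatched_alloc_size(len(encoded)))


def risky_lengths(max_len: int) -> list:
    """Every well-formed input length up to max_len that overflows the buffer."""
    risky = []
    for n in range(2, max_len + 1):
        if n % 4 == 1:
            continue  # malformed, never reaches the copy
        if overflow_bytes("A" * n) > 0:
            risky.append(n)
    return risky


if __name__ == "__main__":
    # Constructed samples: 8 chars decode cleanly, 7 chars spill one byte.
    for sample in ("QUJDREVG", "QUJDREVGR"[:7]):
        print(f"{sample!r}: alloc={unpatched_alloc_size(len(sample))} "
              f"decoded={decoded_len(sample)} overflow={overflow_bytes(sample)}")
    print("lengths that overflow (<=16):", risky_lengths(16))
```

The model tracks only the decoded payload bytes, not any terminator the real decoder might also write; the point it makes is that the undersizing is purely a function of input length, which is why the fix is a code change and not a configuration setting.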
The main takeaway is that this flaw affects all Exim versions going back to its first appearance in 1995 as a University of Cambridge Computing Service project to build a sophisticated alternative to the older Sendmail.
Would it really be hard to exploit? Granted, the PoC design involves a sophisticated sequence of memory manipulation but the MO is now in the public domain, forever.
The clock is ticking for unpatched servers and it’s probably best not to wait and find out if somebody can find a way to turn a remotely triggerable bug into an RCE.
Devcore put the number of vulnerable systems at “at least 400k servers”.
One up-to-date survey puts the number of public-facing email servers on the Internet at around 1.9 million, half of which identified the software they were running. Of these, 560,000 (or 57%) were running Exim, putting it way ahead of Postfix and the now rapidly declining Sendmail. Some of those systems will already have been patched, though.
Shodan, the search engine for internet-connected systems, pins the number of Exim servers in the low millions.
Exim is the sort of software it would be easy to ignore, even after a slight quickening in the number of flaws reported in it in the last year or so. Given its huge popularity, applying the update should be considered an urgent matter.
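The practical question for an administrator is simply whether a given server is running Exim and, if so, whether it is older than 4.90.1. The script below is an added example, not code from the article or from the Exim project: it parses the version out of text you already have to hand, either the SMTP greeting banner or the output of Exim's own version report, and says whether an update is called for. The banner and report strings are constructed samples, and the version-string layout they assume is the usual "Exim 4.xx" form.

```python
import re

FIXED_VERSION = (4, 90, 1)   # first release carrying the fix, per the article

# Matches "Exim 4.89", "Exim 4.90.1" and "Exim version 4.90.1" (exim -bV output).
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str):
    """Return (major, minor, patch) from a banner or version report, or None if not Exim."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def needs_update(text: str) -> str:
    """Classify a server from its banner: 'not-exim', 'update-required' or 'patched'."""
    version = parse_exim_version(text)
    if version is None:
        return "not-exim"
    return "update-required" if version < FIXED_VERSION else "patched"


if __name__ == "__main__":
    # Constructed sample inputs; real ones come from `exim -bV` on the host
    # or from the 220 greeting the server sends when you connect on port 25.
    samples = [
        "220 mail.example.test ESMTP Exim 4.89 Tue, 13 Feb 2018 10:00:00 +0000",
        "Exim version 4.90.1 #2 built 13-Feb-2018 09:00:00",
        "220 mail.example.test ESMTP Postfix",
    ]
    for s in samples:
        print(f"{needs_update(s):16} <- {s}")
```

One caveat: Linux distributions often backport security fixes without bumping the upstream version number, so a banner reading "Exim 4.89" on a vendor-patched package may already be fixed. Treat "update-required" from a banner as a prompt to check the package changelog, and treat the local `exim -bV` output as the more reliable of the two sources.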
No exploits targeting the vulnerability have yet been recorded, but the cat’s out of the bag all the same.
David Bennett
Apart from asking one’s host whether they are running Exim, how would one go about finding out whether one’s host is using it?
R0ni
When can we expect these urgent exim patches from Sophos? (I believe quite a number of sophos products use exim)
Paul Ducklin
Only one product uses Exim, namely the Sophos UTM. Info about our patch can be found here:
https://community.sophos.com/kb/en-us/131820
HtH.
John Leslie
BTW in your KB article https://community.sophos.com/kb/en-us/134199# on Exim in XG I can’t go to the OpenWall link as Malwarebytes says the website is iffy. No idea if a false positive, but thought I’d mention it.
Paul Ducklin
You probably need to take that up with Malwarebytes. The detection may well depend on the settings you’ve chosen (or that are their defaults), so we can’t advise you there…
…but it might be because the page we link to is associated with bug disclosures and therefore could be considered a “hacking site”.
The page we link to is just a text-based posting by the finders of the bug that lets you see what they disclosed and how. There’s no exploit code in that particular posting, just a description.