Exim vulnerability opens 400,000 servers to remote code execution

If you’re running the Exim mail transfer agent on Internet-facing Unix-like systems and haven’t yet upgraded to version 4.90.1, now is the time to do it: every earlier version contains a vulnerability that can be exploited to achieve remote code execution.

About the Exim remote code execution vulnerability

The buffer overflow vulnerability in the base64 decode function of Exim (CVE-2018-6789) was discovered and reported by Meh Chang of the DEVCORE research team in early February 2018, and a patch was released five days later.

“Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length,” the DEVCORE team explained in an advisory.

“In addition, this byte is controllable, which makes exploitation more feasible. Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.”
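To make the “specific length” in the advisory concrete, here is an added harness (not code from the article, from DEVCORE or from Exim) that counts the bytes Exim's decode loop stores for a given input and compares them with the `3*(len/4)+1` bytes the advisory says Exim 4.90 reserved; the write pattern is a model of the loop described in the advisory, `safe_alloc` is a rounding-up fix assumed here for contrast, and all inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Buffer size Exim 4.90 reserved for the decoded output, per the DEVCORE advisory. */
size_t exim_490_alloc(size_t len) { return 3 * (len / 4) + 1; }

/* Allocation that rounds the input up to a whole 4-character group: enough for any length. */
size_t safe_alloc(size_t len) { return 3 * ((len + 3) / 4) + 1; }

static int dec64(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                        /* invalid character, including the terminating NUL */
}

/* Models the write pattern of Exim's decode loop: each output byte is stored as soon as the
 * two characters forming it are read, and a truncated final group is rejected only afterwards.
 * Writes are counted but clamped to cap, so this harness never overruns out[] itself.
 * Returns the number of bytes the modelled loop would have written. */
size_t exim_style_writes(const char *code, unsigned char *out, size_t cap) {
    size_t n = 0;
    int x, y;
    while ((x = *code++) != 0) {
        if ((x = dec64(x)) < 0) return n;
        if ((y = dec64(*code++)) < 0) return n;          /* 4n+1 chars: nothing extra stored */
        if (n < cap) out[n] = (unsigned char)((x << 2) | (y >> 4));
        n++;
        if ((x = *code++) == '=') {                      /* "xx==" padding */
            if (*code++ != '=' || *code != 0) return n;
        } else {
            if ((x = dec64(x)) < 0) return n;            /* 4n+2 chars: one extra byte, fits */
            if (n < cap) out[n] = (unsigned char)((y << 4) | (x >> 2));
            n++;
            if ((y = *code++) == '=') {                  /* "xxx=" padding */
                if (*code != 0) return n;
            } else {
                if ((y = dec64(y)) < 0) return n;        /* 4n+3 chars: two extra, one too many */
                if (n < cap) out[n] = (unsigned char)((x << 6) | y);
                n++;
            }
        }
    }
    if (n < cap) out[n] = 0;                             /* terminator only on well-formed input */
    return n + 1;
}

/* Bytes stored beyond the Exim 4.90 allocation for this input (0 means it fits). */
size_t overflow_bytes(const char *code) {
    unsigned char scratch[256];
    size_t written = exim_style_writes(code, scratch, sizeof scratch);
    size_t alloc = exim_490_alloc(strlen(code));
    return written > alloc ? written - alloc : 0;
}
```

Only inputs whose length is 3 more than a multiple of 4 spill a single byte; padded or whole-group inputs, and lengths of 4n+1 or 4n+2, stay within the reserved buffer.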

Public exploit

Exim maintainers previously said that they believe exploiting the flaw would be difficult, and noted that there is no available mitigation for the bug.

On Tuesday the DEVCORE team published a detailed write-up of an exploit it developed against Exim’s SMTP daemon.

They also noted that the bug has been present since the first commit of Exim, so all versions of the software before 4.90.1 are affected.

A March 2017 report showed that approximately 56% of the mail servers visible on the Internet ran Exim.

“According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk,” the team added.