Hot on the heels of a patch for a critical RCE Exim flaw comes another one that fixes a denial of service (DoS) condition (CVE-2019-16928) that could also be exploited by attackers to pull off remote code execution.
With no mitigations available at this time, Exim maintainers urge admins to upgrade to version 4.92.3, which was released on Sunday.
About Exim and the flaw (CVE-2019-16928)
According to E-Soft, Exim is the most widely used mail transfer agent (MTA) software.
Part of its popularity is due to it being bundled with most Unix-like systems.
CVE-2019-16928 is a heap-based buffer overflow in string_vformat (string.c), and affects Exim versions 4.92 – 4.92.2 (but not v4.91 or earlier). It was discovered and reported by the QAX A-Team.
“The flaw can be exploited by an unauthenticated remote attacker who could use a large crafted Extended HELO (EHLO) string to crash the Exim process that receives the message. This could potentially be further exploited to execute arbitrary code on the host,” Tenable researcher Scott Caveza pointed out.
Exim maintainers say that the currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message, but that other paths to reach the vulnerable code may exist.
The PoC exploit code for triggering the DoS condition is documented in the bug report.
Exim flaws are loved by attackers. There is currently no indication that this flaw is being actively exploited, but we can expect exploitation attempts soon enough given that the bug is trivial to trigger.
As mentioned before, Exim v4.92.3 fixes the vulnerability. Ubuntu and Debian have also already released updated Exim packages.
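A quick way to check whether a host still runs an affected upstream build is to parse the version reported by `exim -bV` against the range given above (4.92 through 4.92.2 affected, 4.92.3 fixed). The following is an added example, not code from the Exim project or the article; the sample `exim -bV` output is constructed, and the `exim` binary being on the PATH is an assumption.

```python
import re
import subprocess
from typing import Optional, Tuple

# Range taken from the advisory text: 4.92 <= version < 4.92.3 is affected.
FIRST_AFFECTED = (4, 92)
FIXED_IN = (4, 92, 3)

Version = Tuple[int, ...]

# Constructed sample of what `exim -bV` prints on an unpatched 4.92.2 build.
SAMPLE_BV_OUTPUT = "Exim version 4.92.2 #2 built 20-Sep-2019 09:46:56\n"


def parse_exim_version(text: str) -> Optional[Version]:
    """Pull the dotted upstream version out of `exim -bV` output."""
    match = re.search(r"Exim version (\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Version, width: int) -> Version:
    # Right-pad with zeros so 4.92 compares as 4.92.0 against 4.92.3.
    return version + (0,) * (width - len(version))


def is_affected(version: Version) -> bool:
    """True when the upstream version falls in the CVE-2019-16928 range."""
    width = max(len(version), len(FIXED_IN), len(FIRST_AFFECTED))
    v = _pad(version, width)
    return _pad(FIRST_AFFECTED, width) <= v < _pad(FIXED_IN, width)


def check_local_exim() -> Optional[bool]:
    """Run `exim -bV` on this host; None if exim is missing or unparsable."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_exim_version(proc.stdout)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    print("sample affected:", is_affected(parse_exim_version(SAMPLE_BV_OUTPUT)))
    print("this host affected:", check_local_exim())
```

Distribution packages such as the updated Debian and Ubuntu builds mentioned above backport the fix while still reporting the upstream version (for example 4.92), so on those systems compare the package version from the vendor advisory instead of trusting this upstream check alone.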