RCE flaw in Exim MTA affects half of the email servers online

A critical RCE vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online.

A critical remote code vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online. It has been estimated that as in March 2017, the total number of Internet’s email servers running Exim was over 560,000, that corresponds to 56% of all Mail (MX) Server online.

“We reported an overflow vulnerability in the base64 decode function of Exim on 5 February, 2018, identified as CVE-2018-6789. This bug exists since the first commit of exim, hence ALL versions are affected.” reads the blog post published by security firm Devcore.

“According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.”

According to Shodan, the number of Exim Servers exposed online is more than 4 million, most of them in the US.

The flaw was discovered by the security researcher Meh Chang, which reported it to the Exim maintainers on February 2.

On February 10, the Exim team released Exim version 4.90.1  that addresses the flaw.

The researchers developed an exploit targeting SMTP daemon of Exim leverages a one-byte buffer overflow in the base64 decode function of Exim by tricking memory management mechanism.

“There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested.” reads the security advisory published by the Exim team.

Exim server owners should install the Exim 4.90.1 update as soon as possible.

Below the vulnerability timeline (UTC)

• 2018-02-05 Report from Meh Chang <meh@devco.re> via exim-security mailing list
• 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko) CVE-2018-6789
• 2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list
• 2018-02-08 16:50 Grant restricted access to the security repo for distro maintainers
• 2018-02-09 One distro breaks the embargo
• 2018-02-10 18:00 Grant public access to the our official git repo.

In November the Exim team warned of other flaws through the public bug tracker.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Exim MTA servers, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]