400K+ Exim MTA affected by overflow vulnerability on Linux/Unix

Exim is a free and open source message transfer agent (MTA) developed at the University of Cambridge. It is widely used on Unix and Linux systems connected to the Internet and is freely available under the terms of the GNU General Public Licence. A buffer overflow in the base64d() function of Exim allows a remote, unauthenticated attacker to run code on the mail server. All versions of Exim before 4.90.1 are affected by this overflow vulnerability, tracked as CVE-2018-6789.

Exim MTA affected by overflow vulnerability

Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially execute arbitrary code, via a specially crafted message. The issue is in the base64d() function of the SMTP listener in Exim before 4.90.1: for certain input lengths the decode buffer is allocated one byte too small, so a handcrafted base64 string (for example in an AUTH exchange) overflows it. Although the overflow is only a single byte, it can be turned into remote code execution, as the next section explains.

To estimate the severity of this bug, Meh developed an exploit targeting the SMTP daemon of Exim that achieves pre-auth remote code execution. Leveraging a one-byte overflow requires tricking the memory management mechanism, so basic knowledge of heap exploitation is highly recommended before reading the full write-up. The exploit was developed with:

  • Debian (stretch) and Ubuntu (zesty)
  • SMTP daemon of the Exim4 package installed with apt-get (4.89/4.88)
  • CRAM-MD5 authenticator enabled in the config (it is uncommented in the default config); any other authenticator using base64 also works
  • Basic SMTP commands (EHLO, MAIL FROM/RCPT TO) and AUTH

According to their research, the bug can be leveraged to gain pre-auth remote code execution, and at least 400k servers are at risk. The patched version 4.90.1 has already been released, and we suggest upgrading Exim immediately.
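To make the size bug concrete, here is an added illustrative C model of the base64 decode step. It is written for this page and is not Exim's source. It assumes, based on the public advisory, that the pre-4.90.1 code sized its output buffer as 3*(len/4)+1 bytes (the +1 being a terminating NUL) and that the fix rounds the input length up to a whole quartet first, 3*((len+3)/4)+1. For an unpadded input of length 4n+3 the decoder emits 3n+2 bytes, one more than the 3n+1 allocated. The decoder below keeps the real function's write pattern (it writes the partial tail before noticing the input is malformed) but counts bytes that would land past the buffer instead of writing them, so it runs safely while reporting the exact spill. The sample strings are constructed for the demo.

```c
/* Added example for this page, not Exim's code: models the CVE-2018-6789
 * allocation bug in the base64 decoder used by the SMTP listener.
 * Assumption (from the public advisory): the pre-fix buffer size was
 * 3*(len/4)+1 and the fixed size is 3*((len+3)/4)+1. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-4.90.1 sizing: truncating division forgets a 2- or 3-char tail. */
size_t vuln_alloc(size_t len) { return 3 * (len / 4) + 1; }

/* Fixed sizing: round the length up to whole quartets before multiplying. */
size_t fixed_alloc(size_t len) { return 3 * ((len + 3) / 4) + 1; }

/* Payload bytes a decoder emits for an unpadded input of this length
 * (trailing NUL not counted). A 3-char tail yields 2 bytes: 4n+3 -> 3n+2. */
size_t payload_len(size_t len) {
    size_t tail = len % 4;
    return 3 * (len / 4) + (tail == 3 ? 2 : tail == 2 ? 1 : 0);
}

/* Map one base64 character to its 6-bit value, -1 if not in the alphabet. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Write one output byte if it fits; otherwise count it as spilled. */
static void emit(unsigned char *out, size_t cap, size_t *n, size_t *spill, int b) {
    if (*n < cap) out[*n] = (unsigned char)b; else (*spill)++;
    (*n)++;
}

/* Bounded decoder with the same write-then-check pattern as the real one.
 * Bytes past `cap` are counted in *spill instead of corrupting memory.
 * Returns the payload byte count, or -1 when the input ends in a 1-, 2- or
 * 3-char group without '=' padding (the real function also returns an error
 * here, but only after the offending bytes have already been written). */
long b64decode_model(const char *code, unsigned char *out, size_t cap, size_t *spill) {
    size_t n = 0;
    *spill = 0;
    while (*code) {
        int x = b64val((unsigned char)code[0]);
        int y = code[1] ? b64val((unsigned char)code[1]) : -1;
        if (x < 0 || y < 0) return -1;              /* bad char or lone 1-char tail */
        emit(out, cap, &n, spill, (x << 2) | (y >> 4));
        if (code[2] == '=') {                         /* "xx==" tail */
            if (code[3] != '=' || code[4] != '\0') return -1;
            break;
        }
        int z = code[2] ? b64val((unsigned char)code[2]) : -1;
        if (z < 0) return -1;                         /* 2-char tail: 1 byte already out */
        emit(out, cap, &n, spill, ((y & 0x0f) << 4) | (z >> 2));
        if (code[3] == '=') {                         /* "xxx=" tail */
            if (code[4] != '\0') return -1;
            break;
        }
        int w = code[3] ? b64val((unsigned char)code[3]) : -1;
        if (w < 0) return -1;                         /* 3-char tail: 2 bytes already out (the CVE case) */
        emit(out, cap, &n, spill, ((z & 0x03) << 6) | w);
        code += 4;
    }
    emit(out, cap, &n, spill, 0);                     /* terminating NUL: what the "+1" pays for */
    return (long)n - 1;
}

/* Decode into a buffer sized by the chosen formula; return the spilled byte count. */
size_t spill_for(const char *code, int use_fixed_formula) {
    unsigned char buf[64];                            /* stand-in for the heap block */
    size_t len = strlen(code), spill;
    size_t cap = use_fixed_formula ? fixed_alloc(len) : vuln_alloc(len);
    if (cap > sizeof buf) return (size_t)-1;          /* demo inputs are short */
    b64decode_model(code, buf, cap, &spill);
    return spill;
}

/* Does `code` decode cleanly (no error, no spill) to the NUL-terminated `expected`? */
int decodes_to(const char *code, const char *expected) {
    unsigned char buf[64];
    size_t spill;
    long n = b64decode_model(code, buf, sizeof buf, &spill);
    return n >= 0 && spill == 0 && (size_t)n == strlen(expected)
        && memcmp(buf, expected, (size_t)n + 1) == 0;
}

int main(void) {
    /* Constructed samples: valid quartet, padded tail, and two 4n+3 inputs. */
    const char *samples[] = { "QUJD", "QUJDREU=", "QUJDREU", "QUJDREVGR0h" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t len = strlen(samples[i]);
        printf("%-12s len=%2zu  vuln_alloc=%2zu spill=%zu  fixed_alloc=%2zu spill=%zu\n",
               samples[i], len, vuln_alloc(len), spill_for(samples[i], 0),
               fixed_alloc(len), spill_for(samples[i], 1));
    }
    return 0;
}
```

The interesting rows are the unpadded 7- and 11-character inputs: with the old formula they spill exactly one byte past the allocation, with the corrected formula they do not. On a real heap that single byte lands on the next chunk's metadata, which is the foothold the exploit builds on.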

How to fix the bug on Debian/Ubuntu Linux

You must upgrade your exim4 packages. For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5. Ubuntu users should update to the following versions:

  1. Ubuntu 14.04 LTS (Trusty Tahr): Version 4.82-3ubuntu2.4
  2. Ubuntu 16.04 LTS (Xenial Xerus): Version 4.86.2-2ubuntu2.3
  3. Ubuntu 17.10 (Artful Aardvark): Version 4.89-5ubuntu1.3
  4. Ubuntu 18.04 LTS (Bionic Beaver): Version 4.90.1-1ubuntu1

For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3. Run the apt command/apt-get command to update the system, then verify the installed version and confirm the CVE no longer appears in debsecan's list of unfixed issues (no output from the grep is the good result; debsecan must be installed for this check):
$ sudo apt update
$ sudo apt upgrade
## verify it ##
$ dpkg --list exim4\*
$ debsecan | grep -i CVE-2018-6789

See “If Patch Number ( CVE ) Has Been Applied To Debian/Ubuntu Linux” for more info.

A note about CentOS/RHEL user

CentOS and RHEL 6/7 users (where Exim is provided by the EPEL repository rather than the base channels) should upgrade using the yum command and then check the package changelog for the CVE:
$ sudo yum update
## verify ##
$ rpm -q --changelog exim | grep CVE-2018-6789

There won’t be any fix for CentOS/RHEL version 5.x or older. Fedora users should run the dnf command:
$ sudo dnf update
## verify ##
$ rpm -q --changelog exim | grep CVE-2018-6789

See “If Patch Number ( CVE ) Has Been Applied To RHEL / CentOS Linux” for more info.

A note about cPanel

cPanel patched this bug and shipped the fix in February 2018. You can verify it with the following command; the changelog entry should mention the CVE:
$ rpm -q --changelog exim | grep CVE-2018-6789
See how to upgrade a cPanel server for more info.

Read more:

We suggest that you read the following resources
