October 1, 2019

New Exim vulnerability exposes servers to DoS, RCE risks

A new critical vulnerability in the Exim mail transfer agent (MTA) software has been patched; it could allow denial of service (DoS) or potentially remote code execution attacks.

The CVE-2019-16928 security bug, reported by QAX-A-TEAM, was fixed today in Exim version 4.92.3 and affects all versions from 4.92 up to and including 4.92.2.

“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message,” says the security advisory.

“While in this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist” and “remote code execution seems to be possible,” adds Exim’s security team.

According to the security advisory, there is no known mitigation for this flaw other than updating all vulnerable Exim servers.

This is the second critical Exim bug patched this month. The other, tracked as CVE-2019-15846 and affecting versions 4.80 up to and including 4.92.1, allowed local or unauthenticated remote attackers to execute programs with root privileges on servers that accept TLS connections.

Servers vulnerable to attacks

According to an E-Soft Inc mail server survey, Exim is now the most used MX server, installed on more than 57 percent of the 1,740,809 mail servers reachable from the internet, which represents just over 507,000 Exim servers.

Shodan estimates the server count at approximately 5 million; over 3,300,000 servers run Exim 4.92, 46,000 run 4.92.1, and approximately 166,000 run 4.92.2.

What matters is that, unless patched urgently against CVE-2019-16928 and CVE-2019-15846, hundreds of thousands, if not millions, of servers are currently exposed to denial of service (with possible remote code execution) and remote command execution attacks.
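The two affected version ranges above, together with the CVE-2019-10149 range mentioned later in the article, can be turned into a quick inventory check. The following Python helper is an added example written for this page, not code from the article or from the Exim project; the range table, the `audit_inventory` function and the sample `exim -bV` line are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Upstream version ranges affected by each CVE, as stated in the article
# (inclusive bounds). Constructed for this example; not an official Exim list.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "CVE-2019-16928": ("4.92", "4.92.2"),  # heap overflow in string_vformat
    "CVE-2019-15846": ("4.80", "4.92.1"),  # root RCE via TLS handling
    "CVE-2019-10149": ("4.87", "4.91"),    # remote command execution
}


def parse_version(text: str) -> Version:
    """Extract the first dotted version number from a string such as '4.92.2'
    or the first line of `exim -bV` output, and return it as an int tuple."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def in_range(version: Version, low: Version, high: Version) -> bool:
    """Inclusive comparison that treats '4.92' and '4.92.0' as equal by
    right-padding the shorter tuples with zeros before comparing."""
    width = max(len(version), len(low), len(high))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(low) <= pad(version) <= pad(high)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs whose affected range contains the given Exim version."""
    version = parse_version(version_text)
    return [
        cve
        for cve, (low, high) in AFFECTED_RANGES.items()
        if in_range(version, parse_version(low), parse_version(high))
    ]


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs it is exposed to; hosts with an empty list
    run an upstream version outside every affected range."""
    return {host: affected_cves(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> first line of `exim -bV`.
    sample = {
        "mx1.example.test": "Exim version 4.92.2 #2 built 01-Sep-2019 (constructed)",
        "mx2.example.test": "Exim version 4.91 #1 built 01-Feb-2018 (constructed)",
        "mx3.example.test": "Exim version 4.92.3 #3 built 01-Oct-2019 (constructed)",
    }
    for host, cves in audit_inventory(sample).items():
        print(f"{host}: {'patched' if not cves else ', '.join(cves)}")
```

One caveat when using a check like this: distribution packages often carry backported fixes under the original upstream version string (the advisory quoted at the end of this article mentions exactly that), so a host that the range check flags may already be fixed. Treat the result as a list of hosts to verify against the distribution's changelog, not as proof of exposure.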


Previous attacks on Exim

A flaw tracked as CVE-2019-13917 was patched in July with version 4.92.1; it allowed local or remote attackers to run programs with root privileges on servers in uncommon configurations.

Another security issue, identified in early June as CVE-2019-10149, gives remote attackers access to MX servers running Exim 4.87 to 4.91 in some non-default configurations, while local attackers could exploit all such servers.

One week later, attackers began scanning for and exploiting vulnerable Exim servers, gaining persistent root access via SSH, shortly after about 70% of all Exim servers had been patched against CVE-2019-10149, as found by RiskIQ Threat Researcher Yonathan Klijnsma.

CVE-2019-10149 patch timeline (RiskIQ)

Microsoft also issued an alert on June 17 about a Linux worm actively targeting vulnerable Exim versions on Azure Linux VMs.

“If you cannot install the above versions, ask your backported fix package maintainer for a variant,” says the Exim Security Team in today’s advisory.

“We will assist you with backporting the fix on request and depending on our resources (note that the Exim project formally does not support the versions prior to the present stable version).”
