Analysis of recent Exim mail server vulnerabilities

Ioana Daniela Rijnetu, Pentest-Tools.com
Oct 16, 2019

Over the past few months, multiple critical vulnerabilities were found in Exim mail servers that could allow attackers to gain remote access and perform malicious activities: CVE-2019-16928, CVE-2019-15846 and CVE-2019-10149.

In this article, we’ll analyze these vulnerabilities and try to understand their root causes. We’ll also find out which systems were affected and why Exim mail servers need to be patched immediately.

What is Exim?

Exim is one of the most popular open-source mail transfer agents (MTAs) used on Unix systems; according to a recent Mail (MX) Server Survey, it is deployed on 57% of all email servers on the Internet. This makes Exim a very attractive target for attackers.

Being free and highly configurable, Exim is widely run on operating systems such as Linux, Mac OS X and Solaris. The number of active servers is estimated at over 5 million, according to a report based on the Shodan search engine.

Analysis of Exim vulnerabilities

CVE-2019-16928

For the second time in September, the maintainers of the Exim project had to release an urgent patch for a critical security flaw found in the mail server.

Tracked as CVE-2019-16928, the flaw was first reported by QAX-A-TEAM and described as a heap-based overflow vulnerability. It could potentially let attackers launch denial of service (DoS) or remote code execution attacks against affected mail servers.

The vulnerability is a heap-based buffer overflow (memory corruption) in string_vformat, part of string.c, which is used by the EHLO (or HELO) command handler.

In practice, this could let unauthenticated remote attackers execute arbitrary system commands by sending a specially crafted EHLO string to the target mail server, or crash the Exim process that is receiving the message.

“While at this mode of operation, Exim already dropped its privileges, other paths to reach the vulnerable code may exist. Remote code execution seems to be possible”, said the Exim advisory.

If an attacker succeeds in gaining access to the target server, they can install programs, view, change or delete sensitive data, and even create new accounts with full user privileges.

The Exim maintainers have already released a security patch for this vulnerability, included in Exim 4.92.3. Alongside the fix, a proof of concept that triggers the flaw was also published.
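A defender's first step is finding which hosts still advertise a pre-4.92.3 Exim. The triage script below is an added example, not code from the article or the Exim project: it parses the version from SMTP greeting banners (constructed samples, with placeholder hostnames) and flags anything older than the 4.92.3 release named above, with the caveat that distributions often backport fixes without changing the version string, so a flag means "verify", not "confirmed vulnerable".

```python
import re

# Constructed example: triage SMTP greeting banners for Exim versions older
# than 4.92.3, the release the article names as carrying the CVE-2019-16928 fix.
FIXED_VERSION = (4, 92, 3)

# Exim greets with e.g. "220 host ESMTP Exim 4.92.2 <date>"; the patch
# component is optional ("Exim 4.92").
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_exim_version(banner):
    """Return the (major, minor, patch) tuple from an Exim banner, or None."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_patch(banner):
    """True if the advertised Exim version predates 4.92.3, False if not,
    None when the banner is not Exim or hides its version.

    Caveat: distributions often backport fixes without bumping the version
    string, so True means "verify on the host", not "confirmed vulnerable".
    """
    version = parse_exim_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(banners):
    """Map each banner to 'patch', 'ok' or 'unknown' for an inventory report."""
    labels = {True: "patch", False: "ok", None: "unknown"}
    return {banner: labels[needs_patch(banner)] for banner in banners}


if __name__ == "__main__":
    # Constructed sample banners; hostnames are placeholders, not real hosts.
    samples = [
        "220 mx1.example.test ESMTP Exim 4.92.2 Tue, 15 Oct 2019 10:00:00 +0000",
        "220 mx2.example.test ESMTP Exim 4.92.3 Wed, 16 Oct 2019 10:00:00 +0000",
        "220 mx3.example.test ESMTP Exim 4.92 Mon, 14 Oct 2019 10:00:00 +0000",
        "220 mx4.example.test ESMTP Postfix",
    ]
    for banner, verdict in triage(samples).items():
        print(f"{verdict:8} {banner}")
```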

Find out more details about the other two vulnerabilities by reading the full article on the Pentest-Tools.com blog.
