About half a million email systems running the hugely popular Exim Mail Transfer Agent (MTA) have yet to be patched for a potentially dangerous security flaw made public earlier this week.
Disclosed to the software’s maintainers in early February by Meh Chang, from security firm Devcore Security Consulting, the Exim vulnerability is a one-byte buffer overflow in the software’s Base64 decoding.
Base64 decoding is such a fundamental function that the bug can be triggered easily, leading to remote code execution.
The researcher’s proof-of-concept exploit targeted this through the preamble to the SMTP daemon’s authentication process, before any emails are sent or received.
Generally, the bug is harmless because the memory overwritten is usually unused. However, when the input string is of a specific length, that one byte overwrites critical data.
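The sizing error behind a one-byte overflow of this kind, shown here as an added illustration and not as Exim's own code: the publicly reported flaw computed the output buffer as 3*(len/4)+1 bytes, which is one byte short whenever the Base64 input is 4n+3 characters long (it decodes to 3n+2 bytes). The simplified decoder below is a stand-in that refuses to write past its buffer, and the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Output-buffer size as the flawed allocation computed it: 3*(len/4)+1.
 * An input of 4n+3 characters decodes to 3n+2 bytes, one more than this. */
size_t b64_alloc_flawed(size_t len) { return 3 * (len / 4) + 1; }

/* Corrected sizing: round the character count up to a whole 4-char group. */
size_t b64_alloc_fixed(size_t len) { return 3 * ((len + 3) / 4) + 1; }

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Bounds-checked decoder for unpadded Base64 ('=' ends the input).
 * Returns bytes written, -1 on a bad character, or -2 if the output would
 * not fit in `cap` bytes: the hardened form stops instead of writing past
 * the buffer, whatever size the caller happened to allocate. */
long b64_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    uint32_t acc = 0;           /* pending bits, fewer than 8 between bytes */
    int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -2;            /* would overflow: refuse */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (long)n;
}

/* Decode `in` into a heap buffer sized by `alloc` and report the outcome.
 * Constructed input "QUJDREU" (7 chars, "ABCDE") hits the 4n+3 case. */
long decode_with_sizing(const char *in, size_t (*alloc)(size_t))
{
    size_t cap = alloc(strlen(in));
    unsigned char *buf = malloc(cap);
    long r = buf ? b64_decode(in, buf, cap) : -3;
    free(buf);
    return r;
}
```

With the flawed sizing the 7-character input is rejected by the bounds check (an unchecked decoder would have written the fifth byte past the end); with the corrected sizing it decodes fully.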
This prompted Exim’s developers to respond:
Currently we’re unsure about the severity, we *believe* an exploit is difficult. A mitigation isn’t known.
By which they mean that defending against the flaw requires an update rather than a configuration tweak. The flaw is referenced as CVE-2018-6789, and the updated version, 4.90.1, was first made available on 10 February.
The main takeaway is that this flaw affects all Exim versions going back to its first appearance in 1995 as a University of Cambridge Computing Service project to build a sophisticated alternative to the older Sendmail.
Would it really be hard to exploit? Granted, the PoC design involves a sophisticated sequence of memory manipulation, but the MO is now in the public domain, forever.
The clock is ticking for unpatched servers, and it’s probably best not to wait to find out whether somebody can turn a remotely triggerable bug into an RCE.
Devcore put the number of vulnerable systems at “at least 400k servers”.
One up-to-date survey puts the number of public-facing email servers on the Internet at around 1.9 million, half of which identified the software they were running. Of these, 560,000 (or 57%) were running Exim, putting it way ahead of Postfix and the now rapidly declining Sendmail. Some of those systems will already have been patched, though.
Shodan, the search engine for internet-connected systems, pins the number of Exim servers in the low millions.
Exim is the sort of software it would be easy to ignore, even after a slight quickening in the number of flaws reported in it in the last year or so. Given its huge popularity, applying the update should be considered an urgent matter.
No exploits targeting the vulnerability have yet been recorded, but the cat’s out of the bag all the same.