A ‘critical’ security vulnerability has been discovered in the Exim mail server that requires admins’ urgent attention.
The flaw (CVE-2019-15846) affects all versions from 4.80 up to and including 4.92.1. Exim’s maintainers have offered only a general description of it; it was discovered in July 2019 by a researcher identified as ‘Zerons’.
Subsequently confirmed by engineers working for Qualys, the flaw is a buffer overflow in the part of the TLS negotiation that handles Server Name Indication (SNI). SNI is the TLS extension by which a connecting client names the host it wants to reach, so that a server fronting multiple TLS-secured services behind the same IP address can present the correct certificate and direct the connection to the right place.
It’s as serious a flaw as it’s possible to imagine in a mail server, because an attacker could exploit it either locally or from the internet, with no special privileges, simply by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.
Alternatively, attackers could achieve the same result – root on the target – using a crafted client TLS certificate.
Currently, there are no reports of the flaw being exploited in the wild; the only known exploit is believed to be a proof of concept. Nevertheless, as the maintainers put it:
If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected.
What to do
Exim is easily the most popular open-source mail server on the internet, accounting, by some estimates, for almost 60% of those visible from the outside.
An unwise few might not have TLS turned on, but all Exim admins are advised to update to 4.92.2, which fixes the issue (disabling TLS also removes the problem, but is not recommended).
Exim servers running versions earlier than 4.80 (2012), where the vulnerable code first appeared, are not at risk from this flaw, but they remain exposed to a number of others, such as the CVE-2018-6789 remote code execution flaw from last year.
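A first-pass check an admin could run over the output of `exim -bV`, added here as an example rather than code from Exim or the advisory. It assumes the version line reads `Exim version 4.92 #3 built ...` and that the `Support for:` line names the compiled-in TLS library (`OpenSSL` or `GnuTLS`); the affected range is the inclusive 4.80 to 4.92.1 stated above, and the sample outputs are constructed.

```python
import re

# Inclusive range affected by CVE-2019-15846, as given in the article.
FIRST_AFFECTED = (4, 80, 0)
LAST_AFFECTED = (4, 92, 1)
FIXED_IN = (4, 92, 2)


def parse_version(bv_output):
    """Extract (major, minor, patch) from `exim -bV` output.

    Assumes a line such as 'Exim version 4.92 #3 built 05-Sep-2019 ...';
    the '#N' build counter is not part of the version and is ignored.
    """
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def tls_library(bv_output):
    """Return 'OpenSSL', 'GnuTLS' or None from the 'Support for:' line (assumed format)."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.MULTILINE)
    if not m:
        return None
    features = m.group(1).split()
    return next((lib for lib in ("OpenSSL", "GnuTLS") if lib in features), None)


def assess(bv_output):
    """Classify a build: the bug does not depend on which TLS library is used,
    only on whether TLS can be accepted at all, so either library counts."""
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    affected = FIRST_AFFECTED <= version <= LAST_AFFECTED
    if not affected:
        status = "not in the affected range"
    elif lib is None:
        status = "affected version, but built without TLS support"
    else:
        status = "vulnerable if TLS connections are accepted; update to 4.92.2"
    return {"version": version, "tls": lib, "affected": affected, "status": status}


# Constructed sample, not captured from a real host.
SAMPLE_BV = (
    "Exim version 4.92 #3 built 14-Feb-2019 10:00:00\n"
    "Support for: crypteq iconv() IPv6 PAM Perl OpenSSL DKIM DNSSEC\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_BV))
```

Distribution packages often backport security fixes without changing the upstream version string, so treat a match here as a prompt to check the package changelog, not as a final verdict.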
Note. The Sophos UTM and Sophos XG Firewall products use Exim, but strip out the SNI string before it gets to Exim so this bug can’t be triggered. (See Sophos Knowledge Base article 134597.) We’re going to apply the patch, but it will arrive in a scheduled maintenance release rather than as an ‘out-of-band’ emergency update.