Exim suffers another ‘critical’ remote code execution flaw

Remember the critical remote code execution (RCE) vulnerability in the Exim email server, CVE-2019-15846, from mid-September?

Barely two weeks later, and the software’s maintainers have issued an advisory for another potentially troublesome bug, identified as CVE-2019-16928, which has been given the same critical rating.

Affecting all Exim versions between and including 4.92 to 4.92.2, this one’s described as:

A heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.

The “currently known exploit” refers to a proof of concept created by QAX A-Team, which first reported the flaw.

This could lead to at least a denial of service crash in the software but also, more worryingly, the possibility of remote code execution.

The flaw isn’t being targeted in the wild yet, but there is a risk this might be a matter of time given that it looks relatively easy to exploit.

It’s not as if there aren’t plenty of Exim mail transfer agents to aim at – Shodan estimates the number running vulnerable versions to be around the 3.5 million mark, just over half the email servers on the internet.

Fixing the bug was simple enough, wrote Exim developer, Jeremy Harris:

It’s a simple coding error, not growing a string by enough.  One-line fix.

However, there are no mitigations for the bug so it’s a case of applying the patched version 4.92.3 as soon as possible.

Keeping up

Exim’s been in the wars recently. In addition to this week’s CVE-2019-16928 and last month’s CVE-2019-15846, July saw another RCE in the form of CVE-2019-13917, which arrived only weeks after CVE-2019-10149, a flaw leading to remote command execution.

All unpatched flaws matter but given the history of attackers targeting Exim, perhaps these matter more than most – attacks targeting CVE-2019-10149 were detected within a week of the flaw becoming public knowledge, for instance.

Earlier this year, Exim admins were prompted to hurry up and patch CVE-2018-6789, a flaw from February that at least half a million servers hadn’t patched weeks later.