Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Critical Code Execution Flaw Found in Exim

Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.

Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.

Exim is an open source MTA for Unix systems created at the University of Cambridge. An analysis of more than one million mail servers conducted back in March showed that over 56 percent of them had been running Exim.

A researcher who uses the online moniker “Meh,” a member of the research team at Taiwan-based security firm DEVCORE, discovered that Exim is affected by a couple of potentially serious vulnerabilities.

One of them, tracked as CVE-2017-16943 and classified as critical, is a use-after-free bug related to a feature called “chunking.” It allows a remote attacker to execute arbitrary code or cause a DoS condition via specially crafted BDAT commands.

Chunking is a feature that allows sending emails in chunks. BDAT commands specify the length of the binary data packet so that the Simple Mail Transfer Protocol (SMTP) host does not have to continuously scan for the end of the data.

Sending specially crafted BDAT commands to the targeted mail server can trigger the use-after-free vulnerability and allow an attacker to execute arbitrary code. There are reportedly more than 400,000 servers with the vulnerable chunking feature visible on the Internet.

Advertisement. Scroll to continue reading.

The second flaw discovered by Meh is CVE-2017-16944, a high severity issue that allows a remote attacker to cause a DoS condition using specially crafted BDAT commands.

In the advisory informing Exim users of the vulnerability, developers said the issue had been disclosed publicly before a patch could be released. Meh said he did not find an email address for privately reporting security holes so he reported it via the Exim bug tracker. However, the bug tracker did not have an option for setting reports to private and the researcher wrongly assumed that security bugs are set to private by default. Exim developers have taken steps to prevent such incidents in the future.

The details of the code execution vulnerability, along with proof-of concept (PoC) code, were posted to the Exim Bugzilla on November 23. A workaround that involves disabling the chunking feature and a patch were made available within two days. Only the source code patch is available – the fix for CVE-2017-16943 will likely be included in the next release.

Exim is currently at version 4.89 and the flaw was apparently introduced in 4.88 when the chunking feature was added. Developers are still working on a patch for CVE-2017-16944.

Just over a dozen vulnerabilities have been identified in Exim since 2010, and only five of them, reported several years ago, allow remote code execution without authentication.

Related: Bug Caused Microsoft Outlook to Send Emails in Cleartext

Related: Flaw Allowed Hackers to Steal Emails From Verizon Users

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.