Critical Code Execution Flaw Found in Exim

Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.

Exim is an open source MTA for Unix systems created at the University of Cambridge. An analysis of more than one million mail servers conducted back in March showed that over 56 percent of them had been running Exim.

A researcher who uses the online moniker “Meh,” a member of the research team at Taiwan-based security firm DEVCORE, discovered that Exim is affected by a couple of potentially serious vulnerabilities.

One of them, tracked as CVE-2017-16943 and classified as critical, is a use-after-free bug related to a feature called “chunking.” It allows a remote attacker to execute arbitrary code or cause a DoS condition via specially crafted BDAT commands.

Chunking is a feature that allows sending emails in chunks. BDAT commands specify the length of the binary data packet so that the Simple Mail Transfer Protocol (SMTP) host does not have to continuously scan for the end of the data.

Sending specially crafted BDAT commands to the targeted mail server can trigger the use-after-free vulnerability and allow an attacker to execute arbitrary code. There are reportedly more than 400,000 servers with the vulnerable chunking feature visible on the Internet.

The second flaw discovered by Meh is CVE-2017-16944, a high severity issue that allows a remote attacker to cause a DoS condition using specially crafted BDAT commands.

In the advisory informing Exim users of the vulnerability, developers said the issue had been disclosed publicly before a patch could be released. Meh said he did not find an email address for privately reporting security holes so he reported it via the Exim bug tracker. However, the bug tracker did not have an option for setting reports to private and the researcher wrongly assumed that security bugs are set to private by default. Exim developers have taken steps to prevent such incidents in the future.

The details of the code execution vulnerability, along with proof-of concept (PoC) code, were posted to the Exim Bugzilla on November 23. A workaround that involves disabling the chunking feature and a patch were made available within two days. Only the source code patch is available – the fix for CVE-2017-16943 will likely be included in the next release.

Exim is currently at version 4.89 and the flaw was apparently introduced in 4.88 when the chunking feature was added. Developers are still working on a patch for CVE-2017-16944.

Just over a dozen vulnerabilities have been identified in Exim since 2010, and only five of them, reported several years ago, allow remote code execution without authentication.

Related: Bug Caused Microsoft Outlook to Send Emails in Cleartext

Related: Flaw Allowed Hackers to Steal Emails From Verizon Users