Exim is often found running on Ubuntu and Debian servers (on the latter it’s configured to be the default MTA), and is the mail transport agent used in the ubiquitous cPanel web hosting control panel.
A recent study found that Exim was running on over 56% of all of the publicly accessible mail servers on the internet.
The buffer overflow vulnerability in Exim was discovered by security researcher Meh Chang on 5 February 2018, and a security update (version 4.90.1) was released five days later.
Chang fears that many vulnerable systems still have not installed the patch, and that “at least 400,000 servers are at risk.”
The risk is that a malicious attacker might exploit the buffer overflow in Exim’s handling of base64 authentication by sending out a boobytrapped mail message.
According to Chang, such an attack could be used to run arbitrary code or as part of a denial-of-service attack.
“Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.”
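The length condition Chang describes is worth seeing in code. The decoder below is an added example written for this article, not Exim's source: it shows why a base64 output buffer must be sized from the exact decoded length, since an unpadded input whose length is 3 mod 4 decodes to two bytes from its trailing group, one more than a shortcut estimate of the form `3*(len/4)+1` allows. That shortcut (`b64_naive_len`) is included only as an assumed illustration of the mistake, and the inputs are constructed; the safe decoder checks the exact length against the caller's capacity before writing a single byte, so an undersized buffer becomes an error instead of a one-byte overwrite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exact number of bytes an unpadded base64 string of `len` characters
 * decodes to.  len % 4 == 2 carries 12 bits (1 byte), len % 4 == 3
 * carries 18 bits (2 bytes).  A lone trailing character is invalid. */
size_t b64_decoded_len(size_t len) {
    size_t rem = len % 4;
    if (rem == 1) return (size_t)-1;
    return 3 * (len / 4) + (rem == 0 ? 0 : rem - 1);
}

/* Assumed illustration of a too-short estimate: it is exact for
 * len % 4 == 0 and 2, but one byte short when len % 4 == 3. */
size_t b64_naive_len(size_t len) { return 3 * (len / 4) + 1; }

/* Map one base64 alphabet character to its 6-bit value, -1 if invalid. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `in` (padded with '=' or not) into `out`, which holds `outcap`
 * bytes.  Returns bytes written, or -1 on invalid input or when the exact
 * decoded length would not fit.  The bounds check precedes every write. */
long b64_decode(const char *in, unsigned char *out, size_t outcap) {
    size_t len = strlen(in);
    while (len > 0 && in[len - 1] == '=') len--;   /* strip padding */
    size_t need = b64_decoded_len(len);
    if (need == (size_t)-1 || need > outcap) return -1;

    size_t o = 0;
    uint32_t acc = 0;   /* bit accumulator; only the low bits+8 bits are read */
    int bits = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)o;
}

/* Self-check helper: decode `in` into a `cap`-byte region of a local
 * buffer and report whether the result equals `expect` (length `n`). */
int b64_check(const char *in, size_t cap, const char *expect, size_t n) {
    unsigned char buf[64];
    if (cap > sizeof buf) return 0;
    long got = b64_decode(in, buf, cap);
    return got == (long)n && memcmp(buf, expect, n) == 0;
}

int main(void) {
    /* Constructed inputs: "TWFu" -> "Man", "TWE" -> "Ma". */
    printf("len 3: exact=%zu naive=%zu\n", b64_decoded_len(3), b64_naive_len(3));
    printf("\"TWE\" into 2 bytes: %s\n", b64_check("TWE", 2, "Ma", 2) ? "ok" : "refused");
    printf("\"TWE\" into 1 byte:  %s\n", b64_check("TWE", 1, "Ma", 2) ? "ok" : "refused");
    return 0;
}
```

The useful habit this demonstrates is that the capacity check belongs inside the decoder, computed from the actual input, not in the caller's guess about how long the output will be.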
A patch has been available for the last month, and organisations which already have a regime of regular patching should already have addressed the vulnerability and have nothing to fear.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.