Meh, 2017-12-11
Link: https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/
On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service (DoS) vulnerability.
About Exim
Exim is a message transfer agent (MTA) used on Unix systems. Exim is an open source project and is the default MTA on Debian GNU/Linux systems. According to our survey, there are about 600k SMTP servers running exim on 21st November, 2017 (data collected from scans.io). Also, a mail server survey by E-Soft Inc. shows over half of the mail servers identified are running exim.
Affected
- Exim version 4.88 & 4.89 with chunking option enabled.
- According to our survey, about 150k servers affected on 21st November, 2017 (data collected from scans.io).
Vulnerability Details
Through our research, the following vulnerabilies were discovered in Exim. Both vulnerabilies involve in BDAT command. BDAT is an extension in SMTP protocol, which is used to transfer large and binary data. A BDAT command is like BDAT 1024 or BDAT 1024 LAST. With the SIZE and LAST declared, mail servers do not need to scan for the end dot anymore. This command was introduced to exim in version 4.88, and also brought some bugs.
- Use-after-free in receive_msg leads to RCE (CVE-2017-16943)
- Incorrect BDAT data handling leads to DoS (CVE-2017-16944)