CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable


Exim Internet Mailer, the popular message transfer agent (MTA) for Unix hosts found on nearly 5 million systems, is back in the news. Earlier this month, CVE-2019-15846, a critical remote code execution (RCE) flaw, was patched in Exim 4.92.2. In June, Tenable blogged about CVE-2019-10149, another RCE, which saw exploit attempts within a week of public disclosure. On September 28, Exim maintainers published an advance notice concerning a new vulnerability in Exim 4.92 up to and including 4.92.2. From our analysis of Shodan results, over 3.5 million systems may be affected.

 

CVE-2019-16928 is a heap-based buffer overflow vulnerability due to a flaw in string_vformat() found in string.c. As noted in the bug report, the flaw was a simple coding error where the length of the string was not properly accounted for, leading to a buffer overflow condition. The flaw can be exploited by an unauthenticated remote attacker who could use a large crafted Extended HELO (EHLO) string to crash the Exim process that receives the message. This could potentially be further exploited to execute arbitrary code on the host. The flaw was found internally by the QAX A-Team, who submitted the patch. However, the bug is trivial to exploit, and it’s likely attackers will begin actively probing for and attacking vulnerable Exim MTA systems in the near future.

 

The Exim team released version 4.92.3 on September 29 to address CVE-2019-16928. Administrators are encouraged to upgrade as soon as possible. No mitigations exist at this time.

 

To read the full analysis by Tenable click here.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: