vSOC SPOT Report: Exim Remote Code Execution Vulnerability

Overview

On March 6th, 2018, a security researcher by the name of Meh Chang of Devcore, a Taiwanese security consulting firm, published a remote code execution vulnerability that is present in the mail transfer agent, Exim. Exim is a mail transfer agent (MTA for short) for Unix servers that was developed at the University of Cambridge. Its use is very widespread, estimated to be used on hundreds of thousands of different servers, and it is the default mail transfer agent on some popular web control panels, such as cPanel. It is also the default mail transfer agent in the Debian and Ubuntu Linux distributions. Due to the widespread use of Exim, we believe this vulnerability is particularly dangerous. The vulnerability was first disclosed to Exim on February 2nd, 2018, and a patch was published on February 10th to resolve this issue. This vulnerability is currently being tracked under CVE-2018-6789.

Attack Details

The attack exploits the Base64 decode function of the Exim MTA. The AUTH function of Exim, in most cases, uses Base64 encoding to communicate with the client. Exim uses a buffer to store the decoded Base64 data. Chang found that it was possible to use a certain invalid Base64 string to cause Exim to allocate less space for the buffer than it consumed, creating a buffer overflow. Normally this buffer overflow is harmless, but it is possible to craft the Base64 string to a certain length to overwrite critical data.

Remote execution is possible depending on the use of the Access Control List (ACL) strings in Exim. Chang found that it was possible to overwrite the ACL strings, and then initiate an ACL Check using the ‘MAIL FROM’ SMTP command. When an ACL Check is performed, any code in these strings will be executed if it encounters ${run{cmd}}.

Potential Impact

There have been no known active exploits or proofs of concept of this vulnerability, but this is expected to change in the days following the disclosure due to the ease of exploiting it. Also, the estimated number of machines affected by this vulnerability is very high. A successful exploit of this vulnerability could allow the attacker to gain full access to the mail server. This could then be used to compromise privileged information through the use of reading emails, or the copying, modifying, sending, or deleting of email. This server can then be used as a launching point for further attacks within your network. Even if you are not using Exim within your environment for mail, you could still be vulnerable if Exim is installed and there are open SMTP ports that allow incoming mail.

What You Should Do

Exim has already published Exim 40.9.1 to fix this vulnerability. ALL versions of Exim prior to 40.9.1 are vulnerable to this. Patches are available for Debian, Fedora, SuSE, and Ubuntu Linux distributions as standard packages. Some vulnerability scanners have already added checks for this vulnerability, such as Qualys, Rapid7 and Tenable. We would recommend you review your environment for any indication of vulnerable mail servers and ensure these are updated

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

• https://www.bleepingcomputer.com/news/security/vulnerability-affects-half-of-the-internets-email-servers/
• https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/