A critical remote code vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online. It has been estimated that as in March 2017, the total number of Internet’s email servers running Exim was over 560,000, that corresponds to 56% of all Mail (MX) Server online.
“We reported an overflow vulnerability in the base64 decode function of Exim on 5 February, 2018, identified as CVE-2018-6789. This bug exists since the first commit of exim, hence ALL versions are affected.” reads the blog post published by security firm Devcore.
“According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.”
According to Shodan, the number of Exim Servers exposed online is more than 4 million, most of them in the US.
The flaw was discovered by the security researcher Meh Chang, which reported it to the Exim maintainers on February 2.
On February 10, the Exim team released Exim version 4.90.1 that addresses the flaw.
The researchers developed an exploit targeting SMTP daemon of Exim leverages a one-byte buffer overflow in the base64 decode function of Exim by tricking memory management mechanism.
“There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested.” reads the security advisory published by the Exim team.
Exim server owners should install the Exim 4.90.1 update as soon as possible.
Below the vulnerability timeline (UTC)
In November the Exim team warned of other flaws through the public bug tracker.
(Security Affairs – Exim MTA servers, RCE)