Exim is a free and open source message transfer agent (MTA) developed at the University of Cambridge. It is widely used on Unix and Linux systems connected to the Internet and is freely available under the terms of the GNU General Public Licence. There is a buffer overflow in the base64d() function of Exim that allows an attacker to run code remotely. All versions of Exim before 4.90.1 are affected by this overflow vulnerability, tracked as CVE-2018-6789.
Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially execute arbitrary code, via a specially crafted message. The issue is in the base64d() function of the SMTP listener in Exim before 4.90.1: by sending a handcrafted message, an attacker can trigger a one-byte buffer overflow, which can be leveraged to execute code remotely.
To estimate the severity of this bug, Meh developed an exploit targeting the SMTP daemon of Exim. The exploitation technique used to achieve pre-auth remote code execution is described in the original write-up. Leveraging this one-byte overflow requires tricking Exim's memory management, so basic knowledge of heap exploitation is recommended before reading that section.
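To make the arithmetic behind that one-byte overflow concrete, here is an added C example written for this page; it is not Exim's code. It assumes the allocation formula 3*(len/4)+1 that the public analysis attributes to the vulnerable base64d(), uses its own minimal unpadded base64 decoder as a stand-in for that function, and the safe_alloc_len bound is a suggestion of this page rather than a quote of the upstream fix. The sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exact number of bytes an unpadded base64 string of n characters
 * decodes to: each character carries 6 bits, so floor(6n/8) = floor(3n/4).
 * For n = 4k+3 this is 3k+2. */
size_t b64_decoded_len(size_t n) { return (3 * n) / 4; }

/* Buffer size the vulnerable code reserved, as described in the public
 * analysis of CVE-2018-6789 (assumption of this example): 3*(len/4) + 1.
 * For n = 4k+3 that is 3k+1, one byte short of the 3k+2 bytes produced. */
size_t vuln_alloc_len(size_t n) { return 3 * (n / 4) + 1; }

/* A safe bound (this page's own suggestion, not Exim's patch): the exact
 * worst case plus one byte for a terminator. */
size_t safe_alloc_len(size_t n) { return b64_decoded_len(n) + 1; }

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal unpadded base64 decoder standing in for base64d().  Like the
 * original it trusts the caller to have sized dst; it writes exactly
 * b64_decoded_len(strlen(src)) bytes.  Returns bytes written, or -1 on a
 * character outside the alphabet. */
long b64_decode(const char *src, unsigned char *dst)
{
    unsigned int acc = 0;
    int bits = 0;
    long out = 0;
    for (; *src; src++) {
        int v = b64_val((unsigned char)*src);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            dst[out++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;   /* keep only the leftover low bits */
        }
    }
    return out;
}

/* Decode src into a buffer sized with the vulnerable formula and report how
 * many bytes land past its end.  The buffer is over-allocated by GUARD bytes
 * so the overrun stays inside real memory (observable, not undefined). */
size_t overrun_with_vuln_alloc(const char *src)
{
    enum { GUARD = 16 };
    size_t n = strlen(src);
    size_t cap = vuln_alloc_len(n);
    unsigned char *buf = malloc(cap + GUARD);
    if (!buf) return 0;
    long written = b64_decode(src, buf);
    free(buf);
    if (written < 0 || (size_t)written <= cap) return 0;
    return (size_t)written - cap;
}

int main(void)
{
    /* Constructed inputs of 6, 7 and 8 characters (4k+2, 4k+3 and 4k). */
    const char *samples[] = { "QUJDRA", "QUJDRAA", "QUJDRAAA" };
    for (size_t i = 0; i < 3; i++) {
        size_t n = strlen(samples[i]);
        printf("len=%zu decoded=%zu vuln_alloc=%zu safe_alloc=%zu overrun=%zu\n",
               n, b64_decoded_len(n), vuln_alloc_len(n), safe_alloc_len(n),
               overrun_with_vuln_alloc(samples[i]));
    }
    return 0;
}
```

For the 7-character input the decoder produces 5 bytes while the vulnerable formula reserves 4; that single spilled byte is what the exploit builds on. The guard padding only keeps the demonstration memory-safe; in a real allocator that byte lands in whatever chunk neighbours the buffer, which is why the write-up needs heap grooming before the overflow is useful.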
We developed the exploit with:
According to our research, it can be leveraged to gain pre-auth remote code execution, and at least 400k servers are at risk. The patched version 4.90.1 has already been released and we suggest upgrading Exim immediately.
Debian and Ubuntu users must upgrade their exim4 packages. For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5. For the stable distribution (stretch), it has been fixed in version 4.89-2+deb9u3. Run the apt command/apt-get command to update the system and verify the fix:
$ sudo apt update
$ sudo apt upgrade
## verify it ##
$ dpkg --list exim4\*
$ debsecan | grep -i CVE-2018-6789
See “If Patch Number (CVE) Has Been Applied To Debian/Ubuntu Linux” for more info.
CentOS and RHEL 6/7 users should upgrade their server using the yum command (on these distributions Exim ships from the EPEL repository, so make sure it is enabled):
$ sudo yum update
## verify ##
$ rpm -q --changelog exim | grep CVE-2018-6789
There won’t be any fix for CentOS/RHEL version 5.x or older. Fedora users should run the dnf command:
$ sudo dnf update
## verify ##
$ rpm -q --changelog exim | grep CVE-2018-6789
See “If Patch Number (CVE) Has Been Applied To RHEL / CentOS Linux” for more info.
We suggest that you read the following resources:
The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.