At least 400,000 servers are thought to be running a vulnerable program that can be tricked by a remote hacker into running malicious code. The problem is in versions of the open-source Exim message transfer agent (MTA).

Exim, which was initially developed at the University of Cambridge, may not be a program familiar to the average computer user, but it is far from uncommon.

Exim is often found running on Ubuntu and Debian servers (on the latter it’s configured to be the default MTA), and is the mail transport agent used in the ubiquitous cPanel web hosting control panel.

If you’re in any doubt, consider this: a recent study found that Exim was running on over 56% of all of the publicly accessible mail servers on the internet.

[Figure: mail server chart]

The serious buffer overflow vulnerability in Exim was discovered by security researcher Meh Chang on 5 February 2018, and a security update (version 4.90.1) was released five days later.

Chang fears that many vulnerable systems still have not installed the patch, and “at least 400,000 servers are at risk.”

The risk is that a malicious attacker might exploit the buffer overflow in Exim’s handling of base64 authentication by sending a booby-trapped mail message.

buggy code

According to Chang, such an attack could be used to run arbitrary code or as part of a denial-of-service attack.

“Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.”
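The quote above describes the classic shape of a base64 decoding overflow: the output buffer is sized from whole four-character groups, so inputs whose length is not a multiple of four decode to more bytes than were allocated. The following added example is a generic illustration written for this article, not Exim’s code or its fix, and the `naive_alloc`/`safe_alloc` sizing functions are assumptions for the sake of the demonstration. It computes how many bytes a decoder actually writes for a given input length, shows which lengths a naive size underestimates, and decodes into a correctly sized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes produced when decoding n base64 characters (no '=' padding).
   n % 4 == 1 cannot occur in valid base64 and returns (size_t)-1. */
size_t b64_decoded_len(size_t n) {
    size_t full = (n / 4) * 3;
    switch (n % 4) {
        case 0:  return full;
        case 2:  return full + 1;
        case 3:  return full + 2;
        default: return (size_t)-1;
    }
}

/* Hypothetical sizing that only counts whole groups, plus one NUL byte. */
size_t naive_alloc(size_t n) { return 3 * (n / 4) + 1; }

/* Corrected sizing: round the group count up before multiplying. */
size_t safe_alloc(size_t n) { return 3 * ((n + 3) / 4) + 1; }

/* Bytes a NUL-terminating decoder would write past `alloc`, or 0 if none. */
size_t overrun(size_t n, size_t alloc) {
    size_t need = b64_decoded_len(n);
    if (need == (size_t)-1) return 0;
    need += 1;                       /* terminating NUL */
    return need > alloc ? need - alloc : 0;
}

static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 (padding optional) into `out`, which must hold at least
   safe_alloc(n) bytes. Returns bytes written (NUL excluded) or -1. */
long b64_decode(const char *in, size_t n, unsigned char *out) {
    while (n > 0 && in[n - 1] == '=') n--;   /* strip any padding */
    if (n % 4 == 1) return -1;
    uint32_t acc = 0;
    int bits = 0;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64_value(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    out[o] = 0;
    return (long)o;
}

/* Decode `in` into a safely sized buffer and compare with `expect`. */
int decode_matches(const char *in, const char *expect) {
    size_t n = strlen(in);
    unsigned char *buf = malloc(safe_alloc(n));
    if (!buf) return 0;
    long got = b64_decode(in, n, buf);
    int ok = got >= 0 && (size_t)got == strlen(expect) &&
             memcmp(buf, expect, (size_t)got) == 0;
    free(buf);
    return ok;
}

int main(void) {
    /* Constructed sample lengths: only lengths of the form 4k+2 and 4k+3
       overflow the naive allocation; the safe one never does. */
    puts("len  naive  safe  overrun(naive)  overrun(safe)");
    for (size_t n = 4; n <= 11; n++) {
        if (n % 4 == 1) continue;
        printf("%3zu  %5zu  %4zu  %14zu  %13zu\n", n, naive_alloc(n),
               safe_alloc(n), overrun(n, naive_alloc(n)),
               overrun(n, safe_alloc(n)));
    }
    return decode_matches("TWFu", "Man") ? 0 : 1;
}
```

The table the program prints makes the author’s point concrete: for most lengths the two allocations agree, and the decoder only writes past the naive buffer when the input length leaves a partial group at the end, which is exactly the “specific length” condition described above.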

Exim’s team believe that exploiting the flaw is non-trivial, although Chang has created proof-of-concept exploit code which targets Exim’s SMTP daemon.

Clearly this is not a threat which should be ignored. IT staff responsible for maintaining the security of servers should update their installation of Exim as (Read more...)