Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-17434.
The vulnerability is located in the SMTP service listening by default on TCP port 25, in the authentication (AUTH) handling mechanism. The vulnerability results from lack of proper validation of data supplied by the user, leading to an out-of-bounds write (CWE-787). An attacker can send a specially crafted SMTP packet, causing memory overwrite outside the buffer boundaries and taking control over the process execution flow.
An attacker can execute arbitrary code in the context of the Exim service account, which in practice may mean complete takeover of the mail server. Possible consequences include breach of confidentiality, integrity, and system availability.
Apply patches available from the vendor according to the references. As a temporary workaround, consider restricting access to TCP port 25 only to trusted IP addresses using a firewall and monitoring anomalous SMTP connections.
Exim — versions indicated in the vendor references (vulnerability identified as ZDI-CAN-17434 / ZDI-23-1469)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExim
APPExim< 4.96.1
Related vulnerabilities
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is...
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in delive...
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handc...
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attack...
Exim: use-after-free w parsowaniu BDAT — zdalne wykonanie kodu