On November 25, 2017, Phil Pennock announced that the latest version of Exim fixed two vulnerabilities. These vulnerabilities can be exploited to start a remote code execution (RCE) attack, with a high level of security risk.
See Introduction to Exim for more information about Exim.
See the following for more information about the vulnerabilities.
CVE-2017-16943 and CVE-2017-16944
- CVE-2017-16943: Exim remote command execution vulnerability
- CVE-2017-16944: Exim DoS vulnerability
Remote attackers can craft BDAT commands to run arbitrary code on the SMTP server. The researchers who reported the flaw have also published proof-of-concept (PoC) code written in Python, so anyone can run code on a vulnerable Exim server.
A remote attacker can force Exim into an endless loop so that the server hangs, even after the connection to it is closed. This vulnerability is caused by an improper check on the end-of-message character '.' when parsing BDAT data. The researchers also provided PoC code that exhausts resources and crashes the Exim server.
Condition and method of exploitation
Both vulnerabilities can be exploited remotely, and PoC code is publicly available.
Affected versions: Exim 4.88 and 4.89
Check whether any affected version of Exim is used.
How to fix or mitigate
Add the line chunking_advertise_hosts = to the Exim configuration file, that is, set chunking_advertise_hosts to an empty value. This disables ESMTP CHUNKING and the BDAT command, so the vulnerabilities cannot be exploited.
The fixed version, 4.89.1, has been released on the official website. Upgrade as soon as possible.
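The two checks above (affected version, CHUNKING advertised) as a POSIX shell script, added here as an example and not part of the advisory or of Exim's own tooling. It assumes the exim binary is on the host and uses exim -bV for the version and exim -bP chunking_advertise_hosts for the option value; the parsing is kept in separate functions so it can be run on captured output as well.

```shell
#!/bin/sh
# Added example for this advisory (not Exim's own tooling): decide whether a host
# runs an affected Exim (4.88 or 4.89) and whether the chunking_advertise_hosts
# workaround is in place. Assumes `exim -bV` and `exim -bP <option>` are available.

# Extract "4.89" from the first line of `exim -bV` ("Exim version 4.89 #1 built ...").
parse_exim_version() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Versions named by the advisory; 4.89.1 (the fixed release) deliberately does not match.
exim_version_affected() {
    case "$1" in
        4.88|4.89) return 0 ;;
        *)         return 1 ;;
    esac
}

# `exim -bP chunking_advertise_hosts` prints "chunking_advertise_hosts = <hostlist>".
# An empty host list means CHUNKING/BDAT is never advertised, which is the mitigation.
chunking_disabled() {
    hosts=$(printf '%s\n' "$1" | sed -n 's/^chunking_advertise_hosts *= *//p')
    [ -z "$hosts" ]
}

# Live check: returns 0 when the host is not exposed, 1 when it needs attention.
check_live_host() {
    ver=$(parse_exim_version "$(exim -bV 2>/dev/null)")
    if ! exim_version_affected "$ver"; then
        echo "Exim $ver is not in the affected range"
        return 0
    fi
    if chunking_disabled "$(exim -bP chunking_advertise_hosts 2>/dev/null)"; then
        echo "Exim $ver is affected but does not advertise CHUNKING (mitigated); upgrade to 4.89.1"
        return 0
    fi
    echo "Exim $ver is affected and advertises CHUNKING: set chunking_advertise_hosts = or upgrade"
    return 1
}

# Run the live check only where an exim binary exists; the parsing functions
# above can still be used on captured output on any host.
if command -v exim >/dev/null 2>&1; then
    check_live_host
fi
```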
Exim is a message transfer agent (MTA) developed by Philip Hazel at the University of Cambridge for routing, forwarding, and delivering mail. It runs on most Unix-like systems, such as Solaris, AIX, Linux, and macOS. Compared with other MTAs, Exim is more flexible: it supports string expansion and provides functions such as conditional evaluation and character conversion.