[SingCERT] Advisory on Exim Internet Mailer Vulnerabilities

Published on Thursday, 30 November 2017 18:09

Background

Exim is a popular internet mail message transfer agent that is widely used on Unix-like operating systems.
 
Two critical vulnerabilities (CVE-2017-16943 and CVE-2017-16944) were discovered and publicly disclosed on 26 November 2017. These vulnerabilities could allow an attacker to execute malicious code remotely on affected systems.
 
CVE-2017-16943 is a use-after-free bug in Exim's chunking feature, which allows an email to be broken up and sent in multiple chunks.
 
CVE-2017-16944 is a denial of service (DoS) flaw caused by an improper check for the '.' character that signifies the end of an email when parsing the message data. This vulnerability is also exploitable via the chunking feature.
 
Affected Products include:

Exim versions 4.88 and 4.89
 
Impact

The first vulnerability (CVE-2017-16943) can be exploited by crafting a sequence of malicious commands, allowing an attacker to execute arbitrary code remotely on the Simple Mail Transfer Protocol (SMTP) server. Upon successful exploitation, the attacker can control the server remotely to perform a variety of malicious tasks.
 
The second vulnerability (CVE-2017-16944) allows an attacker to hang Exim servers remotely by forcing them into an infinite loop, even after the connection is closed. This causes the program to crash and could be used to mount a resource-exhaustion DoS attack.
 
Recommendations

System administrators are advised to apply this workaround in the main section of the Exim configuration immediately:
 
  • chunking_advertise_hosts =

    (The empty value after the equal sign disables the vulnerable chunking feature)

Alternatively, system administrators can update Exim to version 4.89.1.
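As an added verification check (not part of the SingCERT advisory), the following Python script parses an SMTP EHLO reply and reports whether a server still advertises the CHUNKING extension that both vulnerabilities depend on; after the workaround above or the upgrade to 4.89.1, the keyword should no longer appear in the reply. The sample replies and the host name check.example.test are constructed for illustration.

```python
import socket

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_CHUNKING = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_CHUNKING = (
    "250-mail.example.test Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response: str) -> list[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    The first line is the server greeting; each later line is
    "250-KEYWORD [params]", and the final line uses "250 " (space).
    """
    exts = []
    lines = [l for l in response.replace("\r\n", "\n").split("\n") if l]
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            exts.append(body.split()[0].upper())
    return exts


def chunking_advertised(response: str) -> bool:
    """True if the server still offers the CHUNKING (BDAT) extension."""
    return "CHUNKING" in parse_ehlo_extensions(response)


def fetch_ehlo(host: str, port: int = 25, helo_name: str = "check.example.test") -> str:
    """Connect to a server you administer and return its raw EHLO reply."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.recv(1024)  # discard the 220 banner
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
            if any(l.startswith(b"250 ") for l in data.split(b"\r\n")):
                break  # final line of the multi-line reply seen
        s.sendall(b"QUIT\r\n")
        return data.decode(errors="replace")
```

Run chunking_advertised(fetch_ehlo("your.mail.host")) against your own server; a result of False confirms that CHUNKING is no longer offered.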
 