Exim is a message transfer agent (MTA) that runs on Unix-like systems and is widely used as a mail server. According to Shodan search results, about 5 million servers run Exim. Such servers can be kept secure with vulnerability management software.
A critical remote code execution vulnerability was discovered in Exim by Zerons. All Exim servers that accept TLS connections are considered vulnerable, and both GnuTLS- and OpenSSL-based builds are affected. The vulnerability allows an unauthenticated, remote attacker to execute programs with root privileges on any Exim server that accepts TLS connections. A vulnerability management tool can help resolve these issues. The vulnerability has been assigned CVE-2019-15846.
The advisory explains that the vulnerability can be exploited by sending an SNI that ends with a backslash-null sequence during the initial TLS handshake. SNI stands for Server Name Indication, a TLS extension that lets a server present different certificates for different host names on the same IP address and TCP port. The flaw is a buffer overflow in the SMTP delivery process. A server with the default runtime configuration can be exploited by sending crafted SNI data during TLS negotiation; in all other configurations, a crafted client TLS certificate can be used instead. Because spool_read_header() runs as root, the flaw is remotely exploitable with root privileges.
Qualys Analysis:
Qualys notes in its analysis that the string_unprinting() and string_interpret_escape() functions are problematic, but that the trigger is another flaw in string_printing(), which is what sets off the bug in string_unprinting() and string_interpret_escape(). The code in string_printing() fails to escape the escape character itself (the backslash) and therefore accepts an SNI ending with a backslash-null sequence. The SNI is read from the spool via string_unprinting(string_copy()); because both string_unprinting() and string_copy() use store_get(), the destination buffer is allocated immediately after the source buffer. When the end of the source buffer is reached, the characters overflow into the destination buffer, leading to a heap overflow that is under the direct control of the attacker.
To achieve remote code execution, the out-of-bounds read is turned into an out-of-bounds write, which can in turn be used to overwrite the headers of free malloc chunks. Increasing the size of such a chunk makes the next allocation overlap already-allocated chunks, which can be used to overwrite large parts of the heap with arbitrary data. spool_read_header() is what copies data into that allocation, and since spool_read_header() runs as root, the vulnerability is remotely exploitable with root privileges.
A PoC exists for this vulnerability but has not been published by Qualys. Qualys has also discovered and reported three other bugs, including the unescaped backslash in string_printing(). Exim has released fixed versions for this vulnerability.
This vulnerability is easily exploitable and gives an attacker root access remotely, so system administrators should update systems running Exim to the latest versions without delay.
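To make the mismatch between the two sides concrete, here is an added Python model (not Exim's code and not taken from the Qualys analysis) of the behaviour described above: a printing routine that does or does not escape the backslash, and an unprinting routine that copies into a buffer laid out directly after its NUL-terminated source, as the store_get() adjacency in the analysis implies. The function names string_printing and string_unprinting echo the page's names but are simplified models; _interpret_escape and unprint_from_spool are this example's own helpers, the escape grammar (\xHH, \n, literal next byte) is an assumed subset, and the heap layout and sample value are constructed. The returned dictionary reports how far the copy read and wrote, which is the behaviour a reviewer of such code wants to pin down.

```python
"""Constructed model of the escape/unescape mismatch behind CVE-2019-15846.

Added illustration, not Exim's code: a flat bytearray stands in for the heap,
with the NUL-terminated "printed" source placed immediately before the
destination buffer, mirroring the store_get() adjacency the analysis
describes. The escape grammar is a small assumed subset.
"""

BACKSLASH = 0x5C
NUL = 0x00


def string_printing(data: bytes, escape_backslash: bool) -> bytes:
    """Spool-writing side: non-printable bytes become \\xHH.

    escape_backslash=False models the flawed behaviour (a literal backslash
    passes through, so a value ending in a backslash reaches the spool
    verbatim); True doubles it so the encoding can be reversed safely.
    """
    out = bytearray()
    for b in data:
        if b == BACKSLASH and escape_backslash:
            out += b"\\\\"
        elif 0x20 <= b < 0x7F:
            out.append(b)
        else:
            out += b"\\x%02X" % b
    return bytes(out)


def _interpret_escape(heap: bytearray, p: int):
    """Decode the escape at heap[p] == '\\'; return (byte, index after it)."""
    ch = heap[p + 1]
    if ch == ord("x") and len(heap[p + 2:p + 4]) == 2:
        return int(bytes(heap[p + 2:p + 4]), 16), p + 4
    if ch == ord("n"):
        return 0x0A, p + 2
    return ch, p + 2  # any other byte is taken literally, NUL included


def string_unprinting(heap, src, dst, dst_size, bounds_check):
    """Spool-reading side: copy heap[src:] into heap[dst:], decoding escapes.

    Without bounds_check a trailing backslash swallows the terminating NUL as
    its escaped byte, so the read cursor walks on into the destination buffer
    and keeps copying; with bounds_check the loop stops there instead.
    """
    src_end = heap.index(NUL, src)            # position of the terminator
    p, w = src, dst
    read_past_source = False
    for _ in range(4 * len(heap)):            # hard stop for the model only
        if p >= len(heap) or heap[p] == NUL:
            break
        if p > src_end:
            read_past_source = True
        if heap[p] == BACKSLASH:
            if p + 1 >= len(heap) or (bounds_check and heap[p + 1] == NUL):
                break
            b, p = _interpret_escape(heap, p)
        else:
            b, p = heap[p], p + 1
        if w >= len(heap):
            break
        heap[w] = b
        w += 1
    return {
        "out": bytes(heap[dst:w]).split(b"\0", 1)[0],
        "bytes_written": w - dst,
        "overflow": max(0, w - (dst + dst_size)),
        "read_past_source": read_past_source,
    }


def unprint_from_spool(value: bytes, escape_backslash: bool, bounds_check: bool) -> dict:
    """Lay out the heap as the analysis describes and run the copy.

    The destination is sized like a string_copy()-style allocation (one byte
    more than the printed source) and sits directly after it; 16 spare bytes
    stand in for whatever chunk follows.
    """
    printed = string_printing(value, escape_backslash)
    heap = bytearray(printed + b"\0")
    dst, dst_size = len(heap), len(printed) + 1
    heap += bytes(dst_size + 16)
    return string_unprinting(heap, 0, dst, dst_size, bounds_check)


if __name__ == "__main__":
    sni = b"mail.example\\"  # constructed value ending in a backslash
    for label, esc, chk in (("flawed", False, False), ("fixed", True, True)):
        r = unprint_from_spool(sni, esc, chk)
        print(f"{label}: wrote {r['bytes_written']} bytes, overflow {r['overflow']}, "
              f"read past source: {r['read_past_source']}")
```

With the flawed pairing the copy reads past the source terminator and writes more bytes than the destination holds, and the excess is a copy of attacker-supplied content; with the backslash escaped on the writing side the round trip is exact, and a bounds check on the reading side alone is enough to stop the walk even when the writer is still flawed, which is why fixing both sides is the robust choice.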
Affected Products by CVE-2019-15846:
Exim version 4.92.1 and earlier.
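As an added inventory check (this example's own code, not from the advisory or the vendor), the following Python snippet turns collected version banners into an affected/fixed list using the range stated above. The banner format is assumed to be the first line printed by `exim -bV`, and the host names and banner strings are constructed. Distribution packages may backport the fix while keeping an older upstream version string, so an "affected" result here is a prompt to verify the package changelog rather than a final verdict.

```python
import re

# Upper bound of the affected range as stated in the advisory text
AFFECTED_UP_TO = (4, 92, 1)

# Assumed banner format: the first line printed by `exim -bV`
_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(banner: str):
    """Return (major, minor, patch) from a banner line, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version) -> bool:
    """True when the upstream version falls inside the advisory's range."""
    return version <= AFFECTED_UP_TO


def triage(banners: dict) -> dict:
    """Map host -> 'affected' / 'fixed' / 'unknown' from collected banners."""
    result = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(version) else "fixed"
    return result


# Constructed sample inventory: host names and banners are made up
SAMPLE_BANNERS = {
    "mx1.example.test": "Exim version 4.92.1 #3 built 25-Jul-2019 10:05:14",
    "mx2.example.test": "Exim version 4.92.2 #2 built 07-Sep-2019 09:51:00",
    "mx3.example.test": "Exim version 4.91 #1 built 15-Apr-2018 08:00:00",
    "legacy.example.test": "bash: exim: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```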
Impact of the Exim Server Vulnerability:
A remote, unauthenticated attacker can execute programs with root privileges.
Solution for CVE-2019-15846:
Please refer to this KB Article, which has now been replaced by a newer KB Article, to apply the patches using SanerNow.