A serious security susceptibility has been exposed and repaired in the popular open-source Exim email server software, which could enable a remote attacker to only crash or possibly perform malevolent code on targeted servers.
Exim maintainers today issued a vital security update—Exim version 4.92.3—after publishing an early caution two days ago, giving system officers an early head-up on its forthcoming security fixes that impact all versions of the email server software from 4.92 up to and including then-latest version 4.92.2.
Exim is a broadly used, open source mail transfer agent (MTA) which runs almost 60% of the Internet’s email servers today for routing, delivering and receiving email messages.
Recognized as CVE-2019-16928 and exposed by Jeremy Harris of Exim Development Team, the susceptibility is a heap-based buffer overflow issue in string_vformat defined in string.c file of the EHLO Command Handler component.
The security fault could let remote attackers cause a denial of service (DoS) condition or perform random code on a targeted Exim mail server using a particularly crafted line in the EHLO command with the rights of the targeted user.
As per the Exim advisory, a presently known PoC exploit for this susceptibility lets one only crash the Exim process by sending a lengthy string in the EHLO command, though other commands could also be used to possibly perform arbitrary code.
In mid-year, Exim also repaired a critical remote command implementation susceptibility (CVE-2019-10149) in its email software that was vigorously misused in the wild by numerous groups of hackers to affect weak servers.
Thus, server administrators are highly advised to install the latest Exim 4.92.3 version at the earliest, since there is no known extenuation to briefly resolve this issue.
The team also says, “if you can’t install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources, we will support you in backporting the fix.”