Some months ago a serious vulnerability in Exim was disclosed (CVE-2017-16943), and in the last few hours Meh Chang (from devco.re) discovered a buffer overflow that allows remote command execution on this MTA.

As of March 2017, the total number of Internet email servers running Exim was estimated at over 560,000, which corresponds to 56% of all mail (MX) servers online.

From Exim advisory:

CVE-2018-6789
=============

There is a buffer overflow in base64d(), if some pre-conditions are met.
Using a handcrafted message, remote code execution seems to be possible.

A patch exists already and is being tested.

Currently we're unsure about the severity, we *believe*, an exploit
is difficult. A mitigation isn't known.

From Devco.re report:

Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length. In addition, this byte is controllable, which makes exploitation more feasible.
Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.

Which versions of EXIM are vulnerable?

All versions before EXIM 4.90.1.

What should I do?

Obviously, you must upgrade your exim4 packages.

Debian/Ubuntu

  • On the Debian oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.
  • On the Debian stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.
  • Ubuntu users should update to the following versions:
    • Ubuntu 14.04 LTS (Trusty Tahr): Version 4.82-3ubuntu2.4
    • Ubuntu 16.04 LTS (Xenial Xerus): Version 4.86.2-2ubuntu2.3
    • Ubuntu 17.10 (Artful Aardvark): Version 4.89-5ubuntu1.3
    • Ubuntu 18.04 LTS (Bionic Beaver): Version 4.90.1-1ubuntu1

Simply run apt to update the system:

$ sudo apt update
$ sudo apt upgrade

Afterwards, verify that the patched package has been installed (the glob is quoted so the shell does not expand it against files in the current directory):

$ dpkg --list 'exim4*'
$ debsecan | grep -i CVE-2018-6789

CentOS

CentOS and RHEL 6/7 users should upgrade their servers using yum:

$ sudo yum update

There won’t be any fix for CentOS/RHEL version 5.x or older.

Fedora users should run the dnf command:

$ sudo dnf update

Finally, you can verify patch installation with this command:

$ rpm -q --changelog exim | grep CVE-2018-6789
