Terror byte: 400k Exim servers still open to remote attack
Vulnerable versions of the email service are still being used worldwide.
Hundreds of thousands of Exim users are still at risk from a known vulnerability that allows hackers to conduct remote code execution (RCE) attacks, researchers have warned.
In February, Meh Chang from Devcore Security discovered a one-byte buffer overflow vulnerability in Exim’s base64 decode function.
According to the researcher, the vulnerability can be exploited to allow hackers to execute malicious code.
Chang reported the bug to Exim on February 2 and it was patched five days later.
But he warned that 400,000 servers are still running vulnerable versions of the message transfer agent (MTA).
He commented: “Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.
“In addition, this byte is controllable, which makes exploitation more feasible. Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.”
Exim wrote in an advisory: “There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible.
“A patch exists already and is being tested.
“Currently we’re unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn’t known.”
The flaw is present in all Exim releases before version 4.90.1.
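The length-dependent one-byte overrun described above, sketched as an added example that is not Exim's code and does not come from the article. It assumes, for illustration only, a decoder that tolerates missing padding and an output buffer sized as 3*(len/4)+1; all function names and the sample string are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Sizing shortcut assumed for illustration (not quoted from Exim's source). */
static size_t naive_capacity(size_t len) { return 3 * (len / 4) + 1; }

/* Bytes a decoder that tolerates missing padding can emit for len chars. */
static size_t needed_bytes(size_t len) { return 3 * (len / 4) + (len % 4) * 3 / 4; }

/* How many bytes the shortcut falls short by for a given input length. */
static size_t shortfall(size_t len) {
    size_t need = needed_bytes(len), have = naive_capacity(len);
    return need > have ? need - have : 0;
}

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Bounded decode: returns bytes written, or -1 on a bad character or when
   the next byte would not fit in cap. It never writes past out[cap - 1]. */
static long b64_decode_bounded(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;      /* the check an unbounded decoder lacks */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;      /* keep only the leftover bits */
        }
    }
    return (long)n;
}

int main(void) {
    unsigned char buf[16];
    const char *sample = "QUJDREU";       /* constructed: "ABCDE", unpadded */
    for (size_t len = 4; len <= 11; len++)
        printf("len=%zu shortfall=%zu\n", len, shortfall(len));
    printf("naive cap: %ld\n", b64_decode_bounded(sample, buf, naive_capacity(7)));
    printf("exact cap: %ld\n", b64_decode_bounded(sample, buf, needed_bytes(7)));
    return 0;
}
```

Under these assumptions only input lengths of the form 4n+3 come up one byte short, which is why the overrun depends on the string fitting a specific length.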