Open-source Exim remote attack bug: 400,000 servers still vulnerable, patch now

Many hosts running popular open-source email service Exim are still open to a remote code execution bug.
Written by Liam Tung, Contributing Writer


Admins are being urged to update email server program Exim, patched in February, to close a remote execution flaw.

All versions of the Exim message transfer agent (MTA) before version 4.90.1, released in early February, are vulnerable to the attack.

Meh Chang from security firm Devcore Security Consulting reported the bug to Exim developers on February 2, and a patch was released five days later. But Chang warns there are still at least 400,000 servers running a vulnerable version of Exim.

Exim is one of the email MTA services available to use with Ubuntu, while Exim4 is the default for Debian. Exim stands for EXperimental Internet Mailer and was developed at the University of Cambridge in the UK in 1995 for Unix systems as an alternative to Sendmail.

The vulnerability is a one-byte heap overflow in Exim's base64 decoding. Chang developed an exploit for it on Debian and Ubuntu that targets Exim's SMTP daemon and tricks its memory-management mechanism.

"Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length," wrote Chang.

"In addition, this byte is controllable, which makes exploitation more feasible. Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution."
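The sizing mistake Chang describes, a decoder that reserves output space from the input length and comes up one byte short for one particular input length, is illustrated below with a small constructed decoder. This is an added example, not Exim's code; the capacity formulas and the sample strings are assumptions chosen to show the bug class, and the decoder refuses the out-of-bounds write rather than performing it.

```c
/* Added illustration (not Exim's code): a base64 decoder whose output buffer
 * is sized from the input length overflows by one byte when the input length
 * is 4n+3, i.e. an unpadded final group of 3 characters that decodes to 2 bytes. */
#include <stddef.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 if not in the alphabet. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Constructed weak sizing: 3 bytes per full group of 4 characters plus one.
 * A trailing partial group of 3 characters yields 2 bytes but gets only 1. */
size_t naive_capacity(size_t in_len) { return 3 * (in_len / 4) + 1; }

/* Hardened sizing: round the input up to whole groups before converting. */
size_t safe_capacity(size_t in_len) { return 3 * ((in_len + 3) / 4) + 1; }

/* Decode base64 (padded or unpadded) into out[cap]. Returns bytes written, or
 * -1 if a write would land past cap, which is the write that would corrupt
 * the next heap chunk in an unchecked decoder. */
long b64_decode_checked(const char *in, size_t in_len, unsigned char *out, size_t cap) {
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < in_len && in[i] != '='; i++) {
        int v = b64_val(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;   /* would overflow: refuse instead of writing */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Returns 1 when the naive capacity is too small for this input but the safe one fits. */
int naive_sizing_overflows(const char *in) {
    unsigned char buf[64];
    size_t len = strlen(in);
    long with_naive = b64_decode_checked(in, len, buf, naive_capacity(len));
    long with_safe  = b64_decode_checked(in, len, buf, safe_capacity(len));
    return with_naive < 0 && with_safe >= 0;
}
```

Only inputs whose length is 3 modulo 4 trip the check, which matches the observation that the overflow appears only when the string has a specific length.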

Linux distributions were given early access to the patch and, according to Exim developers, by the time the vulnerability was made public they should have already built packages with the fixed version.

Exim's advisory notes that remote code execution via the flaw "seems to be possible" using a specially crafted message. Its timeline also notes that one of the distributions given restricted access to Exim's security repository broke the embargo almost immediately.
