Exim Buffer Overflow RCE Vulnerability (CVE-2018-6789) – What You Need to Know
On February 10, the Unix-based email server Exim released an update to address a heap buffer overflow vulnerability that can be used by an unauthenticated attacker to remotely execute arbitrary code. The flaw, assigned CVE-2018-6789, is noted to exist in all versions of Exim, prior to their latest release, 4.90.1, which means the attack surface potential is very wide. A quick search on Shodan yields more than 6 million results.
Vulnerability details
The vulnerability was originally discovered by DEVCORE, and details were published on their blog on March 6. The vulnerability is due to a flaw in the b64decode buffer length in the base64d() function. Due to an off-by-one calculation mistake, heap memory can be overwritten when parsing an invalid base64 string leading to critical data being overwritten.
As base64 decoding is a widely used function, and since the byte is user-controlled, this increases the ease of exploitation, which can be utilized for remote code execution.
Identificación de los sistemas afectados
To detect systems affected by this critical flaw, Tenable has released Nessus® plugins for Tenable.io Vulnerability Management, SecurityCenter and Nessus Pro. Additionally, Tenable has released passive detection via Nessus Network Monitor, which may be used with Tenable.io Vulnerability Management to detect the vulnerability passively on the network. Tenable.io Container Security has also been updated to detect the Exim off-by-one RCE vulnerability in Docker container images. The following table summarizes Tenable's coverage.
|
Plugin ID |
Descripción |
|
107149 |
Exim < 4.90.1 Buffer Overflow RCE Vulnerability |
|
700223 (Nessus Network Monitor) |
Exim < 4.90.1 Remote Code Execution |
|
106722 |
Debian DLA-1274-1 : exim4 security update |
|
106728 |
Debian DSA-4110-1 : exim4 - security update |
|
107007 |
Fedora 26 : exim (2018-25a7ba3cb6) |
|
107009 |
Fedora 27 : exim (2018-5aec14e125) |
|
106733 |
FreeBSD : exim -- a buffer overflow vulnerability, remote code execution (316b3c3e-0e98-11e8-8d41-97657151f8c2) |
|
106888 |
openSUSE Security Update : exim (openSUSE-2018-170) |
|
106791 |
Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : exim4 vulnerability (USN-3565-1) |
|
107178 |
GLSA-201803-01 : Exim: Multiple vulnerabilities |
What should you do?
If you’re running a version of Exim prior to 4.90.1, make sure you update to the most current release. Exim notes that all versions of Exim prior to 4.90.1 are now obsolete and that 3.x releases are also obsolete and should not be used.
Obtenga más información
- Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management
- DEVCORE blog details
- Exim ChangeLog
- Exim CVE-2018-6789 Advisory
Artículos relacionados
Foreshadow: Speculative Execution Attack Targets Intel SGX
August 14, 2018A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation....
Advisory: Red Hat DHCP Client Command Injection Trouble
May 17, 2018On May 15, Red Hat disclosed a critical vulnerability in a script included in NetworkManager for the Dynamic Host Configuration Protocol (DHCP) client on Red Hat Enterprise Linux (RHEL). The vulnerabi...
Advisory: Intel...Simply Misunderstood?
May 11, 2018To close numerous security gaps, Microsoft, Adobe, Apple, Red Hat, Xen, VMware and other vendors have released a number of patches in the first 10 days of May. We discussed some of these in our recent...
Cybersecurity Snapshot: CISA Warns Hospitals about Black Basta, as Tenable Study Finds Cloud-Related Breaches Pervasive
May 17, 2024Find out why healthcare organizations must beware of the Black Basta ransomware group. Meanwhile, a Tenable study found that 95% of surveyed organizations suffered a cloud-related breach, and offers insights for boosting cloud security. Plus, a Cloud Security Alliance report delves into how AI systems can create risky gaps in your cloud environment. And much more!
Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
May 16, 2024Tenable Cloud Security Research Team has recently discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, exploits Apache Tomcat servers with new advanced stealth techniques. Explore our analysis and the indicators of compromise in this report.
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
- Plugins