At least 400,000 servers are thought to be running a vulnerable program that can be tricked by a remote hacker into running malicious code. The problem is in versions of the open-source Exim message transfer agent (MTA). Exim, which was initially developed at the University of Cambridge, may not be a program familiar to the average computer user, but it is far from uncommon. Exim is often found running on Ubuntu and Debian servers (on the latter it is configured as the default MTA), and is the mail transport agent used in the ubiquitous cPanel web hosting control panel. If you're in any doubt, consider this: a recent study found that Exim was running on over 56% of all publicly accessible mail servers on the internet.
The serious buffer overflow vulnerability in Exim was discovered by security researcher Meh Chang on 5 February 2018, and a security update (version 4.90.1) was released five days later. Chang fears that many vulnerable systems still have not installed the patch, and that "at least 400,000 servers are at risk." The risk is that a malicious attacker might exploit the buffer overflow in Exim's handling of base64 authentication by sending out a booby-trapped mail message.
According to Chang, such an attack could be used to run arbitrary code or as part of a denial-of-service attack.
"Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length."
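To make the "specific length" remark concrete, here is an added illustration of this bug class, written for this article and not taken from Exim's source: a base64 decoder whose output buffer is sized on the assumption that a trailing partial group needs at most one extra byte is short by exactly one byte whenever the input length is 4n+3, and the corrected bound beside it rounds the input up to whole groups first. The sizing formulas and the bounds-checked decoder are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes produced by decoding in_len base64 characters with no '=' padding:
 * 3 per full 4-character group, then 1 or 2 for a trailing group of 2 or 3
 * characters (a lone trailing character is malformed and yields nothing). */
size_t b64_decoded_len(size_t in_len) {
    size_t rem = in_len % 4;
    return 3 * (in_len / 4) + (rem == 2 ? 1 : rem == 3 ? 2 : 0);
}

/* Assumed flawed sizing for illustration (not Exim's code): it budgets a
 * single spare byte for any trailing partial group. */
size_t naive_alloc(size_t in_len) { return 3 * (in_len / 4) + 1; }

/* Corrected bound: round the input up to whole groups before sizing. */
size_t safe_alloc(size_t in_len) { return 3 * ((in_len + 3) / 4); }

/* Bytes by which the naive buffer is too small; 0 when it suffices.
 * Only lengths of the form 4n+3 come back non-zero, and then exactly 1. */
size_t naive_shortfall(size_t in_len) {
    size_t need = b64_decoded_len(in_len), have = naive_alloc(in_len);
    return need > have ? need - have : 0;
}

/* Bounds-checked decode of unpadded base64 into out[cap]. Returns the
 * number of bytes written, or -1 if the input is malformed or would not
 * fit; the length check happens before any byte is written. */
long b64_decode_checked(const char *in, unsigned char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(in), o = 0;
    if (n % 4 == 1 || b64_decoded_len(n) > cap) return -1;
    for (size_t i = 0; i < n; i += 4) {
        size_t k = n - i < 4 ? n - i : 4;   /* characters in this group */
        uint32_t acc = 0;
        for (size_t j = 0; j < k; j++) {
            const char *p = strchr(tbl, in[i + j]);
            if (!p) return -1;
            acc = (acc << 6) | (uint32_t)(p - tbl);
        }
        acc <<= 6 * (4 - k);                /* left-align a partial group */
        for (size_t j = 0; j + 1 < k; j++)  /* k chars carry k-1 bytes */
            out[o++] = (unsigned char)(acc >> (16 - 8 * j));
    }
    return (long)o;
}
```

Walking naive_shortfall over lengths 0 to 11 reports 1 for lengths 3, 7 and 11 and 0 everywhere else, which is why a decoder with this sizing misbehaves only for inputs of one particular residual length.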
Exim's team believe that exploiting the flaw is non-trivial, although Chang has created proof-of-concept exploit code which targets Exim's SMTP daemon. Clearly this is not a threat which should be ignored. IT staff responsible for maintaining the security of servers should update their installation of Exim to version 4.90.1 or later as a matter of priority, regardless of how likely the flaw is to be exploited. A patch has been available for the last month, and organisations which already have a regime of regular patching should already have addressed the vulnerability and have nothing to fear. And yet, with at least 400,000 vulnerable systems still connected to the internet, it seems there is every likelihood that there may be rich pickings for cybercriminals for months to come.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.