Exim, the widely used open-source mail transfer agent (MTA), has released an urgent security update for Exim versions 4.92 through 4.92.2. The vulnerability (CVE-2019-16928) is a heap-based buffer overflow (memory corruption) in string_vformat(), defined in string.c, that is reachable through the EHLO command handler: a specially crafted (extraordinarily long) line in the EHLO command triggers the overflow and lets an attacker crash a targeted Exim server. According to Exim, a proof-of-concept exploit is already known that crashes the Exim process.
What’s the Risk?
Much like the Exim vulnerability we wrote about just three weeks ago on Sept 9, this is a remotely triggerable memory-corruption bug that could let attackers run malicious code on the server. Two caveats are worth noting: the only public PoC so far crashes the process rather than executing code, and Exim's advisory points out that by the time EHLO is processed the daemon has already dropped its root privileges, while also warning that other paths to the vulnerable code may exist. Because of the level of access a working exploit would carry and the likelihood that one appears in short order, this CVE, like the Sept 9 one, was given a CVSS v3 base score of 9.8 out of 10 (Critical).
Once the mail server is compromised, attackers can go on to access everything else on that host, including TLS certificates and private keys, databases, and credentials. This makes servers hosting many domains more attractive targets. We broke the servers we looked at (3,780,497 in total) down by the number of domains each hosts and found that 26,553 servers host more than 5 domains and 4,542 servers host more than 25 domains:
| Domains Hosted | Total |
|---|---|
| Less than 5 | 3,753,944 |
| 5 – 25 | 22,011 |
| 25 – 50 | 4,344 |
| 50 – 75 | 71 |
| 75 – 100 | 125 |
| Greater than 100 | 2 |
| Total | 3,780,497 |
Searching Censys for your affected servers
We searched the entire Internet to find all exposed Exim servers affected by this vulnerability, specifically any server reporting version 4.92, 4.92.1, or 4.92.2, the versions the CVE covers. Using our web search UI, you can run the following query (replacing the two placeholders with your domain name) to list Exim servers presenting a TLS certificate for your domain; the version each server reports appears in the banner metadata of the results. Note that the query only looks at SMTPS on port 465 and STARTTLS on port 587, so a server that listens only on port 25 will not show up and should be checked directly.
Query:
https://censys.io/ipv4?q=%28465.smtp.tls.metadata.product%3A+exim+OR+587.smtp.starttls.metadata.product%3A+exim%29+AND+%28465.smtp.tls.tls.certificate.parsed.names%3A+%3CINSERT+DOMAIN+HERE%3E+OR+587.smtp.starttls.tls.certificate.parsed.names%3A+%3CINSERT+DOMAIN+HERE%3E%29
Censys Web Search UI:
Exim strongly recommends that server administrators upgrade to Exim 4.92.3 as soon as possible, since there is no known mitigation that temporarily resolves this issue. Administrators running distribution packages should check their vendor's changelog: distributions often backport the fix without changing the version number shown in the banner.
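As an added example (not code from Censys or from the Exim project), the following Python script does the two checks described above offline: it fills the two placeholders in the Censys query with a domain and URL-encodes it the same way the web UI does, and it classifies SMTP greetings against the advisory's affected range of 4.92 through 4.92.2. The greeting format it assumes is Exim's default `220 <host> ESMTP Exim <version> <date>`; the hostnames and greetings in `SAMPLE_BANNERS` are constructed for the demo, and `probe()` is a helper for fetching a live greeting from a server you own (it makes a network connection and is not used by the offline demo).

```python
import re
import smtplib
import urllib.parse

# Affected range from the Exim advisory for CVE-2019-16928: 4.92 up to and
# including 4.92.2; 4.92.3 carries the fix.
FIRST_AFFECTED = (4, 92, 0)
FIXED_IN = (4, 92, 3)

# Exim's default greeting is "220 <host> ESMTP Exim <version> <date>".
# Release candidates such as "4.93-RC1" match on the numeric prefix only.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample greetings (assumed hostnames, not real servers).
SAMPLE_BANNERS = [
    "220 mx1.example.com ESMTP Exim 4.92.2 Mon, 30 Sep 2019 09:00:00 +0000",
    "220 mx2.example.com ESMTP Exim 4.92 Mon, 30 Sep 2019 09:00:01 +0000",
    "220 mx3.example.com ESMTP Exim 4.92.3 Mon, 30 Sep 2019 09:00:02 +0000",
    "220 mx4.example.com ESMTP Exim 4.91 Mon, 30 Sep 2019 09:00:03 +0000",
    "220 mx5.example.com ESMTP Postfix",
]


def parse_exim_version(banner):
    """Return (major, minor, patch) from an Exim greeting, or None if the
    greeting does not advertise Exim at all."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version tuple lies in the advisory's affected range."""
    return FIRST_AFFECTED <= version < FIXED_IN


def classify_banner(banner):
    """Map one greeting to 'affected', 'not-affected' or 'not-exim-or-unknown'."""
    v = parse_exim_version(banner)
    if v is None:
        return "not-exim-or-unknown"
    return "affected" if is_affected(v) else "not-affected"


def censys_query_url(domain):
    """Fill the post's two <INSERT DOMAIN HERE> placeholders and URL-encode
    the query exactly as the web UI link in the post does."""
    q = ("(465.smtp.tls.metadata.product: exim "
         "OR 587.smtp.starttls.metadata.product: exim) "
         "AND (465.smtp.tls.tls.certificate.parsed.names: {d} "
         "OR 587.smtp.starttls.tls.certificate.parsed.names: {d})").format(d=domain)
    return "https://censys.io/ipv4?q=" + urllib.parse.quote_plus(q)


def probe(host, port=25, timeout=5):
    """Fetch the live 220 greeting from a server you own (network call).
    Only the greeting is read; no EHLO or message is sent."""
    s = smtplib.SMTP(timeout=timeout)
    try:
        code, msg = s.connect(host, port)
        return "%d %s" % (code, msg.decode("utf-8", "replace"))
    finally:
        try:
            s.quit()
        except smtplib.SMTPException:
            pass  # connect() failed or the server already hung up


def report(banners=SAMPLE_BANNERS):
    """Classify every greeting, keyed by the hostname in the banner."""
    return {b.split()[1]: classify_banner(b) for b in banners}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(host, verdict)
    print(censys_query_url("example.com"))
```

Two caveats when using this against real hosts: Exim's `smtp_banner` setting is configurable, so a greeting without the word "Exim" does not prove the server is not Exim, and distribution packages frequently backport security fixes without bumping the advertised version, so a "4.92" banner on a Debian or Ubuntu host may already be patched. Treat "affected" as a prompt to verify the installed package, not as a final verdict.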