Exim fails to properly handle trailing backslashes in string_interpret_escape()

Overview

Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape() function. This function is used to handle peer distinguished names (DN) and Sever Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.

Description

Exim is a message transfer agent (MTA) that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape() function, which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a ‘\’ character, the vulnerable string_interpret_escape() function will interpret the string-terminating null byte as a value to be escaped, thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow.

Exim installations configured to allow TLS connections, which can happen either via the SMTP STARTTLS command or via TLS-on-connect, can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.

---

Impact

By causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges.

---

Solution

Apply an update
This vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.

---

Use ACLs to block attack attempts
The Exim advisory provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields:

# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Vendor Information

672565

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Exim Affected

Notified: September 06, 2019 Updated: September 06, 2019

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://www.exim.org/static/doc/security/CVE-2019-15846.txt&gt;
• <https://github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846&gt;

Ubuntu __ Affected

Notified: September 06, 2019 Updated: September 06, 2019

Statement Date: September 06, 2019

Status

Affected

Vendor Statement

Ubuntu has released updates for Exim that address CVE-2019-15846 in https://usn.ubuntu.com/4124-1/

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://usn.ubuntu.com/4124-1/&gt;

Arista Networks, Inc. __ Not Affected

Notified: September 06, 2019 Updated: September 06, 2019

Statement Date: September 06, 2019

Status

Not Affected

Vendor Statement

Arista products do not use the exim mail server

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS __ Not Affected

Notified: September 06, 2019 Updated: September 06, 2019

Statement Date: September 06, 2019

Status

Not Affected

Vendor Statement

CoreOS Container Linux is not vulnerable.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. __ Not Affected

Notified: September 06, 2019 Updated: September 09, 2019

Statement Date: September 09, 2019

Status

Not Affected

Vendor Statement

Even though the version of Exim as shipped with Red Hat Enterprise Linux 5 (only affected RedHat product includes the affected function), it does not expose the buffer overflow problem and is not affected by the remote code execution flaw.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Synology __ Not Affected

Notified: September 06, 2019 Updated: September 10, 2019

Statement Date: September 10, 2019

Status

Not Affected

Vendor Statement

Synology does not employ Exim for our products, including MailPlus [1] and Mail Station [2].

Vendor References

• http[1]
• <https://www.synology.com/solution/business_email_solution[2]&gt;
• <https://www.synology.com/dsm/packages/MailStation&gt;

Alpine Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arch Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aspera Inc. Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Micro Focus Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tizen Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: September 06, 2019 Updated: September 06, 2019

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 20 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	7.8	E:POC/RL:OF/RC:C
Environmental	5.9	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <https://www.exim.org/static/doc/security/CVE-2019-15846.txt&gt;
• <https://ftp.exim.org/pub/exim/exim4/&gt;
• <https://github.com/Exim/exim.git&gt;
• <https://usn.ubuntu.com/4124-1/&gt;
• <https://github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846&gt;
• <https://git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4&gt;
• <https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-are-currently-being-attacked/&gt;
• <https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/&gt;

Acknowledgements

Thanks to Zerons for the initial report to Exim and to Qualys for providing additional analysis.

This document was written by Will Dormann, Laurie Tyzenhaus and Madison Oliver.

Other Information

CVE IDs:	CVE-2019-15846
Date Public:	2019-09-06 Date First Published: