Exim string_format() buffer overflow

2010-12-13T00:00:00
ID VU:682457
Type cert
Reporter CERT
Modified 2010-12-13T14:29:00

Description

Overview

The Exim mail server contains a buffer overflow that could allow a remote attacker to execute arbitrary code on an affected system.

Description

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. Exim's internal string-handling code contains a function called string_format(). In Exim versions prior to 4.70 this function contains a flaw that can result in a buffer overflow. An attacker can exploit this vulnerability by crafting message headers that are subsequently supplied to Exim logging functions.

Note: this vulnerability has reportedly been exploited in the wild.
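The description above concerns a fixed-size buffer overrun while formatting attacker-supplied header text for logging. The following is an added example written for this note, not Exim's string_format() and not the code in the referenced patch: a bounded formatter that appends header fields to a fixed-size log buffer, truncates visibly when the input does not fit, and never writes past the buffer. The names (log_append, format_log_line, struct header, LOG_BUF_SIZE) and the buffer size are illustrative assumptions.

```c
/*
 * Added example (not Exim's code): building a log line from untrusted
 * message headers with a bounded formatter that cannot write past the
 * end of its fixed-size buffer. Names and sizes are illustrative.
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64   /* kept small here so truncation is easy to see */

struct header {
    const char *name;
    const char *value;
};

/*
 * Append printf-style output at offset *pos of buf[size].  Never writes
 * outside buf[0..size-1] and always leaves a NUL terminator.  Returns
 * false when the output did not fit.
 *
 * Pitfall this guards against: vsnprintf returns the length the complete
 * output WOULD have had.  Code that does `*pos += n` without clamping n to
 * the space left moves the write position past the end of the buffer, and
 * every later append then writes out of bounds.
 */
static bool log_append(char *buf, size_t size, size_t *pos, const char *fmt, ...)
{
    if (size == 0 || *pos >= size)
        return false;

    size_t room = size - *pos;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, room, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= room) {
        /* vsnprintf wrote room-1 bytes plus a NUL; park the position there */
        *pos = size - 1;
        buf[*pos] = '\0';
        return false;
    }
    *pos += (size_t)n;
    return true;
}

/*
 * Format "name=value" pairs, space separated, into buf[size].  Returns true
 * if every header fit.  Otherwise the line is cut at the buffer boundary,
 * ends in "..." so the operator can see the record is incomplete, and
 * false is returned.
 */
bool format_log_line(char *buf, size_t size,
                     const struct header *hdrs, size_t count)
{
    if (size == 0)
        return false;
    size_t pos = 0;
    buf[0] = '\0';

    for (size_t i = 0; i < count; i++) {
        if (!log_append(buf, size, &pos, "%s%s=%s",
                        i ? " " : "", hdrs[i].name, hdrs[i].value)) {
            if (size >= 4)
                memcpy(buf + size - 4, "...", 4);   /* the 4th byte is the NUL */
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample headers; the long Subject stands in for an
     * attacker-controlled value far larger than the log buffer. */
    char long_subject[200];
    memset(long_subject, 'A', sizeof long_subject - 1);
    long_subject[sizeof long_subject - 1] = '\0';

    const struct header hdrs[] = {
        { "From",    "a@example.test" },
        { "Subject", long_subject },
    };

    char line[LOG_BUF_SIZE];
    bool ok = format_log_line(line, sizeof line, hdrs, 2);
    printf("%s: %s (%zu bytes)\n", ok ? "complete" : "TRUNCATED",
           line, strlen(line));
    return 0;
}
```

The defensive point is in log_append: the return value of vsnprintf is compared against the remaining room before it is used to advance the write position, so an oversized header can only shorten the log record, and the truncation is made visible rather than silent.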


Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the Exim server. A separate vulnerability in Exim could then allow the attacker to escalate privileges to root.


Solution

Apply an update

Users who obtain Exim from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

This vulnerability is reportedly addressed in Exim version 4.70. Users of Exim from the original source distribution should upgrade to this version or later, as appropriate. Users who are unable to upgrade are encouraged to apply the following patch from the Exim developers:
<http://git.exim.org/exim.git/commitdiff/24c929a2>


Vendor Information

Debian GNU/Linux

Updated: December 10, 2010

Statement Date: December 10, 2010

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://lists.debian.org/debian-security-announce/2010/msg00181.html>

SUSE Linux

Updated: December 13, 2010

Statement Date: December 13, 2010

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html>

Ubuntu

Updated: December 13, 2010

Statement Date: December 11, 2010

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://www.ubuntu.com/usn/usn-1032-1>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html>
  • <http://www.exim.org/lurker/message/20101210.164935.385e04d0.en.html>
  • <http://bugs.exim.org/show_bug.cgi?id=787>
  • <http://git.exim.org/exim.git/commitdiff/24c929a2>
  • <http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html>
  • <https://bugzilla.redhat.com/show_bug.cgi?id=661756>

Acknowledgements

This vulnerability was discovered as a result of its exploitation in the wild. Sergey Kononenko provided confirmation and public analysis.

This document was written by Chad R Dougherty.

Other Information

Field | Value
---|---
CVE IDs: | CVE-2010-4344
Severity Metric: | 19.77
Date Public: | 2010-12-07
Date First Published: | 2010-12-13
Date Last Updated: | 2010-12-13 14:29 UTC
Document Revision: | 8