Number: AL17-013
Date: 28 November 2017
Purpose
The purpose of this alert is to bring attention to recently disclosed vulnerabilities in Exim Internet Mailer.
Assessment
CCIRC has become aware of two vulnerabilities in Exim Internet Mailer version 4.88 and 4.89 that allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Suggested Action
Due to the potential risk presented by this vulnerability, CCIRC recommends that system administrators monitor for the developer released security fix. Additional mitigation advice has been published by the vendor.
Furthermore, CCIRC is providing a Suricata rule to detect BDAT command that attempt to exploit those vulnerabilities.
alert smtp any any -> $HOME_NET any (msg: "[PT OPEN] Exim 4.88, 4.89 UAF RCE Attempt (CVE-2017-16943)"; flow: established, to_server; content: "BDAT"; content: "BDAT"; within: 10; pcre: "/BDAT\s*\D[^\n\r]*[\n\r][^\n\r]{100}/"; reference: cve, 2017-16943; reference: url, bugs.exim.org/show_bug.cgi?id=2199; classtype: attempted-admin; sid: 10002280; rev: 2; )
References: