Alert - Exim Internet Mail Vulnerabilities

Number: AL17-013
Date: 28 November 2017

Purpose

The purpose of this alert is to bring attention to recently disclosed vulnerabilities in Exim Internet Mailer.

Assessment

CCIRC has become aware of two vulnerabilities in Exim Internet Mailer version 4.88 and 4.89 that allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

Suggested Action

Due to the potential risk presented by this vulnerability VulnerabilityA flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations. , CCIRC recommends that system administrators monitor for the developer released security fix. Additional mitigation advice has been published by the vendor.

Furthermore, CCIRC is providing a Suricata rule to detect BDAT command that attempt to exploit those vulnerabilities.

alert smtp any any -> $HOME_NET any (msg: "[PT OPEN] Exim 4.88, 4.89 UAF RCE Attempt (CVE-2017-16943)"; flow: established, to_server; content: "BDAT"; content: "BDAT"; within: 10; pcre: "/BDAT\s*\D[^\n\r]*[\n\r][^\n\r]{100}/"; reference: cve, 2017-16943; reference: url, bugs.exim.org/show_bug.cgi?id=2199; classtype: attempted-admin; sid: 10002280; rev: 2; )

References:

• https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4
• https://bugs.exim.org/show_bug.cgi?id=2199
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16943