The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Exim

vulnerability alert CVE-2018-6789

Exim: buffer overflow

Synthesis of the vulnerability

An attacker can generate a buffer overflow of Exim, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Exim, Fedora, openSUSE Leap, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Creation date: 12/02/2018.
Identifiers: CERTFR-2018-ALE-004, CVE-2018-6789, DLA-1274-1, DSA-4110-1, FEDORA-2018-25a7ba3cb6, FEDORA-2018-5aec14e125, openSUSE-SU-2018:0468-1, USN-3565-1, VIGILANCE-VUL-25271.

Description of the vulnerability

An attacker can generate a buffer overflow of Exim, in order to trigger a denial of service, and possibly to run code.

computer vulnerability announce CVE-2017-16944

Exim: denial of service via ESMTP CHUNKING

Synthesis of the vulnerability

An attacker can generate a fatal error via ESMTP CHUNKING of Exim, in order to trigger a denial of service.
Impacted products: Debian, Exim, Fedora, Ubuntu.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 27/11/2017.
Identifiers: 2201, CVE-2017-16944, DSA-4053-1, FEDORA-2017-0032baa7d7, FEDORA-2017-0053bb9719, USN-3493-1, USN-3499-1, VIGILANCE-VUL-24537.

Description of the vulnerability

An attacker can generate a fatal error via ESMTP CHUNKING of Exim, in order to trigger a denial of service.

computer vulnerability alert CVE-2017-16943

Exim: use after free via ESMTP CHUNKING

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via ESMTP CHUNKING of Exim, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Exim, Fedora, openSUSE Leap, Ubuntu.
Severity: 4/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Creation date: 27/11/2017.
Identifiers: 2199, CERTFR-2017-ALE-017, CVE-2017-16943, DSA-4053-1, FEDORA-2017-0032baa7d7, FEDORA-2017-0053bb9719, openSUSE-SU-2017:3220-1, USN-3493-1, USN-3499-1, VIGILANCE-VUL-24536.

Description of the vulnerability

An attacker can force the usage of a freed memory area via ESMTP CHUNKING of Exim, in order to trigger a denial of service, and possibly to run code.

computer vulnerability announce CVE-2017-1000369

Exim: memory corruption via Stack Clash

Synthesis of the vulnerability

An attacker can generate a memory corruption via Stack Clash of Exim (with the -p option to extend the allocated memory), in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Exim, Fedora, Junos Space, openSUSE Leap, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 20/06/2017.
Revision date: 20/06/2017.
Identifiers: CERTFR-2017-AVI-365, CVE-2017-1000369, DLA-1001-1, DSA-3888-1, FEDORA-2017-f5177f3a16, JSA10824, JSA10826, openSUSE-SU-2017:1625-1, openSUSE-SU-2017:2289-1, USN-3322-1, VIGILANCE-VUL-23007.

Description of the vulnerability

An attacker can generate a memory corruption via Stack Clash of Exim (with the -p option to extend the allocated memory), in order to trigger a denial of service, and possibly to run code.

vulnerability announce CVE-2017-10140

Berkeley DB: privilege escalation via a DB_CONFIG file

Synthesis of the vulnerability

An attacker can bypass restrictions via DB_CONFIG of Berkeley DB, in order to escalate his privileges.
Impacted products: Debian, Exim, Fedora, Berkeley DB, Postfix, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 14/06/2017.
Identifiers: CVE-2017-10140, DLA-1135-1, DLA-1136-1, DLA-1137-1, FEDORA-2017-014d67fa9d, FEDORA-2017-372bb1edb3, USN-3489-1, USN-3489-2, VIGILANCE-VUL-22972.

Description of the vulnerability

An attacker can create a DB_CONFIG file for Berkeley DB in the start folder of a privileged process, in order to tamper with the database parameters.

vulnerability alert CVE-2016-9963

Exim: information disclosure via DKIM Signing Key

Synthesis of the vulnerability

An attacker can read Exim logs, in order to obtain the DKIM signature key.
Impacted products: Debian, Exim, openSUSE Leap, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 16/12/2016.
Identifiers: CVE-2016-9963, DLA-762-1, DSA-3747-1, openSUSE-SU-2017:2289-1, USN-3164-1, VIGILANCE-VUL-21401.

Description of the vulnerability

An attacker can read Exim logs, in order to obtain the DKIM signature private key.

vulnerability bulletin CVE-2016-1531

Exim: privilege escalation via perl_startup

Synthesis of the vulnerability

A local attacker can use Exim configured with perl_startup, in order to escalate his privileges.
Impacted products: Debian, Exim, Fedora, openSUSE, openSUSE Leap, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 03/03/2016.
Identifiers: CVE-2016-1531, DSA-3517-1, FEDORA-2016-0e3ca94d88, FEDORA-2016-e062971917, openSUSE-SU-2016:0721-1, openSUSE-SU-2017:2289-1, USN-2933-1, VIGILANCE-VUL-19083.

Description of the vulnerability

The Exim product uses the "perl_startup" configuration directive, which can be used to run code in Perl language.

However, environment variables are not filtered. If Exim is installed suid root, a local attacker can thus pass variables to Perl, in order to gain root privileges.

A local attacker can therefore use Exim configured with perl_startup, in order to escalate his privileges.

vulnerability CVE-2015-0235

glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability

An attacker can for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code. Several programs using the gethostbyname() function are vulnerable with a similar attack vector.
Impacted products: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity: 4/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet server.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
Identifiers: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept an IP address literal directly, without a DNS lookup:
  he = gethostbyname("192.168.1.1");

However, a malformed, over-long IPv4 address such as 192.168.111111.1 (more than 1024 bytes long) triggers an overflow in the __nss_hostname_digits_dots() function, the internal helper that handles strings made only of digits and dots.

An attacker can therefore for example send an email using a long IPv4 address, to force the messaging server to resolve this address, and to generate a buffer overflow in gethostbyname() of the glibc, in order to trigger a denial of service, and possibly to execute code.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
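The description above notes that the overflow lives on the "digits and dots" path, that is, it is reached only when a string made solely of digits and dots is handed to gethostbyname(). Patching glibc is the fix; as an added example (not code from the bulletin, glibc, or any of the listed products), the check below shows the input validation a caller can put in front of a resolver so that such strings are only accepted when they are a genuine IPv4 literal, and anything over the DNS name length limit is refused before any lookup. The function names, return codes and the 253-byte limit (RFC 1035 presentation-form maximum) are this example's own choices; the oversized input is constructed here for demonstration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum length of a DNS name in presentation form (RFC 1035). */
#define MAX_HOSTNAME_LEN 253

/* Return values of check_resolver_input() (names chosen for this example). */
enum name_check {
    NAME_OK_HOSTNAME        =  0,  /* looks like a DNS name; safe to resolve   */
    NAME_OK_IPV4            =  1,  /* valid dotted-quad literal; no lookup     */
    NAME_REJECT_EMPTY       = -1,
    NAME_REJECT_TOO_LONG    = -2,  /* longer than any legal DNS name           */
    NAME_REJECT_BAD_LITERAL = -3,  /* digits-and-dots but not a real IPv4      */
    NAME_REJECT_BAD_CHAR    = -4   /* character outside [A-Za-z0-9.-]          */
};

/* Classify and validate a string before it reaches gethostbyname()/getaddrinfo().
 * Strings made only of digits and dots take glibc's "digits and dots" fast path,
 * which is where CVE-2015-0235 lived, so such strings must parse as a canonical
 * IPv4 literal via inet_pton() or they are rejected. */
int check_resolver_input(const char *name)
{
    size_t len = strlen(name);
    int digits_and_dots = 1;

    if (len == 0)
        return NAME_REJECT_EMPTY;
    if (len > MAX_HOSTNAME_LEN)
        return NAME_REJECT_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return NAME_REJECT_BAD_CHAR;
        if (!(isdigit(c) || c == '.'))
            digits_and_dots = 0;
    }

    if (digits_and_dots) {
        struct in_addr addr;
        /* inet_pton() accepts only a.b.c.d with each octet in 0..255, so
         * "192.168.111111.1" and similar malformed literals are refused. */
        return inet_pton(AF_INET, name, &addr) == 1
               ? NAME_OK_IPV4 : NAME_REJECT_BAD_LITERAL;
    }
    return NAME_OK_HOSTNAME;
}

/* Builds a constructed over-long digits-and-dots string (a 1100-digit run
 * between two octets) and returns how the check classifies it. */
int long_literal_result(void)
{
    static char buf[1200];
    size_t n = 0;
    n += (size_t)snprintf(buf, sizeof buf, "192.168.");
    memset(buf + n, '1', 1100);          /* the oversized "octet" */
    n += 1100;
    snprintf(buf + n, sizeof buf - n, ".1");
    return check_resolver_input(buf);
}

int main(void)
{
    const char *samples[] = { "www.example.com", "192.168.1.1",
                              "192.168.111111.1", "bad host!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], check_resolver_input(samples[i]));
    printf("%-20s -> %d\n", "<1100-digit literal>", long_literal_result());
    return 0;
}
```

Only a return of NAME_OK_HOSTNAME or NAME_OK_IPV4 should be followed by a resolver call; the IPv4 case can be used as-is with the parsed address, skipping the lookup entirely. The check is a belt-and-braces measure for code that must accept untrusted names (such as mail addresses with an address literal); it does not replace upgrading glibc.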

computer vulnerability alert CVE-2014-2972

Exim: code execution via Double Expansion

Synthesis of the vulnerability

A local attacker can edit a configuration file he has access to, in order to execute code with Exim privileges.
Impacted products: Exim, Fedora, openSUSE, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user shell.
Creation date: 22/07/2014.
Identifiers: CVE-2014-2972, FEDORA-2014-8803, FEDORA-2014-8865, openSUSE-SU-2014:0983-1, openSUSE-SU-2014:0986-1, USN-2933-1, VIGILANCE-VUL-15086.

Description of the vulnerability

Exim configuration files use variables which are expanded.

However, variables linked to mathematical operations are expanded twice, and dangerous commands are not forbidden on the second expansion.

A local attacker can therefore edit a configuration file he has access to, in order to execute code with Exim privileges.

computer vulnerability CVE-2014-2957

Exim: code execution via EXPERIMENTAL_DMARC

Synthesis of the vulnerability

An attacker can send a malicious email to Exim compiled with EXPERIMENTAL_DMARC, in order to execute code.
Impacted products: Exim, openSUSE.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 30/05/2014.
Identifiers: CVE-2014-2957, openSUSE-SU-2014:0983-1, openSUSE-SU-2014:0986-1, VIGILANCE-VUL-14815.

Description of the vulnerability

The DMARC (Domain-based Message Authentication, Reporting & Conformance) feature is used to fight spam.

The Exim messaging server can be compiled with EXPERIMENTAL_DMARC. However, in this case, the expand_string() function is used to analyze the From header, and the resulting data are then injected into a configuration command.

An attacker can therefore send a malicious email to Exim compiled with EXPERIMENTAL_DMARC, in order to execute code.