Another potential RCE in Exim! Let’s update, folks!

Jeremy Harris, from the Exim Development Team, has discovered a heap-based buffer overflow issue in all versions of Exim servers up to and including 4.92.1.

The vulnerability (CVE-2019-16928) could allow remote attackers to cause a denial of service or execute arbitrary code on a targeted Exim mail server, with the rights of the targeted user, using a specially crafted line in the EHLO command. Currently the public PoC exploit for this vulnerability only crashes the Exim process by sending a long string in the EHLO command, though other commands could potentially also be used to execute arbitrary code.

Is there a patch?

Yep! Exim maintainers released an urgent security update after publishing an early warning, giving system administrators a heads-up on the upcoming security patches:

Fix
===
**Download and build the fixed version 4.92.3**

    Tarballs: [https://ftp.exim.org/pub/exim/exim4/](https://ftp.exim.org/pub/exim/exim4/)
    Git:      [https://github.com/Exim/exim.git](https://github.com/Exim/exim.git)
              - tag    exim-4.92.3
              - branch exim-4.92.3+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix.
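To check whether a host already runs the fixed release, here is a small version check written for this post (it is not part of the Exim advisory or the Exim project). It classifies the version string against the 4.92.3 fix named above, and treats a distro-style revision suffix as "check the package changelog", because a distribution package can carry the backported fix while still reporting an older upstream number; `exim -bV` prints only the upstream number, so for packaged builds feed it the package manager's version string instead.

```python
#!/usr/bin/env python3
"""Classify an Exim version string against the CVE-2019-16928 fix (4.92.3).

Added example for this post; not code from the Exim advisory or project.
"""
import re
import subprocess

FIXED = (4, 92, 3)  # first upstream release with the fix, per the advisory

# Matches "4.92", "4.92.3" or "4.92-8+deb10u3"; the "#3" build number that
# `exim -bV` prints after a space is deliberately not part of the match.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)([-+~]\S*)?")


def parse_version(text: str):
    """Return ((major, minor, patch), distro_suffix) or None if no version."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # normalise "4.92" -> (4, 92, 0)
    return nums, (m.group(2) or "")


def fix_status(text: str) -> str:
    """'fixed' for >= 4.92.3; below that, 'check-backport' when the string
    carries a distro revision (the number alone cannot prove the fix is
    absent), otherwise 'unpatched-upstream'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    nums, suffix = parsed
    if nums >= FIXED:
        return "fixed"
    return "check-backport" if suffix else "unpatched-upstream"


def running_exim_status() -> str:
    """Run `exim -bV` on this host (assumes the binary is on PATH)."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return fix_status(out)


if __name__ == "__main__":
    # Constructed sample lines in the shape `exim -bV` and dpkg print them.
    for sample in ("Exim version 4.92.1 #2 built 25-Jul-2019 09:00:00",
                   "Exim version 4.92.3 #1 built 28-Sep-2019 10:11:12",
                   "4.92-8+deb10u3"):
        print(f"{sample!r}: {fix_status(sample)}")
    print("this host:", running_exim_status())
```

For Debian-based hosts the package string comes from `dpkg-query -W -f='${Version}' exim4-base`, and for RPM-based ones from `rpm -q --qf '%{VERSION}-%{RELEASE}' exim`; a "check-backport" result means reading that package's changelog for CVE-2019-16928, not assuming either way.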

References

  • CVE-2019-16928
  • Public PoC exploit