Exim Vulnerability CVE-2019-16928 Could Lead to Denial-of-Service and Remote Code Execution Attacks
A vulnerability involving the message transfer agent Exim — estimated to run roughly 57% of all email servers — has been discovered by security researchers from QAX-A-Team. Exploitation of the bug, assigned CVE-2019-16928, could result in threat actors being able to launch denial-of-service (DoS) or remote code execution (RCE) attacks.
The vulnerability is a result of a heap-based overflow error in string_vformat (string.c). According to Exim’s advisory, the vulnerability can be exploited by an attacker via an “extraordinary long Extended HELO (EHLO) string” meant to crash the process that is responsible for receiving the message. Exim coder Jeremy Harris, who called the vulnerability a “simple coding error” that resulted from not growing a string by enough, published a proof of concept showing an example of how it could be exploited.
Exim also notes that there might be other ways to exploit the vulnerable code. A post on Exim’s bug tracker revealed that RCE attacks are also a possibility.
A couple of other Exim vulnerabilities have made headlines the past few months. In June, threat actors were found to be targeting servers using Exim via the Watchbog trojan, while another bug (CVE-2019-15846) that could also lead to RCE attacks was discovered in September.
[READ: Jira and Exim vulnerabilities exploited by Watchbog to deliver cryptocurrency miners]
CVE-2019-16928 was introduced with Exim 4.92 and also affects versions 4.92, 4.92.1, and 4.92.2. Versions that predate 4.92 are not affected by the bug.
Exim users are advised to update to the latest version (4.92.3), which includes a fix that addresses CVE-2019-16928.
Security recommendations and Trend Micro solutions
Vulnerabilities in software are a common — and unfortunately unavoidable — occurrence. Organizations should always prioritize patching their software to the latest versions, especially if the update addresses critical vulnerabilities that, if exploited, could result in actual damage to the businesses. In this case, CVE-2019-16928 already has a patch that fixes the flaw and Exim has even offered a backported fix for organizations that cannot install the new version. Given Exim’s ubiquity, neglecting to patch vulnerable instances can lead to consequences that extend beyond the organization itself.
Furthermore, organizations can strengthen their overall security by using security products like the Trend Micro™ Deep Discovery™ solution, which provides detection, in-depth analysis, and proactive response to attacks that exploit vulnerabilities via specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these attacks even without any engine or pattern update.
Trend Micro Deep Discovery Inspector, protects customers from attacks that exploit CVE-2019-16928 via the following rule:
- Rule ID 4246: Possible CVE-2019-16928 - Exim Buffer Overflow Exploit - SMTP (Request)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases