{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-006.pdf"
    },
    "title": "Remote Code Execution Vulnerability in Exim",
    "serial_number": "2018-006",
    "publish_date": "07-03-2018 14:07:00",
    "description": "On February 05, 2018, Devcore Security Consulting discovered a buffer overflow vulnerability in the base64 decode function of the Exim message transfer agent. On March 06, 2018, Exim released a security advisory about the issue, confirming potential remote code execution that could be triggered by sending a handcrafted message. The issue has been fixed in version 4.90.1 of Exim and no alternative mitigation is known.",
    "url_title": "2018-006",
    "content_markdown": "---\ntitle: 'Remote Code Execution Vulnerability in\u00a0Exim'\nversion: '1.0'\nnumber: '2018-006'\ndate: 'March 07, 2018'\n---\n\n_History:_\n\n* _07/03/2018 --- v1.0: Initial publication_\n\n# Summary\n\nOn February 05, 2018, __Devcore Security Consulting__ discovered a buffer overflow vulnerability in the base64 decode function of the __Exim__ message transfer agent [1]. On March 06, 2018, Exim released a security advisory about the issue [2], confirming potential remote code execution that could be triggered by sending a handcrafted message. The issue has been fixed in version 4.90.1 of Exim and no alternative mitigation is known.\n\n# Technical Details\n\nThe vulnerability received the following CVE number: CVE-2018-6789 [3].\n\nThe vulnerability is due to a miscalculation of the decode buffer length in the base64 decode function of Exim. It can be exploited by sending an invalid base64 string to the function. If the string is larger than the buffer, Exim will consume more bytes than were allocated for the buffer, allowing critical data to be overwritten. As the bytes are controllable, the flaw may potentially be exploited for remote code execution.\n\n# Products Affected\n\nAll versions of __Exim before 4.90.1__ are affected by the vulnerability.\n\n# Recommendations\n\nAs there is no known mitigation for this vulnerability, it is highly recommended to update Exim to version 4.90.1.\n\n# References\n\n[1] <https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/>\n\n[2] <https://exim.org/static/doc/security/CVE-2018-6789.txt>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2018-6789>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/03/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 05, 2018, <strong>Devcore Security Consulting</strong> discovered a buffer overflow vulnerability in the base64 decode function of the <strong>Exim</strong> message transfer agent [1]. On March 06, 2018, Exim released a security advisory about the issue [2], confirming potential remote code execution that could be triggered by sending a handcrafted message. The issue has been fixed in version 4.90.1 of Exim and no alternative mitigation is known.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability received the following CVE number: CVE-2018-6789 [3].</p><p>The vulnerability is due to a miscalculation of the decode buffer length in the base64 decode function of Exim. It can be exploited by sending an invalid base64 string to the function. If the string is larger than the buffer, Exim will consume more bytes than were allocated for the buffer, allowing critical data to be overwritten. As the bytes are controllable, the flaw may potentially be exploited for remote code execution.</p><h2 id=\"products-affected\">Products Affected</h2><p>All versions of <strong>Exim before 4.90.1</strong> are affected by the vulnerability.</p><h2 id=\"recommendations\">Recommendations</h2><p>As there is no known mitigation for this vulnerability, it is highly recommended to update Exim to version 4.90.1.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/\">https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://exim.org/static/doc/security/CVE-2018-6789.txt\">https://exim.org/static/doc/security/CVE-2018-6789.txt</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2018-6789\">https://nvd.nist.gov/vuln/detail/CVE-2018-6789</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}