Exim upgrade to 4.92.3 needed for multiple CVEs

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Fri Oct 4 08:16:00 GMT 2019

On 2019-09-20 11:10, Brian Inglis wrote:
> Exim official upgrade to 4.92.2 urgently needed to include patch for published CVE:
> https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/
> https://exim.org/static/doc/security/CVE-2019-15846.txt

Since the "current" 4.86 release in 2015-10, another CVE, another upgrade required:

Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability
than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in
string.c involving a long EHLO command.

Also earlier this year:

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via
a trailing backslash.

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in
some unusual configurations that use the ${sort} expansion for items that can be
controlled by an attacker (e.g., $local_part or $domain).

A flaw was found in the way exim validated recipient addresses. A remote
attacker could use this flaw to execute arbitrary commands on the exim server
with the permissions of the user running the application.

and last:

An issue was discovered in the base64d function in the SMTP listener in Exim
before 4.90.1. By sending a handcrafted message, a buffer overflow may happen.
This can be used to execute code remotely.
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to cause a denial of service (infinite loop and stack
exhaustion) via vectors involving BDAT commands and an improper check for a '.'
character signifying the end of the content, related to the bdat_getc function.

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to execute arbitrary code or cause a denial of service
(use-after-free) via vectors involving BDAT commands.

If you are running Exim 4.88 or newer, then in the main section of your Exim
configuration, set:

chunking_advertise_hosts =

This disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

Exim supports the use of multiple "-p" command line arguments which are
malloc()'ed and never free()'ed, used in conjunction with other issues allows
attackers to cause arbitrary code execution. This affects exim version 4.89 and
earlier. Please note that at this time upstream has released a patch, but it is
not known if a new point release is available that addresses this issue at this
Exim itself is not vulnerable to privilege escalation, but this particular flaw
in exim can be used by the stackguard vulnerability
(https://access.redhat.com/security/vulnerabilities/stackguard) to achieve
privilege escalation.

It was found that Exim leaked DKIM signing private keys to the "mainlog" log
file. As a result, an attacker with access to system log files could potentially
access these leaked DKIM private keys.

Exim before 4.86.2, when installed setuid root, allows local users to gain
privileges via the perl_startup argument.

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
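The CHUNKING mitigation above (an empty chunking_advertise_hosts) can be verified from the outside by looking at what the server advertises in its EHLO reply. The following is an added example, not part of the original post or of Exim; the hostnames, IP and reply text are constructed, and because chunking_advertise_hosts is a host list, a live check only reports what is advertised to the host the check runs from.

```python
import smtplib
import sys

# Constructed EHLO reply bodies in the shape smtplib.SMTP.ehlo() returns as
# its second element: greeting line first, then one extension per line.
SAMPLE_EHLO_WITH_CHUNKING = (
    b"mail.example.test Hello client.example.test [192.0.2.10]\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"PIPELINING\n"
    b"CHUNKING\n"
    b"STARTTLS\n"
    b"HELP"
)
SAMPLE_EHLO_WITHOUT_CHUNKING = (
    b"mail.example.test Hello client.example.test [192.0.2.10]\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"PIPELINING\n"
    b"STARTTLS\n"
    b"HELP"
)

def parse_ehlo_extensions(ehlo_message: bytes) -> dict:
    """Map EXTENSION keyword -> parameter string from an EHLO reply body.

    The first line is the server greeting and is skipped; keywords are
    case-insensitive per RFC 5321, so they are normalised to upper case.
    """
    extensions = {}
    for line in ehlo_message.decode("ascii", errors="replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            extensions[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return extensions

def advertises_chunking(ehlo_message: bytes) -> bool:
    """True when CHUNKING (and so the BDAT verb) is offered to this client."""
    return "CHUNKING" in parse_ehlo_extensions(ehlo_message)

def check_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect, send EHLO and report whether CHUNKING is still advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo("verifier.example.test")  # constructed name
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}: {message!r}")
        return advertises_chunking(message)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("CHUNKING advertised:", check_server(sys.argv[1]))
    else:
        print("sample advertises CHUNKING:", advertises_chunking(SAMPLE_EHLO_WITH_CHUNKING))
```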