The remote root hole in exim4 is painful

Sunday, 12 December 2010

Recently I noticed a report of an alleged remote root security compromise of a machine, via the exim mailserver.

At the time I wasn't sure how seriously to take it, but I followed updates on the thread and it soon became clear that there was a major problem on our hands.

It later became obvious that there were two problems:

CVE-2010-4344

A remote buffer overflow, allowing the execution of arbitrary code as the user Debian-exim.

CVE-2010-4345

A privilege escalation allowing the attacker to jump from running code as Debian-exim to running code as root.

Trivial exploits are floating around the internet - and we were seeing this bug being exploited in the wild as early as yesterday afternoon.

Although I can feel somewhat smug that my own personal server is running qpsmtpd ahead of exim, it's still a wake-up call, and this hole has the potential to significantly expand available botnets - it is probably only a matter of hours until we see worms taking advantage of the flaw.

ObPlug: I've put together an updated version of exim4 for etch - if you're still running etch then you don't have any official security support (timely upgrading is obviously preferred) and it might be useful to have more folk pointed at that.

ObQuote: "We're all going to die down here" - Resident Evil.


 

Comments On This Entry

Iain

Submitted at 11:56:09 on 12 December 2010

> ObPlug: I've put together an updated version of exim4 for etch

You are a gentleman, sir, and a scholar.

Tim Dobson

Submitted at 12:33:03 on 12 December 2010

Oh, this does look like fun! :P

niq

Submitted at 13:08:57 on 12 December 2010

Last time I looked at mailservers with an open mind I dismissed exim because it involved running a 'net-facing daemon as a privileged user. Qmail and later postfix had demonstrated that we can do better!

Do I take it nothing significant has changed?

[author] Steve Kemp

Submitted at 13:23:32 on 12 December 2010

Iain - I'm just glad if it helps.

Tim - Get to work!

Niq - Exim4 is still monolithic, and the same as it was years ago. But here is not really the place to debate about which MTA is best.

@ndy

Submitted at 16:42:00 on 12 December 2010

Hi,

Thanks ever so much for this.

@

Fredrik

Submitted at 19:42:22 on 12 December 2010

Thanks for updated exim etch package.

Matthew W.S. Bell

Submitted at 00:29:17 on 13 December 2010

Affects <4.70.

 
