HELO, Is It Me You’re Exploiting For?

October 1, 2019

Another month, another pre-auth RCE in Exim, an open source mail server for Unix systems. This time, it’s CVE-2019-16928, a heap-based buffer overflow reported this weekend.

Why it matters: If you heard about the other Exim bug from mid-September, you probably did the smart thing and patched to the latest version (4.92+). Regrettably, this new vuln was only introduced in 4.92 (from earlier this year), so most Exim installations will be vulnerable to this bug. Sad trombone noise.

Oopsie: The buffer overflow is in the function string_vformat(), which formats strings and checks their lengths. If one of those strings is too long, then it can lead to an overflow. Indeed, the known exploit uses an “extraordinarily long” extended HELO (EHLO) string to crash the Exim process. EHLO is an extended SMTP command used to identify an email server that is trying to say hello to another email server. This is how sending an email starts. 

The bottom line: This is basically a super embarrassing bug that realistically doesn’t pose much risk. There are patches out for Debian, Fedora, and Ubuntu already, and no exploit publicly available as of yet — so you don’t really need to hit the panic button. Upgrade Exim again (to 4.92.3) and hope they didn’t accidentally introduce another RCE this time. Or maybe consider using a mail server that doesn’t have a remotely exploitable vulnerability every few months.

For Capsule8 customers, you’re covered already by our memory corruption-related detection strategies, though ask your rep about our Exim execution whitelist, too.

The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.