Three critical vulnerabilities in Exim that allow remote code execution on the server

The Zero Day Initiative (ZDI) project has disclosed information about unpatched (0-day) vulnerabilities (CVE-2023-42115, CVE-2023-42116, CVE-2023-42117) in the Exim mail server that allow an attacker to execute arbitrary code remotely on the server with the privileges of the process that accepts connections on network port 25. No authentication is required to carry out the attack.

The first vulnerability (CVE-2023-42115) is caused by an error in the smtp service: data received from the user during the SMTP session is used to calculate a buffer size without proper checks. As a result, an attacker can achieve a controlled write of attacker-supplied data to a memory area beyond the boundary of the allocated buffer.

The second vulnerability (CVE-2023-42116) is present in the NTLM request handler and is caused by copying data received from the user into a fixed-size buffer without checking the size of the data being written.

The third vulnerability (CVE-2023-42117) is present in the smtp process that accepts connections on TCP port 25 and is caused by a lack of input validation, which can lead to user-supplied data being written to a memory area outside the allocated buffer.
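All three critical issues are variants of the same class: bytes or numbers that arrive from the network decide how much is written, but not into how much space. The following C snippet is an added, illustrative example and is not Exim's code; the buffer size, function names and inputs are constructed. It shows the unchecked fixed-buffer copy described for CVE-2023-42116 next to a bounded version, and a size calculation derived from untrusted numbers of the kind described for CVE-2023-42115, with the wrap-around check that such code needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size target buffer; the size is a constructed value,
 * not taken from Exim's sources. */
#define FIXED_BUF 64

/* The pattern described for CVE-2023-42116: bytes received from the peer are
 * copied into a fixed-size buffer without comparing their length to the
 * buffer size. Kept only to contrast with the bounded version below; with
 * len > FIXED_BUF it writes past the end of out. */
int copy_unchecked(char out[FIXED_BUF], const uint8_t *in, size_t len)
{
    memcpy(out, in, len);
    return 0;
}

/* Hardened form: refuse input that does not fit (including the terminating
 * NUL) instead of truncating or overrunning. */
int copy_bounded(char out[FIXED_BUF], const uint8_t *in, size_t len)
{
    if (in == NULL || len >= FIXED_BUF)
        return -1;                          /* reject oversized input */
    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}

/* The pattern described for CVE-2023-42115: a buffer size computed from
 * numbers the client supplied. If count * elem wraps around, the allocation
 * is small and the later write is large, so check for wrap-around first and
 * then apply an explicit policy limit. */
int sized_from_input(size_t count, size_t elem, size_t limit, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return -1;                          /* multiplication would wrap */
    size_t n = count * elem;
    if (n > limit)
        return -1;                          /* larger than policy allows */
    *out = n;
    return 0;
}

int main(void)
{
    char buf[FIXED_BUF];
    /* Constructed inputs: a short token and an oversized one. */
    const uint8_t token[] = "user@example.com";
    uint8_t oversized[200];
    memset(oversized, 'A', sizeof oversized);

    /* Both copies behave the same while the input fits... */
    copy_unchecked(buf, token, sizeof token - 1);
    printf("short token (bounded):    %d\n",
           copy_bounded(buf, token, sizeof token - 1));          /* 0 */
    /* ...but only the bounded one refuses the oversized token. */
    printf("oversized token (bounded): %d\n",
           copy_bounded(buf, oversized, sizeof oversized));      /* -1 */

    size_t n = 0;
    printf("size 10*16:                %d\n",
           sized_from_input(10, 16, 4096, &n));                  /* 0, n = 160 */
    printf("size SIZE_MAX*2:           %d\n",
           sized_from_input(SIZE_MAX, 2, 4096, &n));             /* -1 */
    return 0;
}
```

The two checks are deliberately placed before any memory is touched: the length comparison in `copy_bounded` returns an error rather than silently clipping the input, and `sized_from_input` tests for wrap-around with a division rather than by inspecting the product, since the product itself is the value that has already gone wrong.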

The vulnerabilities are marked as 0-day, i.e. they remain unfixed, but the ZDI report states that the Exim developers were notified of the problems in advance. The last change to the Exim codebase was made two days ago, and it is not yet clear when the problems will be fixed (distribution vendors have not yet had time to react, since the information was disclosed, without details, several hours ago). Exim developers are currently preparing the release of a new version, 4.97, but there is no exact information about its publication date yet. The only mitigation currently mentioned is restricting access to the Exim-based SMTP service.

In addition to the above-mentioned critical vulnerabilities, information has also been disclosed about several less dangerous problems:

  • CVE-2023-42118 is an integer overflow in the libspf2 library when parsing SPF macros. The vulnerability allows remote corruption of memory contents and could potentially be used to achieve code execution on the server.
  • CVE-2023-42114 is an out-of-bounds read in the NTLM handler. The issue may result in leaking memory contents of the process servicing network requests.
  • CVE-2023-42119 is a vulnerability in the dnsdb handler that leads to a memory leak in the smtp process.

Source: opennet.ru