A critical vulnerability affects millions of email servers. A fix has been released, but the flaw affects more than half of the Internet's email servers, and patching all of them will take a couple of days.
The vulnerability affects Exim, a mail transfer agent (MTA), the software that runs on email servers and relays email from senders to recipients. According to a survey conducted in March 2018, 56% of all of the Internet's email servers run Exim, with over 6,336,687 Exim servers reachable online at the time.
A Taiwanese security researcher named Meh Chang discovered the bug and reported it to the Exim team on February 2. The Exim team released Exim 4.90.1 on February 10, which fixes the RCE issue.
The bug, tracked as CVE-2018-6789, is categorized as a "pre-auth remote code execution" flaw, meaning an attacker could trick the Exim email server into running malicious commands without first authenticating to the server.
The actual bug is a one-byte buffer overflow in Exim's base64 decode function, and it affects all Exim versions ever released. Chang described the bug in a blog post published earlier today, detailing the basic steps for exploiting Exim's SMTP daemon.
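To illustrate the bug class the article describes (a base64 decoder whose output buffer can end up one byte short for certain input lengths), here is an added example in C that is not Exim's code: a worst-case size bound that accounts for unpadded inputs of length 4n+2 and 4n+3, and a decoder that refuses to write when the caller's buffer is smaller than that bound. The "multiple of four" sizing mentioned in the comments is an illustrative naive formula, not a quotation of any project's source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Upper bound on bytes a lenient (padding-optional) base64 decoder can emit
 * for `len` input characters, excluding any terminating NUL. A length of
 * 4n+1 cannot occur in valid base64 and yields 0. */
size_t b64_max_decoded(size_t len)
{
    size_t full = (len / 4) * 3;
    switch (len % 4) {
    case 2:  return full + 1;  /* two chars -> one byte */
    case 3:  return full + 2;  /* three chars -> two bytes; a buffer sized as
                                  if len were a multiple of four (plus one
                                  for NUL) is one byte short here */
    case 1:  return 0;         /* malformed */
    default: return full;
    }
}

static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `in` (padding optional) into `out`, never writing past `outcap`
 * bytes. Returns bytes written, or -1 on malformed input or when `outcap`
 * is smaller than the worst-case size computed before any write. */
long b64_decode_checked(const char *in, unsigned char *out, size_t outcap)
{
    size_t len = strlen(in);
    while (len > 0 && in[len - 1] == '=') len--;   /* strip padding */
    if (len % 4 == 1 || b64_max_decoded(len) > outcap) return -1;

    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;               /* keep only leftover bits */
        }
    }
    return (long)n;
}

/* Check helper: decode `in` into a `cap`-byte buffer and compare with `expect`;
 * returns 1 on an exact match, 0 on mismatch or when the decoder refuses. */
int b64_decodes_to(const char *in, size_t cap, const char *expect)
{
    unsigned char buf[64];
    if (cap > sizeof buf) return 0;
    long n = b64_decode_checked(in, buf, cap);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}
```

With the constructed input "QUJDREU" (seven characters, "ABCDE" without padding) the bound is five bytes, so a four-byte buffer is rejected instead of being overrun by one byte.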
In a security advisory, the Exim team publicly acknowledged the issue. "Currently we're unsure about the severity, we believe, an exploit is difficult. A mitigation isn't known," the Exim team said.
Since Exim 4.90.1's release, updated Exim packages have trickled down to the Linux distros used primarily in data centers, but the number of unpatched systems still online remains unknown. Given that Exim is by far the most popular mail agent, CVE-2018-6789 opens a large attack surface, and Exim server owners should deploy the Exim 4.90.1 update as soon as possible.
At the time of writing, there is no public exploit code for taking advantage of vulnerable Exim servers, but this will likely change in the days following Chang's blog post.