Menu

Ready to Get
Started?

Request a Demo or

Another Critical Exim Flaw, and How to Determine if You’re Affected

Exim, the widely used, open-source mail transfer agent (MTA), released an urgent security update regarding Exim versions, up to and including 4.92.2.  The vulnerability (CVE-2019-16928) is a heap-based buffer overflow (memory corruption) issue in string_vformat defined in string.c file of the EHLO Command Handler component, allowing hackers to trigger a denial of service on a targeted Exim server using a specifically crafted line in the EHLO command.  According to Exim, there is a known PoC exploit for this vulnerability, which allows them to crash the Exim process.

What’s the Risk?

Much like the Exim vulnerability we wrote about just 3 weeks ago on Sept 9, this vulnerability allows attackers to remotely run malicious code with root privileges on the server. And like the Sept 9 CVE, since this level of access carries a massive risk and is likely to be exploited in short order, it was also given a 9.8 out of 10 on the CVE critical rating scale. 

Once the mail server is compromised, hackers can go on to access everything else on the server, too - including certificates, databases, and credentials.  This means that servers hosting multiple domains are more attractive targets. We took a look at about 2 million servers, and broke down the range of domains hosted to find that 26,553 servers host over 5 domains and 4,542 servers host over 25 domains:

Domains Hosted

Total

Less than 5

3,753,944

5 - 25

22,011

25 - 50

4,344

50 - 75

71

75 - 100

125

Greater than 100

2

Total

3,780,497

Searching Censys for your affected servers

We searched the entire Internet to find all exposed Exim servers affected by this vulnerability. Specifically, we hunted for any servers running version 4.92.2 or earlier versions, which are affected by the CVE. Using our web search UI, you can use the following query (adding your domain name in the 2 placeholder spots) to determine what version you’re running:

Query:

https://censys.io/ipv4?q=%28465.smtp.tls.metadata.product%3A+exim+OR+587.smtp.starttls.metadata.product%3A+exim%29+AND+%28465.smtp.tls.tls.certificate.parsed.names%3A+%3CINSERT+DOMAIN+HERE%3E+OR+587.smtp.starttls.tls.certificate.parsed.names%3A+%3CINSERT+DOMAIN+HERE%3E%29

Censys Web Search UI:

Exim highly recommends that server administrators install the latest Exim 4.92.3 version as soon as possible, since there is no known mitigation to temporarily resolve this issue.



Stay up to date

To get regular news about product updates, user guides, and security tips, send us your email. You can unsubscribe at any time.

Ready to Get Started?

Get a real-time view of all your organization's assets so you can proactively prevent threats.