CVE-2019-15846: Exim Mail Transfer Agent Vulnerable to Buffer Overflow Attack

By Jarren Buendia on December 6, 2019

Introduction

The Exim mail transfer agent (MTA), or mail server, is an open source service used on Unix-like operating systems. Exim can be used as a substitute for common mail services such as Gmail and Yahoo, especially by users who want to run and customize their own. Because the Simple Mail Transfer Protocol (SMTP) is inherently insecure and sends information in cleartext, RFC 3207 describes how SMTP uses TLS to encrypt the information flow. The Transport Layer Security (TLS) mechanism encrypts data in a way that is similar to how TCP handshakes handle data integrity.

According to IBM’s overview of the TLS handshake, the client starts by sending a STARTTLS command to the server. The server then responds in one of three ways: it agrees to start the TLS negotiation, it reports that the command was malformed, or it reports that TLS is temporarily unavailable. During the negotiation itself, the client sends its “hello” information to the server, and the server responds with its own list of information. Among the information the server sends back is its digital certificate, which the client verifies. If the server requires the client to present a verifiable certificate of its own, the server also issues a client certificate request stating which Distinguished Names (DN) it supports. From here, the private encryption key is processed, the client’s certificate is either verified or waived, and the TLS secure connection is established.

It is here, however, that the vulnerability lies. During the TLS handshake, two key pieces of information can be passed along: Distinguished Names (DN) and Server Name Indication (SNI). A DN uniquely identifies an entity and carries a set of attributes that are important for authentication under the X.509 certificate standard. SNI, according to RFC 6066, is an optional TLS extension that allows multiple hostnames to be served over HTTPS from the same IP address. Because TLS itself does not provide a way for a client to tell a server which server it is trying to contact, it is useful for clients to provide this information when establishing secure connections to servers that host multiple virtual servers under the same network address.

Vulnerability

During the TLS handshake, Exim does not handle DN and SNI information properly, which can lead to a buffer overflow via specially crafted SNI data. In the default runtime configuration, an attacker alters the SNI data to include a trailing backslash-null sequence. If successful, the attacker is able to execute arbitrary code with admin/root privileges, bypassing any authentication.
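To make the trailing-backslash handling concrete, here is an added, constructed illustration of the bug class (it is not Exim’s string_interpret_escape() and is not taken from the advisory): a small backslash-escape decoder that consumes the NUL terminator when the input ends in a backslash, placed next to a hardened version that stops at the terminator. The SNI-like value and the padded buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CVE-2019-15846 bug class (not Exim's code).
 * Both decoders return the number of input bytes consumed, so a caller can
 * compare it with strlen(in). The escaped byte is copied literally; real
 * decoders translate sequences such as \n, which does not change the bug. */
static size_t unescape_unsafe(const char *in, char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (in[i] != '\0' && o + 1 < out_cap) {
        char ch = in[i++];
        if (ch == '\\')
            ch = in[i++];   /* bug: in[i] may be the terminator itself */
        out[o++] = ch;
    }
    out[o] = '\0';
    return i;   /* > strlen(in) means the terminator was stepped over */
}

/* Hardened: a backslash with nothing after it is kept literally. */
static size_t unescape_safe(const char *in, char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (in[i] != '\0' && o + 1 < out_cap) {
        char ch = in[i++];
        if (ch == '\\' && in[i] != '\0')
            ch = in[i++];
        out[o++] = ch;
    }
    out[o] = '\0';
    return i;
}

/* Returns 1 if `decode` read past the terminator of a constructed SNI-like
 * value ending in a backslash. The buffer is zero padded so the over-read
 * stays inside it here; on a real heap allocation it reads what follows. */
static int overruns_terminator(size_t (*decode)(const char *, char *, size_t))
{
    char padded[32] = "mail.example\\";   /* constructed sample value */
    char out[32];
    return decode(padded, out, sizeof out) > strlen(padded);
}

int main(void)
{
    printf("unsafe overruns terminator: %d\n", overruns_terminator(unescape_unsafe));
    printf("safe overruns terminator:   %d\n", overruns_terminator(unescape_safe));
    return 0;
}
```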

Impact

According to Exim’s vendor advisory about this issue, any Exim server that accepts TLS connections is vulnerable, regardless of which TLS library is in use (GnuTLS or OpenSSL). All versions of Exim up to, but excluding, version 4.92.2 are affected. Versions 4.92.1 and earlier are susceptible to buffer overflow attacks, which allow an attacker to do virtually anything on your system, because the bad actor gains the same access that you have, or possibly higher. This is a critical issue, and the consequences can grow well beyond the mail server itself.

Mitigation

Exim has addressed this issue in version 4.92.2 of their MTA. It is crucial to update your Exim service to this version as soon as possible. Exim also stated that another mitigation option is to not offer TLS on your server. However, this is not advised, as SMTP without TLS allows anyone monitoring the connection to read the information without needing to decrypt it.

References

“An overview of the SSL or TLS handshake.” Retrieved from: ibm.com/support. 09 Sept 2019.

“CVE-2019-15846 Detail.” Retrieved from: nvd.nist.gov/vuln. 09 Sept 2019.

“CVE ID: CVE-2019-15846.” Retrieved from: exim.org. 09 Sept 2019.

“Distinguished Names.” Retrieved from: ibm.com/support. 09 Sept 2019.

“Exim fails to properly handle trailing backslashes in string_interpret_escape().” Retrieved from: kb.cert.org. 09 Sept 2019.

“Transport Layer Security (TLS) Extensions: Extension Definitions.” Retrieved from: tools.ietf.org. 09 Sept 2019.