Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent. The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at potential risk to remote code execution-style attacks. Fortunately a patched version (Exim version 4.90.1) is already available. The bug …

  1. Voland's right hand Silver badge

    That has been fixed in Debian quite a while back

    https://www.debian.org/security/2018/dsa-4110

    I remember updating after seeing the Bugtraq posting.

    This time El Reg is a bit late to the party, everyone has gone home already to sober up.

    Additionally, the article is incorrect. Reading the POC exploit you need to have AUTH enabled. While you do not need to AUTH successfully, the server in question should be set to authenticate users. That somewhat limits the scope as "pure" mail relays would not be affected.
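The comment above frames the exposure as two preconditions: an Exim older than the fixed 4.90.1 release, and a server that offers AUTH. As an added example (not from the article or any commenter), here is a small inventory check that parses an SMTP banner and EHLO reply for exactly those two signals; the banner and EHLO text are constructed samples, and the hostnames and addresses in them are placeholders.

```python
import re

# Constructed sample SMTP dialogue fragments (placeholders, not a real host).
BANNER = "220 mail.example.test ESMTP Exim 4.89 Mon, 12 Feb 2018 10:00:00 +0000"
EHLO_REPLY = """250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""

FIXED_VERSION = (4, 90, 1)  # Exim 4.90.1 is the patched release named in the article


def parse_exim_version(banner):
    """Return the Exim version from a 220 banner as a tuple, or None if not Exim.

    Note: a site may suppress the version in its banner, so None only means
    'not visible here', not 'not Exim'.
    """
    m = re.search(r"\bExim (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def advertises_auth(ehlo_reply):
    """True if any 250 capability line of the EHLO reply is an AUTH offer."""
    for line in ehlo_reply.splitlines():
        # Capability lines look like "250-AUTH PLAIN LOGIN" or "250 AUTH ..."
        is_cap = line[:3] == "250" and line[3:4] in ("-", " ")
        body = line[4:].upper() if is_cap else ""
        if body == "AUTH" or body.startswith("AUTH "):
            return True
    return False


def assess(banner, ehlo_reply):
    """Combine the two preconditions into a short assessment for a server."""
    version = parse_exim_version(banner)
    unpatched = version is not None and version < FIXED_VERSION
    auth = advertises_auth(ehlo_reply)
    return {
        "version": version,
        "unpatched": unpatched,
        "auth_advertised": auth,
        "needs_attention": unpatched and auth,
    }
```

A server reporting 4.90 (no patch digit) compares as (4, 90, 0) and is still flagged, which matches the article's statement that all versions before 4.90.1 are affected.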

    1. bombastic bob Silver badge

      Re: That has been fixed in Debian quite a while back

      I first thought of Debian since they switched to Exim as the default mailer a while back.

      Glad to know it's already patched. Still worth an article, even "late to the party"

  2. Alan J. Wylie

    The bug was reported to the Exim team on Monday

    The bug was reported to the Exim maintainers on the 5th February, then under an NDA to distros and cloud services. What has just happened is that Mel has released more (but not full) details. There's no public POC either.

    There was a bit of a panic when one distro broke the embargo and the patch became public a few days early, on a Friday of all days in the week.

  3. Redbaron

    Thanks for the sudden panic!

    Then I realised I'd updated for this on Feb 11th...

  4. Herby

    There are alternatives...

    Postfix comes to mind. Of course sendmail doesn't.

    All of this comes to "pick your poison".

    Mail IS difficult, and is best left to what some call "experts".

    1. Mike Pellatt

      Re: There are alternatives...

      Depends on your use case. If you need to do some serious conditional processing based on headers, postfix just doesn't deliver (sic). As an exim guy needing to do this in an existing postfix installation, I tried, believe me. I really did try. Swapping MTAs in a live environment is not for the faint-hearted.

      1. teknopaul Silver badge

        Re: There are alternatives...

        You sound informed, what's the current recommendation for a mail server in Linux? Simple, low volume, low resource usage are a priority.

        1. alain williams Silver badge

          Re: There are alternatives...

          Exim is still good for that.

        2. PyLETS

          @teknopaul: Current recommendation

          I'd start with Postfix if you've never managed an MTA before. Simple doesn't seem to be a possibility in this space, but Postfix is relatively easy to set up if you just want to receive and relay for local mailboxes and handle transactional email from local webapps. If your human users want IMAP/POP3 you probably want Dovecot also.

        3. CrazyOldCatMan Silver badge

          Re: There are alternatives...

          Simple, low volume, low resource usage are a priority

          Postfix or qmail.

          If you want to run email mailing lists, qmail+ezmlm-idx

          1. Nate Amsden

            Re: There are alternatives...

            qmail, wow.. haven't come across that since 2001. I guess qmail's got at least one thing going for it, it's pretty stable (as in not many changes). Looking at Debian's changelog there seem to be half a dozen changes to the qmail package in the past 8 years.

            Myself I switched from Sendmail to Postfix maybe in 2001 or maybe early 2002 (last time I ran internal email for an employer at the time, set up using McAfee and Sophos AV). I don't recall a specific driving factor though postfix is generally easier to configure for my use cases. I haven't really had a need to look at exim or others since. I don't have fancy setups though and mail volume is low.

      2. PyLETS

        @Mike Pellatt - Re: There are alternatives...

        I do conditional post-processing on headers using Postfix as my MTA using entirely separate programs executed using the /etc/aliases mechanism. If I wanted to do selective processing pre queuing, I'd probably use the Postfix Milter interface for this. Better in my view to modularise what you need to do into different programs, but the usual stuff lots of other sites want including CLAM-AV and DKIM seems reasonably straightforward (compared to Sendmail) to integrate.

    2. CrazyOldCatMan Silver badge

      Re: There are alternatives...

      Postfix comes to mind. Of course sendmail doesn't.

      Nowt wrong with sendmail. I didn't lose copious SAN when trying to herd it back in the day..

      Anyway - need to go. The purple elephant wants a chat. Something about some frog pills..

      (In real life at home I mostly use qmail. A tad user-hostile but, compared to sendmail, a miracle of usability and functionality..)
