(Zero Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability - 20231002004

Overview

The WA SOC has observed a critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software that allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. This issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.

What is the vulnerability?

CVE-2023-42115 - CVSS v3 Base Score: 9.8

What is vulnerable?

The vulnerability affects all versions of Exim mail transfer agent (MTA) software.

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of within two weeks (refer Patch Management):

• Zero Day Innitiative ZDI-23-1469
• Bleeping Computer Nees exim mails servers zero day