CVE-2012-5671
published 2012-10-31
Priority P272 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 8.38% (94.3th percentile)
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.80-5.1 (bookworm) | exim4 4.80-5.1 (bookworm) |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
| exim | exim | — | — |
Detection & IOCs
- Vulnerable function is `dkim_exim_query_dns_txt` in `dkim.c`; heap-based buffer overflow triggered via malicious DNS TXT record response during DKIM verification
- Exploitation requires DKIM support to be enabled AND `acl_smtp_connect` and `acl_smtp_rcpt` NOT set to `warn control = dkim_disable_verify` — audit Exim configs for this unsafe state
- Attack vector is a malicious/rogue DNS server returning a crafted TXT record in response to Exim's DKIM DNS query — monitor for anomalous DNS TXT responses to mail server DNS resolvers
- Vulnerability is only exploitable when DKIM support is compiled/enabled in Exim AND neither `acl_smtp_connect` nor `acl_smtp_rcpt` contain `warn control = dkim_disable_verify` — systems with this ACL directive set are not exploitable
- Exim 4.63 (as shipped with Red Hat Enterprise Linux 5) does not contain the vulnerable DKIM code and is not affected
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
vulncheck · 6.8 MEDIUM
vendor_debian · 6.8 MEDIUM
vendor_redhat · 6.8 MEDIUM
Ubuntu
Exim vulnerability
vendor_ubuntu·2012-10-26
CVE-2012-5671 Exim vulnerability
Title: Exim vulnerability
Summary: Exim could be made to run programs if it received specially crafted network
traffic.
It was discovered that Exim incorrectly handled DKIM DNS decoding. This
flaw could allow a remote attacker to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: Heap-buffer overflow in DNS decode logic used for DKIM
vendor_redhat·2012-10-26·CVSS 6.8
CVE-2012-5671 [MEDIUM] CWE-122 exim: Heap-buffer overflow in DNS decode logic used for DKIM
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
Statement: Not Vulnerable. This issue does not affect the version of exim as shipped with Red Hat Enterprise Linux 5.
Package: exim (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2012-5671: exim4 - Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in ...
vendor_debian·2012·CVSS 6.8
CVE-2012-5671 [MEDIUM] CVE-2012-5671: exim4 - Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in ...
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
Scope: local
bookworm: resolved (fixed in 4.80-5.1)
bullseye: resolved (fixed in 4.80-5.1)
forky: resolved (fixed in 4.80-5.1)
sid: resolved (fixed in 4.80-5.1)
trixie: resolved (fixed in 4.80-5.1)
GHSA
GHSA-9mj7-g6p8-v73f: Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim
ghsa_unreviewed·2022-05-17
CVE-2012-5671 [MEDIUM] CWE-119 GHSA-9mj7-g6p8-v73f: Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
OSV
CVE-2012-5671: Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim
osv·2012-10-31·CVSS 6.8
CVE-2012-5671 [MEDIUM] CVE-2012-5671: Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
VulnCheck
Exim Exim Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2012·CVSS 6.8
CVE-2012-5671 [MEDIUM] Exim Exim Improper Restriction of Operations within the Bounds of a Memory Buffer
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.
Affected: Exim Exim
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM [fedora-all]
bugzilla·2012-10-26·CVSS 6.8
CVE-2012-5671 [MEDIUM] CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this
Bugzilla
CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM [epel-6]
bugzilla·2012-10-26·CVSS 6.8
CVE-2012-5671 [MEDIUM] CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking
Bugzilla
CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM
bugzilla·2012-10-25·CVSS 6.8
CVE-2012-5671 [MEDIUM] CVE-2012-5671 exim: Heap-buffer overflow in DNS decode logic used for DKIM
A heap-buffer overflow was found in the DKIM DNS decode logic, used by exim. A remote attacker could use this flaw to execute arbitrary code on the mail server running Exim.
This is fixed in version 4.80.1
Discussion:
Created attachment 633222
dkim-dns-buffer-overflow-protection-patch
---
Support for DKIM (DomainKeys Identified Mail) in exim was introduced in version 4.70. Also version 4.69 had experimental support. More details available at:
http://wiki.exim.org/DKIM
Red Hat Enterprise Linux 5 ships version exim-4.63, which does not contain the vulnerable DKIM code. Hence the version of exim shipped with Red Hat Enterprise Linux 5 is not vulnerable to this issue.
---
Statement:
Not Vulnerable. This issu
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091664.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090900.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090963.html
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00018.html
- http://osvdb.org/86616
- http://secunia.com/advisories/51098
- http://secunia.com/advisories/51115
- http://secunia.com/advisories/51153
- http://secunia.com/advisories/51155
- http://www.debian.org/security/2012/dsa-2566
- http://www.openwall.com/lists/oss-security/2012/10/26/5
- http://www.securityfocus.com/bid/56285
- http://www.ubuntu.com/usn/USN-1618-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79615
- https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html