CVE-2017-16943
published 2017-11-25

Priority: P264 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 46.71% (98.7th percentile)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

Affected (4 ranges)

Vendor    Product        Version range                  Fixed in
debian    debian_linux
debian    exim4          < exim4 4.89-12 (bookworm)     exim4 4.89-12 (bookworm)
exim      exim
exim      exim

Detection & IOCs (extracted from sources)

command: BDAT
command: EHLO test
command: MAIL FROM:<>
command: BDAT 1
  • Detect exploitation attempts by monitoring for BDAT/CHUNKING SMTP commands followed by malformed or oversized header data on port 25. The PoC sends a long string ('a'*0x1250 or 'a'*0x1280) with a trailing unprintable character (0x7f) before issuing BDAT to trigger the use-after-free.
  • Alert on SMTP sessions that send a BDAT command immediately followed by another BDAT command with a 0x7f byte prefix (e.g., ':BDAT \x7f'), which is the pattern used to trigger the store_get allocation that causes the use-after-free.
  • Monitor for Exim processes where receive_getc is redirected to bdat_getc (CHUNKING extension active) and unusually large header allocations occur, indicative of heap manipulation via the store_get/store_release use-after-free path in receive_msg (receive.c:1817).
  • Detect exploitation of default-configured Exim by watching for a session that sends a large DATA payload (e.g., 'b'*0x4000) followed by a new MAIL FROM and then BDAT commands — the two-phase heap grooming technique used in the default-config PoC.
  • Flag Exim SMTP sessions where the ESMTP CHUNKING extension (BDAT verb) is used and the session involves manipulation of __free_hook or _IO_2_1_stdout_ memory regions, which are targeted in the RCE exploitation chain.
  • Mitigation: Disable ESMTP CHUNKING advertisement in Exim's main configuration to make the BDAT verb unavailable and prevent exploitation. Set 'chunking_advertise_hosts =' (empty value) in the main section of the Exim configuration.
  • The vulnerability affects Exim 4.88 and 4.89 only. The PoC for DKIM-enabled configurations is less complex; the default-configuration exploit requires additional heap grooming steps (DATA command with large payload, then restart with BDAT).
  • Ubuntu notes that default compiler options for affected releases reduce the vulnerability impact to denial of service rather than code execution.
  • Fixed in Exim Debian package version 4.89-12 across bookworm, bullseye, forky, sid, and trixie.
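As an added defender-side example (not code from this page's sources or from the Exim project), a small Python scanner that applies the session patterns listed above to one SMTP client session, as a proxy log or packet capture would yield it; the thresholds LONG_LINE and BIG_DATA, the label names and the sample session are assumptions.

```python
from typing import List

LONG_LINE = 0x1000   # assumed threshold for an "oversized" header line
BIG_DATA = 0x2000    # assumed threshold for a "large DATA payload"


def _unprintable(line: bytes) -> bool:
    """True if the line carries a byte outside printable ASCII (e.g. 0x7f)."""
    return any(b < 0x20 or b > 0x7e for b in line)


def scan_session(lines: List[bytes]) -> List[str]:
    """Sorted detection labels for one client session (CRLF stripped); DATA
    body lines count as payload, everything else is scanned as a command."""
    hits = set()
    in_data, data_bytes = False, 0
    big_data_seen = False          # phase one of the default-config grooming
    restart_seen = False           # MAIL FROM issued after that large DATA
    long_unprintable_seen = False  # e.g. 'a'*0x1250 + 0x7f before BDAT
    for i, line in enumerate(lines):
        if in_data:
            if line == b".":
                in_data = False
                big_data_seen = big_data_seen or data_bytes >= BIG_DATA
            else:
                data_bytes += len(line)
            continue
        verb = line.split(b" ", 1)[0].upper()
        if len(line) >= LONG_LINE and _unprintable(line):
            long_unprintable_seen = True
        if verb == b"DATA":
            in_data, data_bytes = True, 0
        elif verb == b"MAIL" and big_data_seen:
            restart_seen = True
        elif verb == b"BDAT":
            hits.add("chunking_used")
            if long_unprintable_seen:
                hits.add("oversized_unprintable_line_before_bdat")
            if big_data_seen and restart_seen:
                hits.add("data_then_mail_then_bdat")
            nxt = lines[i + 1] if i + 1 < len(lines) else b""
            if b"\x7f" in nxt and b"BDAT" in nxt.upper():
                hits.add("bdat_then_bdat_with_0x7f")
    return sorted(hits)


# Constructed client session shaped like the sequence the bullets describe.
SAMPLE = [b"EHLO test", b"MAIL FROM:<>", b"DATA", b"b" * 0x4000, b".",
          b"MAIL FROM:<>", b"BDAT 1", b":BDAT \x7f",
          b"a" * 0x1250 + b"\x7f", b"BDAT 1"]
```

"chunking_used" on its own is informational, since CHUNKING is a legitimate extension; the other labels are the ones worth alerting on.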

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_redhat             9.8     CRITICAL