CVE-2017-16944
Published: 2017-11-25
Priority: P2 · 64 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploit: available
EPSS: 63.32% (99.1st percentile)
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.89-13 (bookworm) | exim4 4.89-13 (bookworm) |
| exim | exim | — | — |
| exim | exim | — | — |
Detection & IOCs (extracted from sources)
- Detect the exploit pattern: a BDAT command followed by a lone '.' (dot-only chunk) and then another BDAT command in the same SMTP session. The '.' triggers an incorrect state transition in receive_getc/bdat_getc, leading to an infinite loop or stack exhaustion.
- Monitor Exim SMTP daemon processes for infinite loops or stack exhaustion (signal 11 / SIGSEGV core dump) following BDAT command sequences, which indicates exploitation of the bdat_getc infinite loop.
- Alert on Exim processes that persist and consume CPU after an SMTP connection is closed: a resource-based DoS indicator where the process enters an infinite loop without crashing.
- Flag SMTP sessions targeting Exim 4.88 or 4.89 that issue multiple BDAT commands with a lone '.' as the entire chunk body, as this is the specific trigger sequence for CVE-2017-16944.
- This vulnerability only affects Exim versions 4.88 and 4.89. Exim installations on other versions are not affected. Red Hat Enterprise Linux 5 ships a non-affected version.
- The vulnerability is exploitable only when the BDAT (CHUNKING) SMTP extension is in use. Deployments with CHUNKING disabled are not affected by this specific code path.
- Debian fixed this in exim package version 4.89-13 across all supported releases (bookworm, bullseye, forky, sid, trixie). Ensure the patched package is deployed.
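The session-level detection described in the list above, as an added example that is not part of any advisory on this page: it scans a plain-text SMTP transcript (client commands and server replies interleaved, one per line) for a BDAT whose chunk body is a lone '.' followed by another BDAT, and reports whether the banner names an affected Exim release. The two transcripts and the message id are constructed, not captured traffic.

```python
import re

# Constructed sample sessions (not captured traffic).
SUSPICIOUS_SESSION = """\
220 mx.example.test ESMTP Exim 4.89 Mon, 27 Nov 2017 16:58:20 +0800
EHLO client.example.test
250-mx.example.test Hello client.example.test
250-CHUNKING
250 HELP
BDAT 10
.
250- 10 byte chunk, total 0
250 OK id=CONSTRUCTED-ID
BDAT 10
"""

BENIGN_SESSION = """\
220 mx.example.test ESMTP Exim 4.92 Tue, 01 Oct 2019 10:00:00 +0000
EHLO client.example.test
250-mx.example.test Hello client.example.test
250 CHUNKING
BDAT 14 LAST
Subject: hi

250- 14 byte chunk, total 14
250 OK id=CONSTRUCTED-ID
"""

BANNER_RE = re.compile(r"^220 .*\bExim (\d+\.\d+)")
BDAT_RE = re.compile(r"^BDAT \d+( LAST)?$", re.IGNORECASE)
AFFECTED = {"4.88", "4.89"}  # releases named in the advisory


def assess_session(transcript):
    """Return (exim_version, affected, dot_only_bdats, flagged).

    flagged is True when some BDAT command's chunk body is a lone '.' and
    another BDAT follows later in the same session, the trigger sequence
    the detection notes describe for CVE-2017-16944."""
    lines = transcript.splitlines()
    version = next((m.group(1) for l in lines if (m := BANNER_RE.match(l))), None)
    bdat_idx = [i for i, l in enumerate(lines) if BDAT_RE.match(l)]
    # A dot-only chunk: the line right after BDAT is just "."
    dot_only = [i for i in bdat_idx if i + 1 < len(lines) and lines[i + 1].strip() == "."]
    flagged = any(j > i for i in dot_only for j in bdat_idx)
    return version, version in AFFECTED, len(dot_only), flagged
```

A version match alone is not a finding; the CHUNKING advertisement plus the dot-only BDAT sequence is what separates this from ordinary chunked delivery.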
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu
Exim vulnerability (vendor_ubuntu · 2017-11-29)
Title: Exim vulnerability
Summary: Exim could be made to crash if it received specially crafted network traffic.
It was discovered that Exim incorrectly handled certain BDAT data headers. A remote attacker could possibly use this issue to cause Exim to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: infinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands (vendor_redhat · 2017-11-24 · CVSS 7.5 · HIGH · CWE-835)
Package: exim (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2017-16944: exim4 (vendor_debian · 2017 · CVSS 7.5 · HIGH)
Scope: local
bookworm: resolved (fixed in 4.89-13)
bullseye: resolved (fixed in 4.89-13)
forky: resolved (fixed in 4.89-13)
sid: resolved (fixed in 4.89-13)
trixie: resolved (fixed in 4.89-13)
GHSA
GHSA-vpr2-5gxq-hjc6 (ghsa_unreviewed · 2022-05-13 · HIGH · CWE-835)
OSV
CVE-2017-16944 (osv · 2017-11-25 · CVSS 7.5 · HIGH)
No detection rules found.
HackerOne
Exim handles BDAT data incorrectly and leads to crash/hang (hackerone · 2019-11-12 · CVSS 9.8 · CVE-2017-16943 · CRITICAL)
## Original article is [here](https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/)
# Incorrect BDAT data handling leads to DoS
### Vulnerability Analysis
When receiving data with the BDAT command, an SMTP server should not consider a single dot `'.'` in a line to be the end of the message. However, we found that Exim does so in receive_msg when parsing the header, as in the following output:
```
220 devco.re ESMTP Exim 4.90devstart_213-7c6ec81-XX Mon, 27 Nov 2017 16:58:20 +0800
EHLO test
250-devco.re Hello root at test
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
MAIL FROM:
250 OK
RCPT TO:
250 Accepted
BDAT 10
.
250- 10 byte chunk, total 0
250 OK id=1eJFGW-000C
```
Bugzilla
CVE-2017-16943 CVE-2017-16944 exim: various flaws [epel-all] (bugzilla · 2017-11-27 · CVSS 9.8 · CVE-2017-16943 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. Wh
Bugzilla
CVE-2017-16944 exim: infinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands (bugzilla · 2017-11-27 · CVSS 7.5 · HIGH)
Upstream bug: https://bugs.exim.org/show_bug.cgi?id=2201
Discussion:
Created exim tracking bugs for this issue:
Affects: epel-all [bug 1517686]
Affects: fedora-all [bug 1517687]
Bugzilla
CVE-2017-16943 CVE-2017-16944 exim: various flaws [fedora-all] (bugzilla · 2017-11-27 · CVSS 9.8 · CVE-2017-16943 · CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
References
- http://openwall.com/lists/oss-security/2017/11/25/1
- http://openwall.com/lists/oss-security/2017/11/25/2
- http://openwall.com/lists/oss-security/2017/11/25/3
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.securitytracker.com/id/1039873
- https://bugs.exim.org/show_bug.cgi?id=2201
- https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
- https://www.debian.org/security/2017/dsa-4053
- https://www.exploit-db.com/exploits/43184/