cbcvebase.
CVE-2023-42115
published 2024-05-03


Priority: P273
Severity: critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 10.04% (95.0th percentile)
Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17434.

Affected (3 ranges)

Vendor   Product  Version range                          Fixed in
debian   exim4    < exim4 4.96-15+deb12u2 (bookworm)     exim4 4.96-15+deb12u2 (bookworm)
exim     exim     < 4.96.1                               4.96.1
exim     exim     (not specified)                        (not specified)

Detection & IOCs (extracted from sources)

Snort/Suricata rule:
alert smtp any any -> $HOME_NET any (msg:"ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-42115)"; flow:established; flowbits:isset,ET.eximsmtp; content:"auth|20|"; nocase; fast_pattern; pcre:"/^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}/R"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1469/; reference:url,labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/; reference:cve,2023-42115; classtype:attempted-admin; sid:2048390; rev:1; metadata:attack_target SMTP_Server, created_at 2023_10_03, cve CVE_2023_42115, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_03, reviewed_at 2023_10_03; target:dest_ip;)
  • The Snort/Suricata rule triggers on SMTP traffic where the AUTH command is followed by pairs of non-'A' runs, each terminated by a capital 'A', with the pair repeated two or more times (at least four such runs in a row), a shape indicative of the overflow payload. The flowbit ET.eximsmtp must be set (i.e., the flow has already been identified as Exim SMTP).
  • No authentication is required to exploit this vulnerability; monitor for anomalous AUTH command usage on TCP/25 from unauthenticated/external sources.
  • The vulnerability is exploited via the SMTP AUTH mechanism; the out-of-bounds write results from improper validation of user-supplied data in the AUTH exchange.
  • The Snort/Suricata rule is rated confidence Low and has Significant performance impact; tune deployment accordingly, especially on high-volume SMTP gateways.
  • On Ubuntu, CVE-2023-42115 only affects Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04; not all Ubuntu releases are impacted.
  • Red Hat products do not ship the vulnerable Exim package; no Red Hat-based systems are affected.
  • Debian fixed versions are: bookworm 4.96-15+deb12u2, bullseye 4.94.2-7+deb11u1, forky/sid/trixie 4.97~RC1-2; ensure patched versions are deployed.
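To show concretely what the rule above does and does not fire on, here is an added Python re-implementation of its matching logic for offline testing. It is not Snort/Suricata code and not from the rule's authors: the regex is copied from the rule's pcre option, the /R modifier is emulated by matching against the text that follows the "auth " content match, the sample SMTP client lines are constructed, and the `exim_flow` argument stands in for the ET.eximsmtp flowbit.

```python
import re

# Added example: stand-alone re-implementation of the ET rule's matching
# logic, so it can be exercised against sample lines offline. Not Snort or
# Suricata code; the regex below is copied from the rule's pcre option.
#
# content:"auth|20|"; nocase  ->  case-insensitive search for "auth "
# pcre:"/^(...){2,}/R"        ->  /R anchors the pattern at the end of the
#                                 content match; emulated here by matching
#                                 against the remainder of the line
AUTH_CONTENT = re.compile(r"auth ", re.IGNORECASE)
AUTH_PCRE = re.compile(r"^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}")

# One "run of non-'A' bytes terminated by a capital 'A'". The rule wants two
# pairs of these, i.e. at least four consecutive runs right after "auth ".
RUN = re.compile(r"[^A\r\n]+A")
MIN_RUNS = 4


def _after_auth(smtp_line: str):
    """Return the text following the first 'auth ' (any case), or None."""
    m = AUTH_CONTENT.search(smtp_line)
    return None if m is None else smtp_line[m.end():]


def leading_runs(smtp_line: str) -> int:
    """Count the consecutive non-'A' runs terminated by 'A' after 'auth '."""
    rest = _after_auth(smtp_line)
    if rest is None:
        return 0
    count, pos = 0, 0
    while True:
        m = RUN.match(rest, pos)
        if m is None:
            return count
        count += 1
        pos = m.end()


def rule_fires(smtp_line: str, exim_flow: bool = True) -> bool:
    """True when the rule would alert on this client line.

    exim_flow stands in for flowbits:isset,ET.eximsmtp: an earlier rule must
    already have tagged the flow as Exim SMTP, otherwise nothing fires.
    """
    if not exim_flow:
        return False
    rest = _after_auth(smtp_line)
    if rest is None:
        return False
    return AUTH_PCRE.match(rest) is not None


# Constructed sample client lines (not captured traffic).
SAMPLE_LINES = {
    # ordinary AUTH LOGIN start: no capital 'A' after the command at all
    "benign_login": "AUTH LOGIN\r\n",
    # ordinary AUTH PLAIN whose base64 blob contains only two capital 'A's
    "benign_plain": "AUTH PLAIN dXNlcgB1c2VyAHBhc3M=\r\n",
    # long AUTH EXTERNAL argument with the repeated ...A...A...A...A shape
    "suspicious_external": "AUTH EXTERNAL " + "zzzzA" * 4 + "\r\n",
    # legitimate-looking base64 that happens to alternate capital 'A's: the
    # rule fires here too, which is why it is rated confidence Low
    "false_positive_plain": "auth plain bAbAbAbA==\r\n",
}


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(f"{name:22s} runs={leading_runs(line)} fires={rule_fires(line)}")
```

`leading_runs` and `rule_fires` always agree (the rule fires exactly when at least `MIN_RUNS` runs follow "auth "), so the count is a convenient way to explain an alert or a miss when tuning the rule on a busy gateway; the last sample shows the kind of benign credential blob that will trip it.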

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL
vendor_ubuntu           5.3    MEDIUM