CVE-2023-42116
published 2024-05-03

Priority: P2 · 72 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.16% (86.4th percentile)
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
debian | exim4 | < exim4 4.96-15+deb12u2 (bookworm) | exim4 4.96-15+deb12u2 (bookworm)
exim | exim | < 4.96.1 | 4.96.1
exim | exim | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

  • The vulnerable code path is the NTLM challenge request handling in Exim's SMTP service: the overflow occurs when the length of user-supplied data is not validated before it is copied into a fixed-length stack-based buffer during NTLM challenge processing
  • No authentication is required to trigger the vulnerability — monitor for unauthenticated SMTP sessions sending oversized NTLM challenge responses
  • Exploitation results in code execution as the Exim service account — alert on unexpected child processes or command execution spawned from the Exim process after an NTLM exchange
  • Successful exploitation manifests as out-of-bounds writes during NTLM challenge handling — look for Exim crashes or memory corruption signals (e.g., segfaults) on SMTP ports following NTLM negotiation
  • Debian fixed versions are available: ensure Exim is patched to the resolved versions for your distribution track to remediate CVE-2023-42116
  • Red Hat products are not affected, as Exim is not shipped in any Red Hat product
  • On Ubuntu, the related out-of-bounds write class (CVE-2023-42115) only affects Ubuntu 20.04 LTS, 22.04 LTS, and 23.04; CVE-2023-42116 itself affects all supported Ubuntu releases

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_ubuntu | | 5.3 | MEDIUM |