CVE-2023-42116Stack-based Buffer Overflow in Exim

CWE-121Stack-based Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer11 documents8 sources
Severity
9.8CRITICALNVD
OSV5.3
EPSS
6.7%
top 8.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
EximDebian Exim4
Timeline
PublishedMay 3

Description

Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage thi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDexim/exim< 4.96.1
debiandebian/exim4< exim4 4.96-15+deb12u2 (bookworm)
CVEListV5exim/eximexim 4.95

🔴Vulnerability Details

3
GHSA
GHSA-5hxx-p89v-jxc7: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability2024-05-03
OSV
CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability2024-05-03
OSV
exim4 vulnerabilities2023-10-04

📋Vendor Advisories

3
Ubuntu
Exim vulnerabilities2023-10-04
Red Hat
Exim: SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability2023-09-27
Debian
CVE-2023-42116: exim4 - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerabil...2023

🕵️Threat Intelligence

4
Wiz
Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog2023-10-02
Wiz
Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog2023-10-02
Bleepingcomputer
Exim patches three of six zero-day bugs disclosed last week2023-10-02
Bleepingcomputer
Millions of Exim mail servers exposed to zero-day RCE attacks2023-09-29