CVE-2023-42116
Published 2024-05-03
CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
Priority: P2 · 72 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.16% (86.4th percentile)
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.96-15+deb12u2 (bookworm) | exim4 4.96-15+deb12u2 (bookworm) |
| exim | exim | < 4.96.1 | 4.96.1 |
| exim | exim | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable code path is Exim's handling of NTLM challenge requests in its SMTP service: the overflow occurs when the length of user-supplied data is not validated before it is copied into a fixed-length stack-based buffer during NTLM challenge processing.
- No authentication is required to trigger the vulnerability; monitor for unauthenticated SMTP sessions that send oversized NTLM challenge responses.
- Exploitation results in code execution as the Exim service account; alert on unexpected child processes or command execution spawned from the Exim process after an NTLM exchange.
- Successful exploitation manifests as out-of-bounds writes during NTLM challenge handling; look for Exim crashes or memory-corruption signals (e.g., segfaults) in the SMTP listener following NTLM negotiation.
- Debian fixed versions are available; ensure Exim is patched to the resolved version for each distribution track to remediate CVE-2023-42116.
- Red Hat products are not affected, as Exim is not shipped in any Red Hat product.
- On Ubuntu, the related out-of-bounds write CVE-2023-42115 only affected Ubuntu 20.04 LTS, 22.04 LTS and 23.04; CVE-2023-42116 affects all supported Ubuntu releases.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
GHSA
GHSA-5hxx-p89v-jxc7: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
ghsa_unreviewed · 2024-05-03 · CVE-2023-42116 · HIGH · CWE-121
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.
OSV
CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
osv · 2024-05-03 · CVSS 9.8 · CRITICAL
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.
OSV
exim4 vulnerabilities
osv · 2023-10-04 · CVSS 5.3 · CVE-2023-42114 · MEDIUM
It was discovered that Exim incorrectly handled certain challenge requests. A remote attacker could possibly use this issue to perform out-of-bounds reads, resulting in information leakage. (CVE-2023-42114)
It was discovered that Exim incorrectly handled validation of user-supplied data. A remote attacker could possibly use this issue to perform out-of-bounds writes, resulting in arbitrary code execution. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-42115)
It was discovered that Exim incorrectly handled certain challenge requests. A remote attacker could possibly use this issue to perform out-of-bounds writes, resulting in arbitrary code execution. (CVE-2023-42116)
Ubuntu
Exim vulnerabilities
vendor_ubuntu · 2023-10-04 · CVSS 5.3 · CVE-2023-42115 · MEDIUM
Title: Exim vulnerabilities
Summary: Several security issues were fixed in Exim.
It was discovered that Exim incorrectly handled certain challenge requests. A remote attacker could possibly use this issue to perform out-of-bounds reads, resulting in information leakage. (CVE-2023-42114)
It was discovered that Exim incorrectly handled validation of user-supplied data. A remote attacker could possibly use this issue to perform out-of-bounds writes, resulting in arbitrary code execution. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-42115)
It was discovered that Exim incorrectly handled certain challenge requests. A remote attacker could possibly use this issue to perform out-of-bounds writes, resulting in arbitrary code execution. (CVE-2023-42116)
Red Hat
Exim: SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
vendor_redhat · 2023-09-27 · CVSS 9.8 · CVE-2023-42116 · CRITICAL · CWE-119
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.
The vulnerability was found in Exim within the handling of NTLM challenge requests. The issue results from the lack of pro
Debian
CVE-2023-42116: exim4 - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
vendor_debian · 2023 · CVSS 9.8 · CRITICAL
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17515.
Scope: local
bookworm: resolved (fixed in 4.96-15+deb12u2)
bullseye: resolved (fixed in 4.94.2-7+deb11u1)
forky: resolved (fixed in 4.97~RC1-2)
sid: resolved (fixed in 4.97~RC1-2)
trixie: resolved (fixed in 4.
No detection rules found.
No public exploits indexed.
Wiz
Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog
blogs_wiz · 2023-10-02 · CVSS 9.8 · CVE-2023-42115 · CRITICAL
Multiple vulnerabilities were publicly disclosed by the Zero Day Initiative (ZDI) in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with “External” authentication enabled. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer. The recommendation is to update Exim to patched versions, or if not possible, restrict remote access to Exim mail servers if you have “External” authentication enabled, or to switch to a different authentication method.
## What is CVE-2023-42115?
Exim is a very prevalent mail server, due in part to being the default MTA preinstalled on Debian and other Linux distribution
Bleepingcomputer
Exim patches three of six zero-day bugs disclosed last week
blogs_bleepingcomputer · 2023-10-02 · CVSS 5.3 · CVE-2023-42115 · MEDIUM
By Sergiu Gatlan
Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro's Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution.
Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer," ZDI's advisory exp
Bleepingcomputer
Millions of Exim mail servers exposed to zero-day RCE attacks
blogs_bleepingcomputer · 2023-09-29 · CVSS 9.8 · CVE-2023-42115 · CRITICAL
By Sergiu Gatlan
A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.
Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.
While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default," a ZDI security advisory