CVE-2023-42117
published 2024-05-03


Priority: P2 (71) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.67% (92.0th percentile)
Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17554.

Affected (4 ranges)

Vendor   Product  Version range                         Fixed in
debian   exim4    < exim4 4.96-15+deb12u3 (bookworm)    exim4 4.96-15+deb12u3 (bookworm)
exim     exim     < 4.96.2                              4.96.2
exim     exim
ubuntu   exim4

Detection & IOCs (extracted from sources)

Port: 25/tcp
  • Target is the Exim SMTP service; exploit does not require authentication — monitor for anomalous or malformed SMTP traffic from unauthenticated sources on port 25.
  • The vulnerability triggers a memory corruption condition via improper neutralization of special elements in user-supplied data; look for unexpected crashes or memory-fault signals in the Exim process.
  • On Ubuntu 22.04 LTS systems, the patch for CVE-2023-42117 may produce 'Taint mismatch' log entries — these log lines can be used as a canary to confirm the patched (or regression-affected) Exim version is in use.
  • Exim listens on TCP port 25 by default; if the service has been reconfigured to a non-standard port, detection rules targeting port 25 must be updated accordingly.
  • Red Hat products do not ship the vulnerable Exim package; detections targeting Red Hat/RHEL environments are not applicable.
  • Fixed Debian versions are 4.96-15+deb12u3 (bookworm), 4.94.2-7+deb11u4 (bullseye), and 4.97~RC2-2 (sid/trixie/forky); version-based detection should flag any Exim installation below these thresholds on Debian.
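A version-threshold check for the Debian fixed versions listed in the last bullet, written as an added example that is not part of this record or of Exim or Debian tooling; it ports dpkg's version-ordering rules (epoch, then upstream, then revision, with `~` sorting before everything) to Python so the check runs on any host without `dpkg --compare-versions`, and the suite-to-fixed-version map is taken from the bullet above.

```python
# Added example (not part of the record): flag Debian exim4 versions below the
# fixed thresholds named above, using a Python port of dpkg's version ordering.
import re
from itertools import zip_longest

# Fixed versions exactly as listed in the record, keyed by Debian suite.
FIXED_DEBIAN = {"bookworm": "4.96-15+deb12u3", "bullseye": "4.94.2-7+deb11u4",
                **dict.fromkeys(("sid", "trixie", "forky"), "4.97~RC2-2")}


def _order(c: str) -> int:
    """dpkg weight of a non-digit char: '~' < end-of-run < letters < other symbols."""
    if c == "~" or not c:
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a: str, b: str) -> int:
    """Compare an upstream or revision string the way dpkg's verrevcmp() does,
    by splitting each into alternating (non-digit run, digit run) pairs."""
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        # Non-digit runs compare per character; a missing char weighs 0,
        # which is what makes 4.97~RC2 sort before the 4.97 release.
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        # Digit runs compare numerically (leading zeros do not matter).
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into dpkg's three components."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)


def exim4_vulnerable(installed: str, suite: str) -> bool:
    """True when the installed exim4 package version is below the suite's fix."""
    return dpkg_compare(installed, FIXED_DEBIAN[suite]) < 0
```

Feed it the output of `dpkg-query -W -f='${Version}' exim4` together with the host's suite; a True result means the package predates the fix named in the record.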

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v3.0     8.1    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL
vendor_ubuntu            9.8    CRITICAL