CVE-2023-42118
published 2024-05-03

CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability

Priority: P273 (high)
CVSS 3.1: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 51.47% (98.8th percentile)
Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17578. (libspf2 is the SPF library that Exim links against when built with SPF support; the macro data it parses comes from the SPF TXT record of whichever domain the MTA is evaluating, so the flaw is reached during SPF checks on inbound mail.)

Affected (8 ranges)

Vendor    Product   Version range        Fixed in
debian    libspf2   (not given)          (not given)
exim      libspf2   (not given)          (not given)
libspf2   libspf2   >= 0, < 1.2.11-r3    1.2.11-r3   (this identical range is listed six times in the source)

Note that the fixed version carries a package revision suffix (-r3), so the upstream 1.2.11 release itself falls inside the vulnerable range; what matters is the distribution package revision that carries the patch, not the upstream version number alone.

Detection & IOCs (extracted from sources)

  • The vulnerability exists within the parsing of SPF macros in libspf2. SPF macros live in DNS TXT records, so the attacker-controlled input is the SPF record of a domain the attacker controls; monitor DNS TXT responses fetched during SPF evaluation for macro fields that deviate from the RFC 7208 macro grammar (unterminated "%{", unknown macro letters, zero or oversized digit transformers), since malformed macros are what would reach the faulty integer handling in libspf2.
  • The attack vector is rated network-adjacent and requires no authentication. Treat that rating cautiously when scoping exposure: an MTA that evaluates SPF for inbound mail looks up the sender domain named in MAIL FROM or HELO, so the attacker only needs to send a message from a domain whose DNS they control. Focus detection on the SMTP-layer SPF evaluation path where libspf2 processes macro data from those DNS responses.
  • Successful exploitation results in code execution as the service account (for example, the Exim mail server process user); alert on unexpected child processes or other anomalous activity originating from the Exim/libspf2 service account.
  • Debian distributions (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE as of the tracked status; prioritize patching on Debian-based Exim deployments.
  • Red Hat products do not ship the vulnerable libspf2 package, so Red Hat-based systems are not affected.
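As an added example of the first detection bullet (this is not code from the source page, from libspf2 or from Exim, and it does not model the CVE's exact trigger, which the page does not describe): a small Python checker that walks SPF TXT records, pulls out every macro-string argument and validates it against the RFC 7208 section 7.1 macro grammar. Records whose macros do not parse are the ones worth pulling from passive DNS or resolver logs for a closer look. The sample records are constructed for the example, and the MAX_PLAUSIBLE_PARTS ceiling is the example's own heuristic, not something from the RFC or from libspf2.

```python
import re
from typing import Dict, List, Tuple

# RFC 7208 section 7.1 macro grammar:
#   macro-expand = "%{" macro-letter transformers *delimiter "}" / "%%" / "%_" / "%-"
#   transformers = *DIGIT [ "r" ]      (DIGIT value MUST be nonzero, section 7.3)
#   delimiter    = "." / "-" / "+" / "," / "/" / "_" / "="
MACRO_LETTERS = set("slodiphcrtv")   # c, r, t are only valid in exp= text; accepted here for simplicity
_REST_RE = re.compile(r"(\d*)(r?)([.\-+,/_=]*)", re.IGNORECASE)
# Heuristic ceiling chosen for this example: a DNS name has at most 127 labels and an
# IPv6 %{i} expands to 32 parts, so a larger count can never select real data.
MAX_PLAUSIBLE_PARTS = 127


def validate_macro_string(s: str) -> List[str]:
    """Check one macro-string (the domain-spec of a mechanism or modifier argument)
    against the RFC 7208 grammar. Returns a list of problems; empty means well formed."""
    problems: List[str] = []
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch != "%":
            # macro-literal: any visible US-ASCII character except '%'
            if not 0x21 <= ord(ch) <= 0x7E:
                problems.append(f"non-printable or non-ASCII character {ch!r} at offset {i}")
            i += 1
            continue
        if i + 1 >= n:
            problems.append(f"dangling '%' at end of string (offset {i})")
            break
        nxt = s[i + 1]
        if nxt in "%_-":                      # %% %_ %- are literal escapes
            i += 2
            continue
        if nxt != "{":
            problems.append(f"'%' followed by {nxt!r} instead of '{{', '%', '_' or '-' at offset {i}")
            i += 2
            continue
        close = s.find("}", i + 2)
        if close == -1:
            problems.append(f"unterminated macro-expand starting at offset {i}")
            break
        body = s[i + 2:close]
        if not body:
            problems.append(f"empty macro-expand at offset {i}")
        else:
            if body[0].lower() not in MACRO_LETTERS:
                problems.append(f"unknown macro letter {body[0]!r} at offset {i + 2}")
            m = _REST_RE.fullmatch(body[1:])
            if m is None:
                problems.append(f"malformed transformers/delimiters {body[1:]!r} in macro at offset {i}")
            elif m.group(1):
                count = int(m.group(1))
                if count == 0:
                    problems.append(f"zero DIGIT transformer in macro at offset {i} (RFC 7208 requires nonzero)")
                elif count > MAX_PLAUSIBLE_PARTS:
                    problems.append(f"implausible DIGIT transformer {count} in macro at offset {i}")
        i = close + 1
    return problems


def scan_spf_record(record: str) -> List[Tuple[str, str]]:
    """Return (term, problem) pairs for every malformed macro-string in one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("", "not an SPF version 1 record")]
    findings: List[Tuple[str, str]] = []
    for term in terms[1:]:
        t = term.lstrip("+-~?")               # drop the qualifier
        colon, eq = t.find(":"), t.find("=")
        if eq != -1 and (colon == -1 or eq < colon):
            arg = t[eq + 1:]                  # modifier, e.g. redirect=... or exp=...
        elif colon != -1:
            arg = t[colon + 1:]               # mechanism with a domain-spec, e.g. exists:...
        else:
            continue                          # bare 'a', 'mx', 'all': nothing to expand
        findings.extend((term, p) for p in validate_macro_string(arg))
    return findings


def scan_records(records: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan many records and keep only the ones with findings."""
    return {r: f for r in records if (f := scan_spf_record(r))}


# Constructed sample TXT records for the example; only the first is clean.
SAMPLE_RECORDS = [
    "v=spf1 include:_spf.example.net exists:%{i}._spf.%{d} -all",
    "v=spf1 exists:%{i._spf.example.net -all",              # unterminated macro
    "v=spf1 exists:%{x}.example.net -all",                  # unknown macro letter
    "v=spf1 exists:%{d0}.example.net -all",                 # zero digit transformer
    "v=spf1 exists:%{i9999999999r.}.example.net -all",      # absurd part count
    "v=spf1 redirect=%{d}.%z -all",                         # bad '%' escape
]

if __name__ == "__main__":
    for record, findings in scan_records(SAMPLE_RECORDS).items():
        for term, problem in findings:
            print(f"{record!r}: term {term!r}: {problem}")
```

A clean parse does not mean a record is safe, and a malformed one is not proof of an exploit attempt; the checker is a triage filter for which resolver or Exim log entries to examine, and it should be run on the records the MTA actually fetched rather than on the static zone data.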

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            3.1       8.8     HIGH       CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            3.0       7.5     HIGH       CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv            -         8.8     HIGH       -
vendor_debian  -         8.8     HIGH       -
vendor_redhat  -         8.8     HIGH       -

The two NVD vectors differ only in attack complexity (AC:H in the v3.0 entry, AC:L in the v3.1 entry), which is the whole difference between the 7.5 and 8.8 scores; the other sources follow the 8.8 figure.