CVE-2023-42118
Published 2024-05-03
Priority: P2 · 73 · high
CVSS 3.1: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 51.47% (98.8th percentile)
Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account.
Was ZDI-CAN-17578.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspf2 | — | — |
| exim | libspf2 | — | — |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
| libspf2 | libspf2 | >= 0 < 1.2.11-r3 | 1.2.11-r3 |
Detection & IOCs
- The vulnerability exists within the parsing of SPF macros in libspf2; monitor for malformed SPF macro fields in DNS TXT records or SMTP traffic that may trigger integer underflow conditions in the libspf2 parsing code.
- Attack vector is network-adjacent and requires no authentication; focus detection on SMTP-layer SPF evaluation paths where libspf2 processes attacker-controlled SPF macro data from DNS responses.
- Successful exploitation results in code execution as the service account (e.g., the Exim mail server process user); alert on unexpected child processes or anomalous activity spawned from the Exim/libspf2 service account.
- Debian distributions (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE as of the tracked status; prioritize patching on Debian-based Exim deployments.
- Red Hat products do not ship the vulnerable libspf2 package, so Red Hat-based systems are not affected.
CVSS provenance
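| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |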
Red Hat
libspf2: Integer Underflow Remote Code Execution Vulnerability
vendor_redhat·2023-09-27·CVSS 8.8
CVE-2023-42118 [HIGH] CWE-190 libspf2: Integer Underflow Remote Code Execution Vulnerability
An integer underflow flaw was discovered in libspf2 library which exists within the parsing of SPF macros. When parsing SPF macros, the process does not
Debian
CVE-2023-42118: libspf2 - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnera...
vendor_debian·2023·CVSS 8.8
CVE-2023-42118 [HIGH] CVE-2023-42118: libspf2 - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnera...
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-2vq7-8vvf-w66v: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
ghsa_unreviewed·2024-05-03
CVE-2023-42118 [HIGH] CWE-191 GHSA-2vq7-8vvf-w66v: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
OSV
CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
osv·2024-05-03·CVSS 8.8
CVE-2023-42118 [HIGH] CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
No detection rules found.
No public exploits indexed.
Wiz
Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog
blogs_wiz·2023-10-02·CVSS 9.8
CVE-2023-42115 [CRITICAL] Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog
Multiple vulnerabilities were publicly disclosed by the Zero Day Initiative (ZDI) in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with “External” authentication enabled. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer. The recommendation is to update Exim to patched versions, or if not possible, restrict remote access to Exim mail servers if you have “External” authentication enabled, or to switch to a different authentication method.
## What is CVE-2023-42115?
Exim is a very prevalent mail server, due in part to being the default MTA preinstalled on Debian and other Linux distribution
Bleepingcomputer
Exim patches three of six zero-day bugs disclosed last week
blogs_bleepingcomputer·2023-10-02·CVSS 5.3
CVE-2023-42115 [MEDIUM] Exim patches three of six zero-day bugs disclosed last week
## Exim patches three of six zero-day bugs disclosed last week
## Sergiu Gatlan
Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro's Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution.
Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer," ZDI's advisory exp
Bleepingcomputer
Millions of Exim mail servers exposed to zero-day RCE attacks
blogs_bleepingcomputer·2023-09-29·CVSS 9.8
CVE-2023-42115 [CRITICAL] Millions of Exim mail servers exposed to zero-day RCE attacks
## Millions of Exim mail servers exposed to zero-day RCE attacks
## Sergiu Gatlan
A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.
Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.
While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default," a ZDI security advisory