Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
12/1/2017
12:23 PM
Larry Loeb
Larry Loeb
Larry Loeb

Email Bug Shows Flaws in Reporting System

When one of the world's most commonly used email applications doesn't have a bug-reporting system, things get very public very quickly.

Get some sysadmins around some beers, and at some point those that run mail servers on their systems will undoubtedly start complaining. It's a labor intensive task, and prone to snafus in the best of situations. Something is always going wrong.

But the underlying software has usually been boring and uneventful. It's something no one thinks a lot about. Except that some guy in Taiwan found a honker of a problem in the Exim mail transfer agent. Exit runs on email servers and that does the actual relay of emails from senders to recipients.

Exim is no marginal program. A survey in March of this year found it running on 56% of the net's mail servers. It's major in its niche.

Exim said on its website that it had been told by this Taiwanese guy that there were major flaws in Exim 4.88 and 4.89, which are the latest versions.

The more serious of the two bugs was CVE-2017-16943. This is a use-after-free vulnerability that leads to remote code execution on affected servers. It affects what is called "chunking." Chunking is what allows the breaking up and sending of emails in multiple "chunks." Special commands are used by Exim to break down, handle, and reconstruct chunks. It is a basic functionality of what Exim is routinely used for. [Editor's note: The second, less serious bug is described in CVE-2017-16944.]

It was found that Exim mishandles the BDAT commands that are part and parcel of the chunking operation. This is the vulnerability that would let an attacker execute their malicious code on the underlying server. BDAT handling errors also give rise to the second bug, which is a denial of service exploit that causes an infinite loop.

Now, there is no patch to fix this that has distributed as of this date. The blog states a workaround, but it is only for those that can modify the program internals.

The reason for no patch is rather interesting. The bug was distributed in the public section of their blog, so Exim was as surprised as the rest of us to see it happen. It went public first because there was no method given by Exim for bugs to be submitted privately. Exim didn't have the time to verify their workaround was a viable solution, so no patch yet.

Yes, they have now made a way for private bug submissions to happen, but the damage has been done. Anyone that wants to exploit the problem can see in detail how it can be attacked. Without a fix, everyone running the mailer is at risk.

So, running a mailer just became a major attack surface. It didn't have to be this way. Exim just had to realize bugs would happen and that they didn't want to publicize them.

It's not the first time techno-arrogance has had bad results.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41355
PUBLISHED: 2022-10-06
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department.
CVE-2022-39284
PUBLISHED: 2022-10-06
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vuln...
CVE-2022-39279
PUBLISHED: 2022-10-06
discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Versi...
CVE-2022-27810
PUBLISHED: 2022-10-06
It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0.
CVE-2022-41525
PUBLISHED: 2022-10-06
TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi.