Overview
Exim before 4.90.1 contains a critical buffer overflow in base64d(), the base64 decoding routine used by the SMTP listener. A remote attacker who can reach the SMTP service can trigger it by sending crafted base64 data in an SMTP session (the publicly documented exploit uses the SMTP AUTH exchange) and execute arbitrary code on the affected system. No valid Exim credentials are needed: the overflow occurs before authentication completes. The vulnerability was disclosed on February 8, 2018. CISA lists CVE-2018-6789 in its Known Exploited Vulnerabilities catalog.
Technical details
The vulnerability is in base64d(), which decodes base64-encoded data received over SMTP (it is reached, among other paths, from the SMTP AUTH handling). The function sizes its output buffer for complete four-character groups only, allocating 3*(len/4)+1 bytes for an input of len characters, but still decodes a trailing partial group. An input whose length is 4n+3 therefore decodes to 3n+2 bytes, one byte more than was allocated. Because Exim's store allocator hands out heap memory, this is a one-byte heap overflow, not a stack-based one. A single overflowed byte is enough: the published exploitation technique uses it to corrupt the adjacent heap chunk and, after grooming the heap with ordinary SMTP commands, turns that corruption into arbitrary code execution with the privileges of the Exim process.
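The sizing mistake described above, reconstructed as an added example. This is illustrative code written for this page, not Exim's base64d() or its patch: the vulnerable allocation covers only complete four-character groups plus one byte, so an input of length 4k+3 needs one byte more than was allocated. The hardened sizing, the bounded decoder and the constructed input "QUJDREU" (which is "ABCDE" without padding, length 7) are assumptions made for the demonstration; the code reports the shortfall and refuses to decode into an undersized buffer rather than overflowing memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes a decoder must write for n base64 characters (padding '=' not
 * counted): three per complete group of four, plus one or two for a
 * trailing group of two or three characters. */
size_t b64_decoded_len(size_t n)
{
    size_t out = 3 * (n / 4);
    if (n % 4 == 2) out += 1;
    else if (n % 4 == 3) out += 2;
    return out;
}

/* The vulnerable sizing pattern: room for the complete groups plus one
 * byte. For n = 4k+3 the decoder writes 3k+2 bytes into 3k+1. */
size_t vulnerable_alloc_len(size_t n)
{
    return 3 * (n / 4) + 1;
}

/* A hardened sizing (illustrative, not Exim's exact patch): round the input
 * length up to a multiple of four before sizing, so a partial trailing
 * group is always covered. */
size_t fixed_alloc_len(size_t n)
{
    return 3 * ((n + 3) / 4) + 1;
}

/* Number of bytes a decode of n characters would write past an allocation
 * of alloc bytes; zero means the buffer is big enough. */
size_t overflow_bytes(size_t n, size_t alloc)
{
    size_t need = b64_decoded_len(n);
    return need > alloc ? need - alloc : 0;
}

/* Bounded decoder: writes into out (capacity cap) and refuses, rather than
 * overflowing, when the input would need more room. Returns the number of
 * bytes written, or -1 on invalid input or insufficient capacity. */
int b64_decode_bounded(const char *in, unsigned char *out, size_t cap)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(in);
    while (n > 0 && in[n - 1] == '=') n--;          /* ignore padding */
    if (n % 4 == 1 || b64_decoded_len(n) > cap) return -1;

    uint32_t acc = 0;
    int bits = 0;
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = strchr(alphabet, in[i]);
        if (p == NULL) return -1;
        acc = (acc << 6) | (uint32_t)(p - alphabet);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[written++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)written;
}

int main(void)
{
    /* Constructed input: "QUJDREU" is "ABCDE" without padding, length 7 = 4*1+3. */
    const char *sample = "QUJDREU";
    size_t n = strlen(sample);
    unsigned char buf[16];

    printf("len %zu need %zu  vulnerable alloc %zu (overflow %zu)  fixed alloc %zu (overflow %zu)\n",
           n, b64_decoded_len(n),
           vulnerable_alloc_len(n), overflow_bytes(n, vulnerable_alloc_len(n)),
           fixed_alloc_len(n), overflow_bytes(n, fixed_alloc_len(n)));

    /* The bounded decoder refuses the undersized buffer instead of overflowing. */
    printf("decode into %zu bytes -> %d\n", vulnerable_alloc_len(n),
           b64_decode_bounded(sample, buf, vulnerable_alloc_len(n)));
    printf("decode into %zu bytes -> %d\n", fixed_alloc_len(n),
           b64_decode_bounded(sample, buf, fixed_alloc_len(n)));
    return 0;
}
```

Only lengths of the form 4k+3 produce a shortfall with the vulnerable sizing (4k+2 fits exactly, 4k has a spare byte), which is why a one-byte overflow is the most an attacker gets from a single decode and why the public technique has to combine it with careful heap layout.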
The vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) and CWE-131 (Incorrect Calculation of Buffer Size).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
A remote attacker can execute arbitrary code with the privileges of the Exim mail server process. This typically allows the attacker to take full control of the mail server, access sensitive email data, modify mail routing, send spam, or use the compromised server as a pivot point for further attacks on the organization's network. The impact is severe as mail servers are typically located in trusted network positions.
Mitigation and workarounds
Upgrade Exim to version 4.90.1 or later. The fix changes base64d() to allocate an output buffer large enough for an input whose length is not a multiple of four, so a trailing partial group can no longer write past the end. Apply the following: 1) Obtain the patched package from your distribution's repositories or the patched source from the Exim project. 2) Stop the Exim service. 3) Install the patched version. 4) Restart the Exim service. 5) Verify the running version with 'exim -bV'. Note that distributions commonly backport the fix without changing the upstream version string, so on such systems confirm the fix in the package changelog rather than relying on the version number alone.
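A check for the verification step, as an added example that is not from Exim or any distribution: it parses the first line of exim -bV output (assumed to begin "Exim version X.Y[.Z]", which is the format Exim prints) and flags anything below 4.90.1. The sample lines are constructed for the demonstration. Because backported packages keep the old upstream version string, a "vulnerable" result from this check means "confirm via the package changelog", not "definitely unpatched".

```c
#include <stdio.h>
#include <string.h>

/* Extract "major.minor[.patch]" following "Exim version " in the output of
 * `exim -bV`. A missing patch level (e.g. "4.90") is treated as 0.
 * Returns 0 on success, -1 if the marker or version is not found. */
int parse_exim_bv(const char *bv_output, int v[3])
{
    const char *marker = "Exim version ";
    const char *p = strstr(bv_output, marker);
    if (p == NULL) return -1;
    p += strlen(marker);
    v[0] = v[1] = v[2] = 0;
    if (sscanf(p, "%d.%d.%d", &v[0], &v[1], &v[2]) < 2) return -1;
    return 0;
}

/* Lexicographic comparison of two major.minor.patch triples. */
int version_cmp(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = reported version is below the fixed release 4.90.1,
 * 0 = at or above it, -1 = output not recognised. */
int exim_vulnerable_cve_2018_6789(const char *bv_output)
{
    static const int fixed[3] = {4, 90, 1};
    int v[3];
    if (parse_exim_bv(bv_output, v) != 0) return -1;
    return version_cmp(v, fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real host. */
    const char *samples[] = {
        "Exim version 4.90 #1 built 12-Jan-2018 10:00:00",
        "Exim version 4.90.1 #1 built 10-Feb-2018 10:00:00",
        "Exim version 4.91 #1 built 15-Apr-2018 10:00:00",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = exim_vulnerable_cve_2018_6789(samples[i]);
        printf("%s -> %s\n", samples[i],
               r == 1 ? "below 4.90.1: upgrade or confirm a backported fix"
                      : "4.90.1 or later");
    }
    return 0;
}
```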
As temporary workarounds: disable the SMTP service if it is not required and use an alternative mail transfer mechanism; restrict SMTP access with firewall rules (port 25, and the submission ports 465 and 587 if they are enabled) to trusted IP addresses only; run Exim in a restricted environment (chroot jail, container, or virtual machine) to limit what an attacker can do after code execution, bearing in mind that this contains rather than prevents the compromise; and deploy network-level intrusion detection to identify exploitation attempts. Restricting the listener is rarely possible for an Internet-facing MX, so treat these as stopgaps until the upgrade is applied.
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI

