CVE-2022-37452: Exim heap-based buffer overflow vulnerability

CVE-2022-37452

A critical heap-based buffer overflow vulnerability has been disclosed in the popular open-source Exim mail transfer agent, reportedly leaving more than half a million mail servers exposed to remote attackers.

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style, it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of Sendmail, although the configuration of Exim is quite different.

CVE-2022-37452

The flaw, tracked as CVE-2022-37452 and rated critical, is a heap-based buffer overflow of the alias list built by host_name_lookup() in host.c when sender_host_name is set.

The details of the CVE-2022-37452 vulnerability, along with proof-of-concept (PoC) code, were published on GitHub on August 7, 2022.

The researcher writes: "To trigger the issue, we need to make Exim call host_name_lookup() with sender_host_name != NULL. It is possible to do, for instance, if we add a global configuration entry which uses the '$sender_host_name' variable. host_name_lookup() will be called twice: first when Exim tries to expand $sender_host_name, second in smtp_start_session() (smtp_in.c)."
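The page does not reproduce the affected host.c code, so the block below is an added, deliberately simplified model of the bug class rather than Exim's own code: a heap-allocated alias list that a lookup routine fills, entered a second time (as the write-up describes) with the host name already set. The struct, the function names, the fixed slot count and the mechanism (the second call appending without checking the allocation) are all assumptions made for the illustration, shown beside the bounds-checked form a fix takes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the bug class. Names, slot count and the mechanism
 * (a second lookup appending to a list sized for one answer) are assumptions
 * made for this illustration; this is not Exim's host.c code. */

#define ALIAS_SLOTS 4   /* heap slots allocated for the alias list */

struct host_ctx {
    char  *sender_host_name;  /* NULL until a lookup has set it */
    char **aliases;           /* heap array of ALIAS_SLOTS pointers */
    size_t alias_count;       /* slots used so far */
};

/* Constructed stand-in for a DNS answer: the aliases of the connecting host. */
static const char *const answer_aliases[] = {
    "mx1.example.net", "smtp.example.net", "mail.example.net"
};
#define ANSWER_ALIAS_COUNT (sizeof answer_aliases / sizeof answer_aliases[0])

static void ctx_init(struct host_ctx *ctx)
{
    ctx->sender_host_name = NULL;
    ctx->aliases = calloc(ALIAS_SLOTS, sizeof *ctx->aliases);
    ctx->alias_count = 0;
}

/* Vulnerable shape: every call appends the answer's aliases without checking
 * the allocation. Entered a second time with sender_host_name already set,
 * the writes run past the ALIAS_SLOTS heap allocation. */
void host_name_lookup_vulnerable(struct host_ctx *ctx)
{
    if (!ctx->sender_host_name)
        ctx->sender_host_name = "mx1.example.net";
    for (size_t i = 0; i < ANSWER_ALIAS_COUNT; i++)
        ctx->aliases[ctx->alias_count++] = (char *)answer_aliases[i]; /* no bound */
}

/* Hardened shape: check the bound before writing and refuse to overrun.
 * Returns 0 on success, -1 if the aliases would not fit. */
int host_name_lookup_hardened(struct host_ctx *ctx)
{
    if (!ctx->sender_host_name)
        ctx->sender_host_name = "mx1.example.net";
    if (ctx->alias_count + ANSWER_ALIAS_COUNT > ALIAS_SLOTS)
        return -1;
    for (size_t i = 0; i < ANSWER_ALIAS_COUNT; i++)
        ctx->aliases[ctx->alias_count++] = (char *)answer_aliases[i];
    return 0;
}

/* Runs the hardened lookup twice (the double call the write-up describes)
 * and returns the second call's result: -1 means the overrun was refused. */
int hardened_second_call(void)
{
    struct host_ctx ctx;
    ctx_init(&ctx);
    host_name_lookup_hardened(&ctx);
    int rc = host_name_lookup_hardened(&ctx);
    free(ctx.aliases);
    return rc;
}

/* After one vulnerable call, how many slots past the allocation would a
 * second call write? Computed from the counts, not performed. */
int vulnerable_overrun_slots(void)
{
    struct host_ctx ctx;
    ctx_init(&ctx);
    host_name_lookup_vulnerable(&ctx);
    size_t after_second = ctx.alias_count + ANSWER_ALIAS_COUNT;
    free(ctx.aliases);
    return after_second > ALIAS_SLOTS ? (int)(after_second - ALIAS_SLOTS) : 0;
}

int main(void)
{
    printf("hardened second call: %d\n", hardened_second_call());         /* -1 */
    printf("vulnerable second call would overrun by %d slots\n",
           vulnerable_overrun_slots());                                   /* 2 */
    /* To see the overflow itself, build with -fsanitize=address and call
     * host_name_lookup_vulnerable() twice on the same context. */
    return 0;
}
```

The point of the model is the shape of the defect: the allocation size is decided by one code path and the writes by another, and nothing ties the two together. The hardened form makes the bound explicit at the write site, which is the check to look for when reviewing any routine that fills a list obtained from a name lookup.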

The PoC write-up states that the flaw was introduced in Exim 4.93, yet this article also names 4.92, 4.92.1 and 4.92.2 as vulnerable; those releases predate 4.93, so both claims cannot hold. The CVE entry records every release before 4.95 as affected, and that is the range administrators should work from. The fix shipped in Exim 4.95, and 4.96 also contains it.

A second flaw, tracked as CVE-2022-37451, affects Exim before 4.96: an invalid free in pam_converse() in auths/call_pam.c, because memory obtained with store_malloc() is not released with store_free(). A PoC for this flaw has also been published.

Exim is one of the most widely used mail servers; Shodan shows nearly 4 million Internet-exposed instances, most of them in the United States. This makes Exim a tempting target for malicious actors.

Server administrators are strongly advised to upgrade to the latest Exim release, 4.96, immediately.
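Before upgrading, an administrator will want to know which installed hosts are actually in the affected range. The following is an added example, not code from the article or from the Exim project: it parses the first line of `exim -bV` output (which begins "Exim version M.m.p #build built ...") and compares the version against a fixed-in threshold, using 4.95 for CVE-2022-37452 (per the CVE entry) and 4.96 for CVE-2022-37451 (per the article). The sample banner strings are constructed for the test.

```c
#include <stdio.h>
#include <string.h>

/* Parse an "M.m[.p]" version at s into v[3]; returns the number of fields read.
 * A missing patch level is treated as 0. */
static int parse_triplet(const char *s, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]);
}

/* Find the version in `exim -bV` output, e.g.
 *   "Exim version 4.94.2 #2 built 19-Mar-2021 ..."
 * Returns major*10000 + minor*100 + patch (4.94.2 -> 49402), or -1 if absent. */
int exim_version_number(const char *bv_output)
{
    const char *p = strstr(bv_output, "Exim version ");
    int v[3];
    if (!p || parse_triplet(p + strlen("Exim version "), v) < 2)
        return -1;
    return v[0] * 10000 + v[1] * 100 + v[2];
}

/* 1 if the Exim reported by bv_output is older than fixed_in (e.g. "4.95"),
 * 0 if it is at or beyond it, -1 if either string cannot be parsed.
 * Caveat: a pre-release tag such as "4.96-RC2" parses as 4.96.0 and is
 * therefore treated as fixed; check the build date in -bV if that matters. */
int exim_older_than(const char *bv_output, const char *fixed_in)
{
    int have = exim_version_number(bv_output);
    int fix[3];
    if (have < 0 || parse_triplet(fixed_in, fix) < 2)
        return -1;
    return have < fix[0] * 10000 + fix[1] * 100 + fix[2];
}

int main(void)
{
    /* Usage: exim -bV | ./exim_check */
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, stdin);
    buf[n] = '\0';
    int v = exim_version_number(buf);
    if (v < 0) {
        fputs("no Exim version found in input\n", stderr);
        return 2;
    }
    printf("Exim %d.%d.%d\n", v / 10000, (v / 100) % 100, v % 100);
    printf("CVE-2022-37452 (fixed in 4.95): %s\n",
           exim_older_than(buf, "4.95") == 1 ? "AFFECTED" : "fixed");
    printf("CVE-2022-37451 (article: before 4.96): %s\n",
           exim_older_than(buf, "4.96") == 1 ? "AFFECTED" : "fixed");
    return 0;
}
```

Distribution packages often backport fixes without bumping the upstream version, so a "fixed" verdict from the upstream version number is the reliable case; an "AFFECTED" verdict on a distribution build should be confirmed against the vendor's changelog before raising an alarm.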