During our recently completed penetration tests we noticed a large number of servers vulnerable to CVE-2018-6789 (Exim off-by-one RCE).
This vulnerability was reported by a security researcher on 5 February 2018. On 10 February 2018 (http://seclists.org/oss-sec/2018/q1/145) Exim released version 4.90.1, which fixes CVE-2018-6789.
According to the devco.re write-up (https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/), CVE-2018-6789 “is a calculation mistake of decode buffer length in b64decode function:
    int
    b64decode(const uschar *code, uschar **ptr)
    {
    int x, y;
    uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
    *ptr = result;
    // perform decoding (the loop body is elided in the quoted excerpt)
    }
“As shown above, Exim allocates a buffer of 3*(len/4)+1 bytes to store decoded base64 data. However, when the input is not a valid base64 string, and the length is 4n+3, Exim allocates 3n+1 but consumes 3n+2 bytes while decoding. This causes one-byte heap overflow (aka off-by-one).
Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length. Also, this byte is controllable, which makes exploitation more feasible.
Base64 decoding is such a fundamental function, and therefore this bug can be triggered easily, causing remote code execution.”
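To make the arithmetic concrete, here is an added C example written for this post (it is neither Exim's code nor the devco.re author's). It mirrors the control flow of the pre-4.90.1 decode loop, counts how many bytes that loop emits, and compares the count with what the quoted 3*(len/4)+1 formula allocates. The writes are bounds-checked so the demonstration itself is memory-safe, the inputs are constructed, and safe_alloc_size() is this example's own sufficient bound, not the upstream patch.

```c
#include <stdio.h>
#include <string.h>

/* Decode table in the style of Exim's dec64table: 255 marks an invalid byte,
   including NUL, which is what the loop reads when a quantum is incomplete. */
static unsigned char dec64table[256];
static int table_ready = 0;

static void init_table(void)
{
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(dec64table, 255, sizeof dec64table);
    for (int i = 0; i < 64; i++)
        dec64table[(unsigned char)alphabet[i]] = (unsigned char)i;
    table_ready = 1;
}

/* The allocation from the quoted pre-4.90.1 b64decode(): 3*(len/4)+1 bytes. */
size_t vuln_alloc_size(const char *code)
{
    return 3 * (strlen(code) / 4) + 1;
}

/* A bound that always covers the loop below: a trailing partial quantum is
   rounded up to a whole one. This is the example's own sufficient size
   (assumption), not the fix that shipped in 4.90.1. */
size_t safe_alloc_size(const char *code)
{
    return 3 * ((strlen(code) + 3) / 4) + 1;
}

/* Bounded store: real Exim writes unconditionally into the store_get() buffer.
   Here the write is skipped once the demo buffer is full but still counted. */
static void emit(unsigned char *out, size_t cap, size_t *n, unsigned c)
{
    if (*n < cap)
        out[*n] = (unsigned char)c;
    (*n)++;
}

/* Mirrors Exim's decode loop: each cycle consumes up to four input bytes and
   emits output bytes *before* the following input byte is validated. Returns
   the number of bytes emitted (decoded bytes, plus the NUL terminator on the
   success path); *ok is cleared where Exim would return -1. */
size_t exim_style_decode(const char *code, unsigned char *out, size_t cap, int *ok)
{
    size_t n = 0;
    int x, y;

    if (!table_ready)
        init_table();
    *ok = 1;

    while ((x = (unsigned char)*code++) != 0) {
        if ((x = dec64table[x]) == 255) { *ok = 0; return n; }
        if ((y = (unsigned char)*code++) == 0 || (y = dec64table[y]) == 255) { *ok = 0; return n; }
        emit(out, cap, &n, (x << 2) | (y >> 4));        /* byte 1 of the quantum */

        if ((x = (unsigned char)*code++) == '=') {
            if (*code++ != '=' || *code != 0) { *ok = 0; return n; }
        } else {
            if ((x = dec64table[x]) == 255) { *ok = 0; return n; }
            emit(out, cap, &n, (y << 4) | (x >> 2));    /* byte 2: written before the 4th char is checked */

            if ((y = (unsigned char)*code++) == '=') {
                if (*code != 0) { *ok = 0; return n; }
            } else {
                if ((y = dec64table[y]) == 255) { *ok = 0; return n; }   /* NUL lands here for 4n+3 */
                emit(out, cap, &n, (x << 6) | y);       /* byte 3 */
            }
        }
    }
    emit(out, cap, &n, 0);   /* terminating NUL on the success path */
    return n;
}

/* Bytes the loop emits beyond the vulnerable allocation: +1 is the
   CVE-2018-6789 off-by-one; 0 or negative means the input fits. */
long overflow_bytes(const char *code)
{
    unsigned char buf[256];
    int ok;
    size_t written = exim_style_decode(code, buf, sizeof buf, &ok);
    return (long)written - (long)vuln_alloc_size(code);
}

/* The sender-controlled byte that lands just past the allocation, or -1. */
int overflow_byte(const char *code)
{
    unsigned char buf[256];
    int ok;
    size_t alloc = vuln_alloc_size(code);
    size_t written = exim_style_decode(code, buf, sizeof buf, &ok);
    return written > alloc ? buf[alloc] : -1;
}

/* 1 if safe_alloc_size() covers everything the loop emits for this input. */
int safe_size_suffices(const char *code)
{
    unsigned char buf[256];
    int ok;
    return exim_style_decode(code, buf, sizeof buf, &ok) <= safe_alloc_size(code);
}

int main(void)
{
    /* Constructed inputs covering lengths 4n+0 .. 4n+3 and padded forms. */
    const char *inputs[] = { "QUJD", "QUJDR", "QUJDRE", "QUJDREV", "QUJ", "QUI=", "QQ==" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *in = inputs[i];
        printf("%-8s len=%zu alloc=%zu safe=%zu overflow=%+ld", in, strlen(in),
               vuln_alloc_size(in), safe_alloc_size(in), overflow_bytes(in));
        if (overflow_bytes(in) > 0)
            printf("  out-of-bounds byte=0x%02x", overflow_byte(in));
        printf("\n");
    }
    return 0;
}
```

Only the 4n+3 lengths (QUJ, QUJDREV) come out at +1: the loop has already stored the second byte of the trailing partial quantum when it reads the NUL terminator and bails out, and that byte is simply the decoded value of the characters the sender chose, which is why devco.re calls it controllable.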
We reported to our clients that an update must be applied as soon as possible, but the replies we received were remarkable.
cPanel users cannot update to version 4.90.1 on their own because of cPanel's update rules.
cPanel applies updates automatically as soon as they become available, but only after the cPanel team has released them through its own channel.
It seems that the cPanel engineers overlooked the Exim vulnerability, and now all cPanel users and servers are at risk.
Investigating this further together with the security researcher @Bank_Security, we found that the update does not even appear on the Exim GitHub releases page (https://github.com/Exim/exim/releases).
One of our clients submitted a support inquiry to cPanel asking about the release of the update, and the response was utterly extraordinary: “The update can’t be done individually; it will be released to all of our customers as soon as it becomes available.”
The tip of the iceberg: cPanel has also removed the ability of system administrators to manually update any part of the managed services without waiting for cPanel's automatic update.
So, as of this writing, millions of servers remain at risk. Hopefully cPanel will act more quickly in the future.
Users who want to update Exim manually can download the release from ftp://ftp.exim.org/pub/exim/exim4/ and build it themselves. Verify the detached GPG signature (the .asc file published next to the tarball) before building, and keep in mind that on a cPanel host a hand-built Exim lives outside cPanel's package management and may be overwritten by the next automatic update.
Timeline of the bug report according to devco.re:
* 2018-02-05 Report from Meh Chang via exim-security mailing list
* 2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko)
* 2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list
* 2018-02-08 16:50 Grant restricted access to the security repo for
* 2018-02-09 One distro breaks the embargo
* 2018-02-10 18:00 Grant public access to our official git repo.