CERT Coordination Center

Exim fails to properly handle trailing backslashes in string_interpret_escape()

Vulnerability Note VU#672565

Original Release Date: 2019-09-06 | Last Revised: 2019-09-18

Overview

Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape() function. This function is used to handle peer distinguished names (DN) and Server Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.

Description

Exim is a message transfer agent (MTA) that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape() function, which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '\' character, the vulnerable string_interpret_escape() function will interpret the string-terminating null byte as a value to be escaped, thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow.

Exim installations configured to allow TLS connections, which can happen either via the SMTP STARTTLS command or via TLS-on-connect, can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.

Impact

By causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges.

Solution

Apply an update
This vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.

Use ACLs to block attack attempts
The Exim advisory provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields:

    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
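The failure mode described above (a string ending in '\' makes the escape interpreter consume the terminating NUL and step past the end of the buffer) and the check the ACL performs, as an added C example; this is illustrative code written for this note, not Exim's own string_interpret_escape(), and the escape set it handles is an assumption:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Equivalent of the ACL condition: does the value end with a backslash? */
int ends_with_backslash(const char *s) {
    size_t n = strlen(s);
    return n > 0 && s[n - 1] == '\\';
}

/* Unescape s into out (capacity outsz). Returns the number of bytes written,
 * or -1 on error. The unsafe pattern is to do ch = *(++p) after a '\' and
 * treat ch as a literal even when it is the NUL terminator, leaving the
 * cursor one byte past the string; here a trailing '\' is rejected instead. */
int unescape_safe(const char *s, char *out, size_t outsz) {
    size_t o = 0;
    for (const char *p = s; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\') {
            p++;
            if (*p == '\0')            /* trailing backslash: stop, do not read on */
                return -1;
            switch (*p) {
                case 'n': c = '\n'; break;
                case 't': c = '\t'; break;
                case 'r': c = '\r'; break;
                default:  c = *p;   break;   /* "\\" and unknown escapes: literal */
            }
        }
        if (o + 1 >= outsz)            /* leave room for the terminator */
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience helper: 1 if s unescapes exactly to expected, 0 otherwise. */
int unescapes_to(const char *s, const char *expected) {
    char buf[64];
    return unescape_safe(s, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* constructed sample values, not captured data */
    const char *sni[] = { "mail.example.com", "mail.example.com\\" };
    for (int i = 0; i < 2; i++)
        printf("%-20s trailing backslash: %d\n", sni[i], ends_with_backslash(sni[i]));
    return 0;
}
```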

Vendor Information



CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8    E:POC/RL:OF/RC:C
Environmental  5.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Zerons for the initial report to Exim and to Qualys for providing additional analysis.

This document was written by Will Dormann, Laurie Tyzenhaus and Madison Oliver.

Other Information

CVE IDs: CVE-2019-15846
Date Public: 2019-09-06
Date First Published: 2019-09-06
Date Last Updated: 2019-09-18 15:15 UTC
Document Revision: 88

Sponsored by CISA.