Critical hole in the Exim Mail server closed

A missing format specification in a logging function of the free Mail Transfer Agent Exim has been identified by the developers as offering an attacker a chance to execute arbitrary code on the server. The particular line of code wrote a string directly to the logfile. An attacker could exploit this by adding particular formatting instructions into the DKIM information string in an incoming email which would allow them to inject their own code and run it with the rights of the mail server. Although no exploit is known to exist, the developers believe that an experienced attacker would not find an exploit hard to construct.

The bug was found in the dkim_exim_verify_finish() function which was called as part of handling DKIM (DomainKeys Identified Mail) on incoming messages. The bug affects all 4.7x versions prior to 4.76 RC1 – DKIM support was introduced in version 4.70.

Distributions that use the Exim mail server as default MTA, such as Debian and Ubuntu Linux, should be updated or patched as soon as possible. For Debian, a patched package is available for Debian Squeeze (stable) and Sid (unstable); it does not affect Debian Lenny as this did not ship an Exim with DKIM support. If updating is not possible, then users can apply a patch directly to the 4.75 sources: instructions are included in the 4.76 RC1 announcement. The 4.76 RC1 release is expected to be available as a final version of 4.76 by Monday and a change log is available detailing other non-security bug fixes in the new version.

Correction: The article previously listed Ubuntu as a distribution which used Exim as default MTA. It previously used Exim but switched some years ago to Postfix.

(djwm)