[CDP-development] TLP:GREEN (Zero Day Alert Notification): A Vulnerability in EXIM Could Allow for Arbitrary Code Execution

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Mon Oct 2 15:50:08 PDT 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability: MS-ISAC ADVISORY NUMBER: A Vulnerability in EXIM Could Allow for Arbitrary Code Execution. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On September 29, 2023, CISA issued an MS-ISAC advisory about CVE-2023-42115, a vulnerability that could allow for arbitrary code execution in the Exim mail transfer agent.

Vulnerable versions:

  *   All versions prior to 4.96.1

Fixed versions:

  *   4.96.1
  *   4.97

Intelligence: As of October 2, 2023, the vulnerability has not been confirmed as being exploited in the wild.

Workarounds: Exploitation is only possible when the "External" authentication scheme is configured and available. Mitigation: Do not offer EXTERNAL authentication.

How it works: The flaw exists within the SMTP service, which listens on TCP port 25 by default. The vulnerability results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer.

Post-Exploit: Upon successful exploitation of the vulnerability, an attacker can execute code in the context of the service account.

As of October 2, 2023, Tenable has not released a plugin for this vulnerability and does not have a plugin in the pipeline.

Recommended Actions:

  *   Disable external authentication.
  *   Verify the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
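
Added example (not part of the original advisory and not Exim or MS-ISAC code): a Python triage helper that applies the two conditions stated above, a version prior to 4.96.1 and EXTERNAL authentication being offered, to the text of `exim -bV` and a captured SMTP EHLO reply. The function names are hypothetical and the sample banner and EHLO reply are constructed.

```python
import re

FIXED = (4, 96, 1)  # first fixed release listed in the advisory


def parse_exim_version(bv_output):
    """Return the upstream version from `exim -bV` output as an int tuple."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", bv_output)
    if not m:
        raise ValueError("no Exim version banner found")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # 4.96 -> (4, 96, 0)


def is_vulnerable_version(bv_output):
    # Caveat: distribution packages may backport the fix under an older
    # upstream number; confirm against the vendor's own advisory.
    return parse_exim_version(bv_output) < FIXED


def advertised_auth_mechanisms(ehlo_reply):
    """Collect AUTH mechanisms from the lines of an SMTP EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def assess(bv_output, ehlo_reply):
    """Classify a host using the advisory's two conditions."""
    vulnerable = is_vulnerable_version(bv_output)
    external = "EXTERNAL" in advertised_auth_mechanisms(ehlo_reply)
    if vulnerable and external:
        return "exposed: disable EXTERNAL now, then patch"
    if vulnerable:
        return "workaround in place: EXTERNAL not offered, still patch"
    return "fixed version"


# Constructed sample input. Capture the EHLO reply after STARTTLS as well,
# since a server can advertise different mechanisms once TLS is up.
SAMPLE_BV = "Exim version 4.96 #2 built 01-Jan-2023 00:00:00\n"
SAMPLE_EHLO = ("250-mail.example.test Hello client\n250-SIZE 52428800\n"
               "250-AUTH PLAIN LOGIN EXTERNAL\n250 HELP\n")

if __name__ == "__main__":
    print(assess(SAMPLE_BV, SAMPLE_EHLO))
```
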





