{"vuid":"VU#672565","idnumber":"672565","name":"Exim fails to properly handle trailing backslashes in string_interpret_escape()","keywords":["Exim","TLS","CVE-2019-15846","tls_sni","tls_peerdn"],"overview":"Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape() function. This function is used to handle peer distinguished names (DN) and Server Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.","clean_desc":"Exim is a message transfer agent (MTA) that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the string_interpret_escape() function, which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '\\' character, the vulnerable string_interpret_escape() function will interpret the string-terminating null byte as a value to be escaped, thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow. Exim installations configured to allow TLS connections, which can happen either via the SMTP STARTTLS command or via TLS-on-connect, can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.","impact":"By causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges.","resolution":"Apply an update\nThis vulnerability is addressed in Exim 4.92.2. For further information see the Exim advisory for CVE-2019-15846.","workarounds":"Use ACLs to block attack attempts\nThe Exim advisory provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields:\n# to be prepended to your mail acl (the ACL referenced\n# by the acl_smtp_mail main config option)\ndeny    condition = ${if eq{\\\\}{${substr{-1}{1}{$tls_in_sni}}}}\ndeny    condition = ${if eq{\\\\}{${substr{-1}{1}{$tls_in_peerdn}}}}","sysaffected":"","thanks":"Thanks to Zerons for the initial report to Exim and to Qualys for providing additional analysis.","author":"This document was written by Will Dormann, Laurie Tyzenhaus and Madison Oliver.","public":["https://www.exim.org/static/doc/security/CVE-2019-15846.txt","https://ftp.exim.org/pub/exim/exim4/","https://github.com/Exim/exim.git","https://usn.ubuntu.com/4124-1/","https://github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846","https://git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4","https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-are-currently-being-attacked/","https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/"],"cveids":["CVE-2019-15846"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2019-09-06T15:03:09Z","publicdate":"2019-09-06T00:00:00Z","datefirstpublished":"2019-09-06T17:34:30Z","dateupdated":"2019-09-18T15:15:32Z","revision":88,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.8","cvss_environmentalscore":"5.86926702432","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}