Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro’s Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution.
Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.
“The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer,” ZDI’s advisory explains.
“Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input,” the Exim development team says in the changelog of version 4.96.1, released today.
Today, the Exim team also patched an RCE bug (CVE-2023-42114) and an information disclosure vulnerability (CVE-2023-42116).