ASA-2019-00534 – Exim: Buffer overflow by sending a SNI ending in a backslash-null sequence during the initial TLS handshake


Allele Security Alert

ASA-2019-00534

Identifier(s)

ASA-2019-00534, CVE-2019-15846

Title

Buffer overflow by sending a SNI ending in a backslash-null sequence during the initial TLS handshake

Vendor(s)

The Exim Project

Product(s)

Exim

Affected version(s)

Exim versions up to and including 4.92.1

Fixed version(s)

Exim version 4.92.2

Proof of concept

Yes

Description

The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a buffer overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate.

A local or remote attacker can execute programs with root privileges. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.
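To make the defect class concrete, here is an added illustrative example that is not Exim's code and does not reproduce its string.c routine or call sites: a minimal backslash-unescape loop in its naive form (consume the byte after every backslash, even when that byte is the NUL terminator) beside a hardened form that applies the check named in the referenced fix, "do not interpret '\' before '\0'". The function names and the `sample_sni` buffer with its trailing bytes are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample (not real SNI data): the string "abc\" is followed by its
 * NUL terminator and then by bytes "XYZ" that merely sit in memory after it.
 * Keeping everything in one array lets the naive routine's over-read stay
 * inside allocated memory so the demonstration is reproducible. */
static const char sample_sni[] = "abc\\\0XYZ";

/* Naive unescape (illustrative, not Exim's string.c): turns "\x" into "x".
 * On a backslash it unconditionally consumes the next byte. When that byte is
 * the terminating NUL, the NUL is copied as data and the loop runs on past the
 * end of the string: the defect class behind CVE-2019-15846. */
size_t unescape_naive(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    for (;;) {
        char c = src[i];
        if (c == '\\') {
            i++;
            c = src[i];             /* no check: may be the terminator */
        } else if (c == '\0') {
            break;
        }
        if (o + 1 >= dstlen)
            break;
        dst[o++] = c;
        i++;
    }
    dst[o] = '\0';
    return i;                       /* bytes of src consumed */
}

/* Hardened unescape: a backslash is only interpreted when a non-NUL byte
 * follows it. A trailing backslash is copied literally and the loop stops at
 * the terminator, so the read never leaves the string. */
size_t unescape_safe(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    while (src[i] != '\0') {
        char c = src[i];
        if (c == '\\' && src[i + 1] != '\0') {
            i++;
            c = src[i];
        }
        if (o + 1 >= dstlen)
            break;
        dst[o++] = c;
        i++;
    }
    dst[o] = '\0';
    return i;
}

/* Helpers that run each routine over the sample and report how far it read.
 * Anything beyond strlen(sample_sni) + 1 means the routine read past the NUL. */
size_t naive_bytes_consumed(void)
{
    char out[32];
    return unescape_naive(sample_sni, out, sizeof out);
}

size_t safe_bytes_consumed(void)
{
    char out[32];
    return unescape_safe(sample_sni, out, sizeof out);
}

/* 1 if the hardened routine keeps the trailing backslash as a literal. */
int safe_keeps_trailing_backslash(void)
{
    char out[32];
    unescape_safe(sample_sni, out, sizeof out);
    return strcmp(out, "abc\\") == 0;
}

/* 1 if both routines agree on ordinary input where a backslash is followed by
 * a real byte: the four bytes a, backslash, n, b unescape to "anb" in both. */
int routines_agree_on_normal_input(void)
{
    char a[32], b[32];
    size_t ia = unescape_naive("a\\nb", a, sizeof a);
    size_t ib = unescape_safe("a\\nb", b, sizeof b);
    return ia == 4 && ib == 4 && strcmp(a, "anb") == 0 && strcmp(b, "anb") == 0;
}

int main(void)
{
    printf("string length     : %zu\n", strlen(sample_sni));
    printf("naive consumed    : %zu bytes (past the terminator)\n", naive_bytes_consumed());
    printf("hardened consumed : %zu bytes\n", safe_bytes_consumed());
    return 0;
}
```

The review signal in this harness is the consumed-byte count: the naive routine reports more bytes than the string holds, because a backslash immediately before the terminator made it skip the NUL. When auditing any escape-processing loop, check that every path that advances past a backslash first confirms the following byte is not the terminator.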

Technical details

Unknown

Credits

Zerons

Reference(s)

CVE-2019-15846.txt
https://exim.org/static/doc/security/CVE-2019-15846.txt

CVE-2019-15846: Exim – local or remote attacker can execute programs with root privileges.
https://www.openwall.com/lists/oss-security/2019/09/04/1

string.c: do not interpret '\' before '\0' (CVE-2019-15846)
https://git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4

CVE-2019-15846 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15846.html

CVE-2019-15846
https://security-tracker.debian.org/tracker/CVE-2019-15846

CVE-2019-15846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15846

CVE-2019-15846
https://nvd.nist.gov/vuln/detail/CVE-2019-15846

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 9, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.