May 9, 2011 17:58 GMT  ·  By

Version 4.76 of the popular Exim message transfer agent (MTA) has been released as a security update in order to address a critical vulnerability that can allow attackers to execute arbitrary code remotely.

Exim is developed at the University of Cambridge for use on Unix systems. It is used as default MTA on Debian Linux and is commonly found together with the Mailman and cPanel software packages.

The flaw, identified as CVE-2011-1764, was reported by cybersecurity author and long-time spam fighter John R. Levine.

It can be classified as a format string vulnerability and consists of a misinterpretation of DKIM (DomainKeys Identified Mail) signatures due to an error in the dkim_exim_verify_finish() function.

"[...] A format string attack in logging DKIM information from an inbound mail may permit anyone who can send you email to cause code to be executed as the Exim run-time user.

"No exploit is known to exist, but we do not believe that an experienced attacker would find the exploit hard to construct," the official advisory explains.
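As an added illustration of the bug class the advisory describes (this is not Exim's code; the logger `log_write` and the `log_dkim_*` helpers are hypothetical stand-ins), a printf-style logger handed a sender-controlled DKIM value as its format string, beside the corrected call that passes the value as a `%s` argument:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical variadic logger standing in for an MTA's log routine. */
int log_write(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed DKIM-Signature value: anyone who can send mail controls it. */
const char SAMPLE_DKIM[] = "v=1; d=example.org; s=sel; bh=%08x %08x";

/* BEFORE: the untrusted value *is* the format string, so its "%08x"
 * conversions are interpreted by vsnprintf (the CVE-2011-1764 pattern).
 * Deliberately never called here: once the input carries conversion
 * specifiers the behaviour is undefined. */
int log_dkim_vulnerable(char *out, size_t outlen, const char *dkim)
{
    return log_write(out, outlen, dkim);
}

/* AFTER: a fixed, literal format; the untrusted value is only an argument. */
int log_dkim_fixed(char *out, size_t outlen, const char *dkim)
{
    return log_write(out, outlen, "DKIM: %s", dkim);
}

/* Defensive check for code review or a wrapper: a string that may be used
 * as a format must not contain '%' unless it is a compile-time literal.
 * Returns 1 when the string is free of conversion specifiers, else 0. */
int format_is_literal(const char *s)
{
    return strchr(s, '%') == NULL;
}

int main(void)
{
    char buf[128];
    log_dkim_fixed(buf, sizeof buf, SAMPLE_DKIM);
    puts(buf);   /* the "%08x" sequences are logged verbatim, not expanded */
    return 0;
}
```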

French vulnerability research vendor VUPEN Security rates this vulnerability as critical, so patching it as soon as possible is highly recommended.

According to the corresponding Debian advisory, Exim updates are available for both the stable (squeeze) and unstable (sid) distributions, as versions 4.72-6+squeeze1 and 4.75-3, respectively.

"The oldstable distribution (lenny) is not affected by this problem because it does not contain DKIM support," the Debian developers write. This is also the case for Red Hat Enterprise Linux 4 and 5.

A workaround is to add "control = dkim_disable_verify" to an ACL to prevent processing DKIM signatures. The patch can also be applied manually if, for some reason, upgrading to the new version is not possible.

The new Exim 4.76 also contains other fixes and improvements, including for two SIGSEGV bugs and one SIGFPE bug. The buffer usage for the STARTTLS transition has also been strengthened and is considered not vulnerable to an issue that affected many implementations.