Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Exim, a mail transfer agent (MTA), is a common target because servers that run MTA software are often exposed to the internet. Exploiting vulnerabilities in Exim is challenging if Exim is securely configured or if an attacker only has remote access to the server. But an attacker can gain complete control of the device, providing an entry point for additional attacks on your network.
Kill Chain
Risk Score
88
Exim is an MTA that runs on Unix and Linux servers. Exim has a vulnerability that causes a buffer overflow, leading to remote code execution (RCE). To exploit this vulnerability, an attacker initiates a TLS handshake to establish a secure connection with the Exim server. During the TLS handshake, the attacker submits malicious data, which includes a Server Name Indication (SNI) that ends with a trailing backslash and a payload. The SNI and payload are written to the memory buffer, but the trailing backslash affects where a vulnerable Exim process begins to read and write data from the payload. As a result, the Exim process performs an out-of-bounds write. This type of buffer overflow enables malicious code within the payload to run on the server with root privileges.
