Vulnerability CVE-2019-15846


Published: 2019-09-06

Description:
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Debian
Product: Debian linux 
Version:
9.0
8.0
10
Vendor: EXIM
Product: EXIM 
Version:
4.92.1
4.92
4.91
4.90.1
4.90.0.27
4.90.0.22
4.90
4.89.1
4.89
4.88
4.87.1
4.87
4.86.1
4.86
4.85.2
4.85.1
4.85
4.82.1
4.82
4.80.1
4.80
4.77
4.76
4.75
4.74
4.73
4.72
4.71
4.70
4.69
4.68
4.67
4.66
4.65
4.64
4.63
4.62
4.61
4.60
4.54
4.53
4.52
4.51
4.50
4.44
4.43
4.42
4.41
4.40
4.34
4.33
4.32
4.31
4.30
4.24
4.23
4.22
4.21
4.20
4.14
4.12
4.11
4.10
4.05
4.04
4.03
4.02
4.01
4.00
3.36
3.35
3.34
3.33
3.32
3.31
3.30
3.22
3.21
3.20
3.16
3.15
3.14
3.13
3.12
3.11
3.10
3.03
3.02
3.01
3.00
2.12
2.11
2.10

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://exim.org/static/doc/security/CVE-2019-15846.txt
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00024.html
http://www.openwall.com/lists/oss-security/2019/09/06/2
http://www.openwall.com/lists/oss-security/2019/09/06/4
http://www.openwall.com/lists/oss-security/2019/09/06/5
http://www.openwall.com/lists/oss-security/2019/09/06/6
http://www.openwall.com/lists/oss-security/2019/09/06/8
http://www.openwall.com/lists/oss-security/2019/09/07/1
http://www.openwall.com/lists/oss-security/2019/09/07/2
http://www.openwall.com/lists/oss-security/2019/09/08/1
http://www.openwall.com/lists/oss-security/2019/09/09/1
https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FT3GY7V7SR2RHKNZNQCGXFWUSILVSZNU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDF37AUNETIOXY6ZLQAUBGBVUTMMV242/
https://seclists.org/bugtraq/2019/Sep/13
https://security.gentoo.org/glsa/201909-06
https://usn.ubuntu.com/4124-1/
https://www.debian.org/security/2019/dsa-4517
https://www.kb.cert.org/vuls/id/672565
https://www.openwall.com/lists/oss-security/2019/09/06/1

Related CVE
CVE-2019-16928
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
CVE-2019-13917
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
CVE-2019-10149
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
CVE-2018-6789
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
CVE-2017-16944
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character sig...
CVE-2017-16943
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
CVE-2017-1000369
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note...
CVE-2016-9963
Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.

Copyright 2019, cxsecurity.com

 

Back to Top