Exim Mail Server Hit by Critical Remote Code Execution Flaw

The Dead.Letter vulnerability lets unauthenticated attackers achieve full server compromise through a single-byte heap corruption in the Exim mail server.

CSBadmin

Vulnerability Overview

A critical security flaw in the widely used Exim mail server allows unauthenticated attackers to execute arbitrary code remotely. Discovered by Federico Kirschbaum, head of the Security Lab at XBOW, the issue has been named Dead.Letter. The vulnerability is a use-after-free memory-corruption bug in the code that parses message bodies sent with binary data transmission (the SMTP CHUNKING extension). It is reachable only when Exim uses the GnuTLS library to handle TLS connections.

Attack Method and Impact

The exploit requires no special user interaction or configuration. An attacker can trigger the flaw by sending a TLS close_notify alert before the binary data transfer finishes, followed by a final cleartext byte on the same TCP connection. This sequence causes Exim to write into a memory buffer that has already been freed. By corrupting a single byte of heap memory, attackers can escalate privileges and achieve full remote code execution on exposed servers.

Patch Advice

The vulnerability affects Exim versions 4.97 through 4.99.2 compiled with the GnuTLS library. Builds using OpenSSL are not impacted. Organizations running affected Exim versions should apply the official patch immediately. The attack requires only a TLS connection and the SMTP CHUNKING extension, both of which are enabled by default on modern deployments, so prompt action is critical.
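A triage check an administrator could run on each mail host, added here as an example and not taken from the article or the Exim project: it parses the output of `exim -bV` to decide whether a build sits in the affected 4.97 to 4.99.2 range and links against GnuTLS rather than OpenSSL. The exact shape of the `Exim version` and `Library version:` lines is an assumption about the command's output, and the sample outputs are constructed.

```python
"""Dead.Letter triage: is this Exim build in the affected range and GnuTLS-based?"""
import re
import subprocess

AFFECTED_MIN = (4, 97)      # first affected release named in the advisory
AFFECTED_MAX = (4, 99, 2)   # last affected release named in the advisory

# Constructed sample outputs; real `exim -bV` output may differ in detail.
SAMPLE_GNUTLS = """Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 PAM TLS TLS_GNU DKIM
Library version: GnuTLS: Compile: 3.8.3
                         Runtime: 3.8.3
"""
SAMPLE_OPENSSL = """Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 PAM TLS TLS_OPENSSL DKIM
Library version: OpenSSL: Compile: OpenSSL 3.0.2 15 Mar 2022
"""


def parse_version(text: str) -> tuple:
    """Extract the Exim version as an int tuple, e.g. '4.98.1' -> (4, 98, 1)."""
    m = re.search(r"Exim version (\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no 'Exim version' line found")
    return tuple(int(p) for p in m.group(1).split("."))


def tls_library(text: str) -> str:
    """Return 'GnuTLS', 'OpenSSL' or 'unknown' from the library line (assumed format)."""
    for name in ("GnuTLS", "OpenSSL"):
        if re.search(r"Library version:\s*" + name, text):
            return name
    return "unknown"


def in_affected_range(version: tuple) -> bool:
    """4.97 <= version <= 4.99.2; tuples compare lexicographically, so (4, 97) <= (4, 97, 0)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(bv_output: str) -> dict:
    """Combine version range and TLS library into an affected/not-affected verdict."""
    version, lib = parse_version(bv_output), tls_library(bv_output)
    affected = in_affected_range(version) and lib == "GnuTLS"
    if not in_affected_range(version):
        reason = "version outside 4.97-4.99.2"
    elif lib == "OpenSSL":
        reason = "OpenSSL build, not impacted"
    elif lib == "GnuTLS":
        reason = "GnuTLS build in affected range: patch immediately"
    else:
        reason = "TLS library not detected; verify manually"
    return {"version": ".".join(map(str, version)), "tls": lib,
            "affected": affected, "reason": reason}


if __name__ == "__main__":
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    print(assess(out))
```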

Source: Cyber Security News
