Administrators of the popular open source Exim internet mail server have been warned to patch their installations once more, following the discovery of a string expansion bug that could be used for denial of service attacks and remote code execution.
Exim code maintainers have issued a patch in version 4.92.3 of the mail server, to fix a heap-based buffer overflow vulnerability.
A proof of concept has been published by Exim coder Jeremy Harris that shows how sending extended HELO (EHLO) commands with large amounts of data will trigger and crash a mail server.
Harris described the trivially exploitable bug as "a simple coding error, not growing a string by enough".
Exim versions 4.92, 4.92.1 and 4.92.2 are vulnerabile to the CVE-2019-16928 bug and should be upgraded to 4.92.3.
Shodan.io scans by iTnews found 50,531 vulnerable Exim version 4.92 servers on multiple networks in Australia, 97 running 4.92.1 and 215 version 4.92.2 variants; only 12 Exim installations running the patched version 4.92.3 were found.
Worldwide, Shodan.io found over 200,000 vulnerable Exim installations.
No known mitigation beyond updating the server software exists for the bug, which follows a serious vulnerability in June this year that saw millions of Exim systems being attacked.
Chinese researchers QAX A-Team which is connected to the Qi An Xin Group security vendor are credited with finding the bug.
