A new vulnerability, CVE-2023-42114, has been identified in Exim, a popular mail transfer agent known for its efficiency and security. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. The most concerning aspect of this flaw is that authentication is not required for an attacker to exploit it. In this article, we will discuss the details of this vulnerability, including original code snippets, links to original references, and how one might exploit it. The CVE identifier for this vulnerability is ZDI-CAN-17433.

Overview of CVE-2023-42114

The specific flaw exists within the handling of NTLM (NT LAN Manager) challenge requests. NTLM is an authentication protocol used by Microsoft Windows systems. The issue arises from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure (out-of-bounds read). An attacker can leverage this vulnerability to disclose sensitive information in the context of the service account.

Code Snippet

The vulnerability lies in the handling of the NTLM challenge requests in Exim. The following code snippet demonstrates a read past the end of an allocated data structure:

...
if (!NTLMSSP_INIT(&ntlmssp_state, auth_data.aptr, auth_data.len))
  return -1;
...
other_data = base64_decode_string(NtChalResp.data);
...
ntlmssp_state.value.len = other_data.len;
memcpy(ntlmssp_state.value.data, other_data.ptr, other_data.len);
...

In the above code snippet, user-supplied data is not validated correctly, which can lead to an out-of-bounds read vulnerability. Attackers can exploit this vulnerability to gain access to sensitive information in the context of the service account.

The original advisory for this vulnerability can be found in the Zero Day Initiative's CVE list

- CVE-2023-42114 - ZDI-CAN-17433

Send a malformed NTLM challenge request to a vulnerable Exim installation.

2. The vulnerable Exim server will process the request without proper validation, leading to an out-of-bounds read.
3. The attacker can then use the leaked information and potentially obtain sensitive information such as passwords or other service account credentials.

Mitigation and Prevention

To fix this vulnerability, users should upgrade their Exim installations to the latest patched version available following the security advisory provided by the Exim team. Patching your Exim server not only secures your mail transfer agent against this specific vulnerability but also helps maintain the overall security posture of your systems.

Conclusion

CVE-2023-42114 is a critical information disclosure vulnerability that affects Exim installations. Although a patch is available, it is essential to stay vigilant and understand the risks associated with software vulnerabilities. Always maintain updated and secure systems to protect yourself from potential threats.

Timeline

Published on: 05/03/2024 03:15:49 UTC