Executive Summary

This vulnerability exists in Exim versions before 4.99.2 on systems that use musl libc instead of glibc. It occurs when malformed DNS data is present in PTR records, causing a crash in the connection instance. The root cause is related to an oddity in the dn_expand function's handling of octal printing.

Useful 0 Not Useful 0

Impact Analysis

An attacker can exploit this vulnerability to crash the connection instance of Exim, leading to a denial of service. This means that the mail server could become unavailable or unstable when processing certain DNS PTR records with malformed data.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when Exim is built or run using musl libc and a malformed PTR DNS record causes a remote-triggered crash. Detection involves verifying the Exim build environment and monitoring for crashes triggered by DNS PTR queries.

You can check if Exim is using musl libc by running commands such as:

• ldd --version (to check the libc implementation)
• strings $(which exim) | grep musl (to check for musl references in the binary)

To detect exploitation attempts, monitor Exim logs for crashes or unusual DNS PTR queries, and use network monitoring tools to capture DNS traffic with malformed PTR records.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Verify if your Exim installation is built with musl libc.
• If so, upgrade Exim to version 4.99.2 or later where the vulnerability is fixed.
• If upgrading immediately is not possible, consider restricting or filtering DNS PTR queries to prevent malformed records from reaching the Exim server.
• Monitor Exim logs and system stability to detect and respond to any crash attempts.

Useful 0 Not Useful 0