Ubuntu update for exim4

1) Heap-based buffer overflow

EUVDB-ID: #VU66691

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-37452

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error for the alias list within the host_name_lookup() function in host.c when the sender_host_name is set. A remote attacker can initiate a connection to the affected server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package exim4 to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.04

exim4-daemon-light (Ubuntu package): before 4.93-13ubuntu1.6

exim4-daemon-heavy (Ubuntu package): before 4.93-13ubuntu1.6

exim4-base (Ubuntu package): before 4.93-13ubuntu1.6

External links

http://ubuntu.com/security/notices/USN-5574-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.