Exim Out-of-Bounds Read Vulnerability in UTF-8 Header Processing

Vulnerability

An out-of-bounds read vulnerability has been identified in Exim versions prior to 4.99.2. It is triggered when UTF-8 operators are enabled and a UTF-8 header contains large trailing characters, and it can disclose heap data. The root cause is the ${from_utf8:} expansion operator, which reads past its input into the heap when fed malformed UTF-8. If the bytes it returns are then used in an SMTP rejection message, that heap data is leaked to the remote party.
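The bug class at work here, as an added illustration that is not Exim's code: a hypothetical UTF-8 walk that trusts the lead byte's declared sequence length (the helper only computes how far such a walk would read past the buffer, it never performs the over-read) next to the hardened walk that rejects a truncated sequence at the tail of the input. Function names are assumptions.

```c
#include <stddef.h>

/* Hypothetical illustration of the bug class, not Exim's code: a
   length-trusting UTF-8 walk versus one that bounds-checks the tail. */

/* Number of bytes the lead byte c claims its sequence occupies,
   or 0 for a stray continuation byte / invalid lead byte. */
static size_t utf8_claimed_len(unsigned char c) {
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* How many bytes a decoder that trusts the lead byte's declared length
   would read past buf + len. Computed arithmetically; nothing beyond
   the buffer is actually touched. 0 means the tail is complete. */
size_t utf8_tail_overread(const unsigned char *buf, size_t len) {
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_claimed_len(buf[i]);
        if (n == 0) n = 1;              /* a naive walk just steps over it */
        if (n > len - i) return n - (len - i);
        i += n;
    }
    return 0;
}

/* Hardened walk: counts complete characters in buf[0, len) and returns
   -1 for a truncated sequence, a bad continuation byte, or a stray
   continuation byte. Never reads at or beyond buf + len. */
int utf8_count_chars_checked(const unsigned char *buf, size_t len) {
    int count = 0;
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_claimed_len(buf[i]);
        if (n == 0) return -1;
        /* The check a from_utf8-style decoder needs: stop trusting the
           lead byte once its declared length exceeds the remaining input. */
        if (n > len - i) return -1;
        for (size_t k = 1; k < n; k++)
            if ((buf[i + k] & 0xC0) != 0x80) return -1;
        i += n;
        count++;
    }
    return count;
}
```

A header ending in a 4-byte lead byte with no continuation bytes makes utf8_tail_overread report 3 bytes of over-read, which is exactly the input the checked walk refuses.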

Impact

Exploitation of this vulnerability can disclose heap data: when the over-read bytes end up in an SMTP rejection message, they are returned to the external party that sent the message.

Reproduction

To reproduce this vulnerability, configure Exim to apply UTF-8 operations to externally-provided input, then send an email with a malformed UTF-8 header that includes large trailing characters. The out-of-bounds read is observable when the server generates error messages for subsequent emails on the same connection.

Remediation

Users can upgrade to Exim version 4.99.2, which fixes this vulnerability. It is available as a tarball from the Exim FTP site or directly from the Exim Git repository.

Added: Apr 30, 2026, 10:24 PM
Updated: Apr 30, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 9.3
remediation: 7.7
relevance: 7.1
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.