SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange, Courier). These rules differ from the protocol rules in that they cover traffic directed at the mail server application itself rather than the protocol exchange in general.
SERVER-MAIL EHLO user overflow attempt
This event is generated when an attacker sends an overly long EHLO SMTP command, used to exploit an off-by-one vulnerability present in the Exim mail transfer agent.
Attempted Administrator Privilege Gain
The rule checks for overly long EHLO SMTP commands used to exploit an off-by-one vulnerability present in the Exim mail transfer agent.
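As an added illustration of the condition this rule describes (not the Snort rule itself and not Exim code), the following Python splits a client-to-server SMTP byte stream into command lines and raises an alert when an EHLO or HELO carries an argument longer than a legitimate host name could be. The thresholds are assumptions taken from RFC 5321 (255 octets for a domain, 512 octets for a command line including CRLF); the sample sessions are constructed, not captured traffic.

```python
"""Flag overly long EHLO/HELO arguments in SMTP client traffic.

Added example, independent of the Snort rule and of Exim. The length limits
below are assumed detection thresholds taken from RFC 5321 section 4.5.3.1:
a domain may be at most 255 octets and a command line at most 512 octets
including the trailing CRLF.
"""
import re
from typing import Iterator, List, Optional

MAX_DOMAIN_OCTETS = 255          # RFC 5321 domain limit (assumed threshold)
MAX_COMMAND_LINE_OCTETS = 512    # RFC 5321 command line limit incl. CRLF

# Matches "EHLO <arg>" or "HELO <arg>"; the argument group is optional so a
# bare "EHLO" is still recognised as the command and not mis-scored.
_EHLO_RE = re.compile(rb"^(EHLO|HELO)(?:[ \t]+(.*))?$", re.IGNORECASE)


def split_smtp_lines(stream: bytes) -> Iterator[bytes]:
    """Yield command lines from a raw client stream (CRLF or bare LF).

    A trailing fragment with no line terminator is yielded as well: an
    attacker can deliver the overflow payload without ever ending the line,
    so a detector that waits for CRLF would miss it.
    """
    for line in re.split(rb"\r?\n", stream):
        if line:
            yield line


def inspect_ehlo(line: bytes) -> Optional[dict]:
    """Return an alert dict for an EHLO/HELO whose argument is oversized, else None."""
    m = _EHLO_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2) or b""
    # +2 accounts for the CRLF that split_smtp_lines stripped.
    if len(arg) > MAX_DOMAIN_OCTETS or len(line) + 2 > MAX_COMMAND_LINE_OCTETS:
        return {
            "verb": verb,
            "arg_len": len(arg),
            "line_len": len(line),
            "msg": "SERVER-MAIL EHLO user overflow attempt",
        }
    return None


def scan_stream(stream: bytes) -> List[dict]:
    """Run inspect_ehlo over every command line and collect the alerts."""
    alerts = []
    for line in split_smtp_lines(stream):
        alert = inspect_ehlo(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (client side only); not a real capture.
BENIGN_SESSION = (
    b"EHLO mail.example.com\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"QUIT\r\n"
)

# Same shape, but the EHLO argument is padded far past the 255-octet limit.
MALICIOUS_SESSION = b"EHLO " + b"A" * 4096 + b"\r\nQUIT\r\n"

if __name__ == "__main__":
    print("benign:", scan_stream(BENIGN_SESSION))
    print("malicious:", scan_stream(MALICIOUS_SESSION))
```

The check is deliberately keyed only on the EHLO/HELO verbs so that long arguments elsewhere (for example a long MAIL FROM path) do not trip it; a production detector would run on the reassembled server-bound TCP stream on the SMTP ports rather than on a single byte string, and the thresholds should be tuned against local traffic before alerting on them.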
Ease of Attack:
What To Look For
Known Usage: No public information
False Positives: No known false positives
Contributors: Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2018-6789: An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
Ease of Access:
CVE-2019-16928: Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Ease of Access: LOW