Sid 1-47541

Message

SERVER-MAIL EHLO user overflow attempt

Summary

This event is generated when an attacker attempts to send an overly long EHLO SMTP message, used to exploit an off-by-one vulnerability present in the Exim mail transfer agent.

Impact

Attempted Administrator Privilege Gain

CVE-2018-6789:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

This rule checks for overly long EHLO SMTP messages used to exploit an off-by-one vulnerability present in the Exim mail transfer agent. CVE-2018-6789: An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
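As an added illustration of the kind of check this rule performs (example code written for this page, not the Snort rule itself or Talos's logic), the following Python scans a client-to-server SMTP stream and flags EHLO/HELO commands whose argument is longer than an assumed threshold. The 255-octet threshold is taken from the domain-length bound in RFC 5321, and both sample sessions are constructed.

```python
import re

# Assumed threshold for this example (not the rule's actual value):
# RFC 5321 caps a domain name or address literal at 255 octets, so an
# EHLO/HELO argument far beyond that is a useful anomaly indicator.
MAX_EHLO_ARG_LEN = 255

# Match the command at the start of a line and capture its argument up to
# the end of that line (CRLF or bare LF).
EHLO_RE = re.compile(rb"^(EHLO|HELO)[ \t]+([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def find_long_ehlo(client_stream: bytes, max_len: int = MAX_EHLO_ARG_LEN):
    """Return [(command, argument_length), ...] for every EHLO/HELO whose
    argument exceeds max_len. Only the client->server direction should be
    passed in, mirroring a flow-aware IDS check."""
    hits = []
    for match in EHLO_RE.finditer(client_stream):
        command = match.group(1).upper().decode("ascii")
        arg_len = len(match.group(2))
        if arg_len > max_len:
            hits.append((command, arg_len))
    return hits


# Constructed sample sessions (not captured traffic).
BENIGN_SESSION = (
    b"EHLO mail.example.com\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"QUIT\r\n"
)
ANOMALOUS_SESSION = (
    b"ehlo " + b"a" * 300 + b"\r\n"   # 300-octet hostname, well over the limit
    b"QUIT\r\n"
)

if __name__ == "__main__":
    print("benign:", find_long_ehlo(BENIGN_SESSION))        # []
    print("anomalous:", find_long_ehlo(ANOMALOUS_SESSION))  # [('EHLO', 300)]
```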

Affected systems

  • exim exim 2.10
  • exim exim 2.11
  • exim exim 2.12
  • exim exim 3.00
  • exim exim 3.01
  • exim exim 3.02
  • exim exim 3.03
  • exim exim 3.10
  • exim exim 3.11
  • exim exim 3.12
  • exim exim 3.13
  • exim exim 3.14
  • exim exim 3.15
  • exim exim 3.16
  • exim exim 3.20
  • exim exim 3.21
  • exim exim 3.22
  • exim exim 3.30
  • exim exim 3.31
  • exim exim 3.32
  • exim exim 3.33
  • exim exim 3.34
  • exim exim 3.35
  • exim exim 3.36
  • exim exim 4.00
  • exim exim 4.01
  • exim exim 4.02
  • exim exim 4.03
  • exim exim 4.04
  • exim exim 4.05
  • exim exim 4.10
  • exim exim 4.11
  • exim exim 4.12
  • exim exim 4.14
  • exim exim 4.20
  • exim exim 4.21
  • exim exim 4.22
  • exim exim 4.23
  • exim exim 4.24
  • exim exim 4.30
  • exim exim 4.31
  • exim exim 4.32
  • exim exim 4.33
  • exim exim 4.34
  • exim exim 4.40
  • exim exim 4.41
  • exim exim 4.42
  • exim exim 4.43
  • exim exim 4.44
  • exim exim 4.50
  • exim exim 4.51
  • exim exim 4.52
  • exim exim 4.53
  • exim exim 4.54
  • exim exim 4.60
  • exim exim 4.61
  • exim exim 4.62
  • exim exim 4.63
  • exim exim 4.64
  • exim exim 4.65
  • exim exim 4.66
  • exim exim 4.67
  • exim exim 4.68
  • exim exim 4.69
  • exim exim 4.70
  • exim exim 4.71
  • exim exim 4.72
  • exim exim 4.73
  • exim exim 4.74
  • exim exim 4.75
  • exim exim 4.76
  • exim exim 4.77
  • exim exim 4.80
  • exim exim 4.80.1
  • exim exim 4.82
  • exim exim 4.82.1
  • debian debian_linux 7.0
  • debian debian_linux 8.0
  • debian debian_linux 9.0

Ease of attack

Simple

False positives

Not known

False negatives

Not known

Corrective action

Update all affected products to their latest and non-vulnerable versions.

Contributors

  • Cisco's Talos Intelligence Group

Additional References