Check Point Advisories

Exim MTA string_format Remote Code Execution (CVE-2010-4344)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-348
Date Published:	22 Dec 2010
Severity:	Critical
Last Updated:	Sunday 14 February, 2016
Source:
Industry Reference:	CVE-2010-4344
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70
Who is Vulnerable?
Vulnerability Description	The Exim mail server is a full featured mail transfer agent (MTA) used in Unix-like platforms. It contains implementations of SMTP server for incoming messages as well ,as a SMTP or LMTP client for incoming email. A heap buffer overflow vulnerability has been reported in Exim Mail Transfer Agent (MTA). TThe vulnerability is due to a buffer overflow in the Exim MTA that fails to properly handle malformed email headers. A remote attacker may exploit this issue to execute arbitrary code on an Exim server by sending a specially crafted email to the vulnerable server. Successful exploitation of this vulnerability would allow the attacker to execute code within the security context of the affected server.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70

In the IPS tab, click Protections and find the Exim MTA string_format Remote Code Execution protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: SMTP Protection Violation.
Attack Information: Exim MTA string_format remote code execution