Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Exim Buffer Overflow RCE Vulnerability (CVE-2018-6789) – What You Need to Know

On February 10, the Unix-based email server Exim released an update to address a heap buffer overflow vulnerability that can be used by an unauthenticated attacker to remotely execute arbitrary code. The flaw, assigned CVE-2018-6789, is noted to exist in all versions of Exim, prior to their latest release, 4.90.1, which means the attack surface potential is very wide. A quick search on Shodan yields more than 6 million results.

Vulnerability details

The vulnerability was originally discovered by DEVCORE, and details were published on their blog on March 6. The vulnerability is due to a flaw in the b64decode buffer length in the base64d() function. Due to an off-by-one calculation mistake, heap memory can be overwritten when parsing an invalid base64 string leading to critical data being overwritten.

As base64 decoding is a widely used function, and since the byte is user-controlled, this increases the ease of exploitation, which can be utilized for remote code execution.

Identifying affected systems

To detect systems affected by this critical flaw, Tenable has released Nessus® plugins for Tenable.io Vulnerability Management, SecurityCenter and Nessus Pro. Additionally, Tenable has released passive detection via Nessus Network Monitor, which may be used with Tenable.io Vulnerability Management to detect the vulnerability passively on the network. Tenable.io Container Security has also been updated to detect the Exim off-by-one RCE vulnerability in Docker container images. The following table summarizes Tenable's coverage.

Plugin ID



Exim < 4.90.1 Buffer Overflow RCE Vulnerability

700223 (Nessus Network Monitor)

Exim < 4.90.1 Remote Code Execution


Debian DLA-1274-1 : exim4 security update


Debian DSA-4110-1 : exim4 - security update


Fedora 26 : exim (2018-25a7ba3cb6)


Fedora 27 : exim (2018-5aec14e125)


FreeBSD : exim -- a buffer overflow vulnerability, remote code execution (316b3c3e-0e98-11e8-8d41-97657151f8c2)


openSUSE Security Update : exim (openSUSE-2018-170)


Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : exim4 vulnerability (USN-3565-1)


GLSA-201803-01 : Exim: Multiple vulnerabilities

What should you do?

If you’re running a version of Exim prior to 4.90.1, make sure you update to the most current release. Exim notes that all versions of Exim prior to 4.90.1 are now obsolete and that 3.x releases are also obsolete and should not be used.

Get more information

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.