Hello, welcome to the Wednesday, March 7th, 2018 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

About a month ago, Critical War on Ability was patched in the Exim Mail Server.

This is not often the default mail server in my experience, but it is available

for many different distributions as a simple install from packages. A quick look at Shodan shows

about 6.3 million exposed installs. And of course, mail servers, you want them to be exposed

to the internet. Now, when this patch was originally released, it wasn't really given a lot of

attention given that it was only a one-byte buffer overflow. So the attack already here only has one byte to play with, but it isn't unheard-off to actually

use a one-byte buffer overflow to actually then execute meaningful malicious code.

Well, and what changed today is, and the reason I'm mentioning this is that there is now

a detailed blog post showing you how to write and exploit for this specific vulnerability.

So with that, it's pretty much open season on unpatched XIM servers.

Make sure that you address this flaw. Again if you install

from packages it should already be part of your distribution and it should be a

pretty straightforward update. Other mitigation techniques are tricky here. The

flaw is in the base 64 decode function and well an awful lot of

different data is base 64 encoded in email. So this is exploitable via a wide range of commonly used

SMTP functions like for example e-Hello mail mail from, receipt to and off. And if following the

February patched use the updates from Microsoft, you had some problems with USB devices. In particular,

the ones that are sort of built in to your system like laptop cameras, then Microsoft has another patch for you.

Apparently the problem here is that the Windows update skips installing the newer version

of some critical drivers according to Microsoft and that causes then these devices to fail.

...