On Friday the 24th of November a remote code execution vulnerability was reported for Exim, a popular mail transfer agent for Unix-like platforms. The vulnerability was found in the SMTP chunking extension (ESMTP CHUNKING), which was introduced in Exim 4.88. It allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
The workaround for Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) is to add the following parameter in the main section of the Exim configuration:
We have many DirectAdmin servers running Exim 4.88 (or newer) which required this workaround. For various reasons we couldn’t simply update the existing exim.conf using DirectAdmin’s update scripts. To apply the workaround on hundreds of servers (with different exim.conf versions) we used the following Ansible playbook:
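
As an added example (not the playbook or any code from the original post), here is a POSIX shell version of the same per-host change. It assumes the workaround is the empty `chunking_advertise_hosts =` main-section setting that the Exim project published for this issue. The function names and the sample config are made up; the option is set before the first `begin` line, whatever the rest of exim.conf looks like.

```shell
#!/bin/sh
# Added example, not the original post's playbook; function names are made up.

# Succeeds when an Exim version (4.89, 4.89.1, 4.90_RC1) is 4.88 or newer.
needs_workaround() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 88 ]; }
}

# Print FILE with an empty chunking_advertise_hosts in the main section,
# i.e. everything before the first "begin <section>" line.
patch_main_section() {
    awk '
        BEGIN { fix = "chunking_advertise_hosts =" }
        # continuation lines of a value that was just replaced are dropped
        skip { skip = ($0 ~ /\\[ \t]*$/); next }
        !in_sections && /^[ \t]*(hide[ \t]+)?chunking_advertise_hosts[ \t]*=/ {
            if (!have) print fix          # replace whatever value was set
            have = 1
            skip = ($0 ~ /\\[ \t]*$/)
            next
        }
        !in_sections && /^[ \t]*begin[ \t]/ {
            if (!have) print fix          # absent: add at end of main section
            have = 1
            in_sections = 1
        }
        { print }
        END { if (!have) print fix }      # config with no "begin" line at all
    ' "$1"
}

# Rewrite FILE only if the patched text differs, keeping FILE.bak.
# Returns 0 when changed (Exim must then be restarted), 1 when already set.
apply_workaround() {
    tmp=$(mktemp) || return 2
    patch_main_section "$1" > "$tmp"
    if cmp -s "$1" "$tmp"; then rm -f "$tmp"; return 1; fi
    cp -p "$1" "$1.bak" && cat "$tmp" > "$1"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed config (not a real exim.conf).
demo=$(mktemp)
printf '%s\n' 'primary_hostname = mail.example.test' \
    'chunking_advertise_hosts = *' 'begin acl' 'acl_check_rcpt:' > "$demo"
needs_workaround 4.89 && apply_workaround "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```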