The bug allows for remote code execution
A Taiwanese security researcher named Meh Chang discovered the bug, which he reported to the Exim crew on February 2. The Exim team released Exim distribution 4.90.1 on February 10 that fixes the RCE issue.
The bug —tracked as CVE-2018-6789— is categorized as a "pre-auth remote code execution," meaning an attacker could trick the Exim email server into running malicious commands before the attacker would need to authenticate on the server.
The actual bug is a one-byte buffer overflow in the base64 decode function of Exim and affects all Exim versions ever released.
Chang described the bug in a blog post released earlier today, detailing basic steps for exploiting Exim's SMTP daemon.
No PoC or exploit code available... yet
In a security advisory, the Exim team publicly acknowledged the issue. "Currently we're unsure about the severity, we *believe*, an exploit is difficult. A mitigation isn't known," the Exim team said.
Since Exim 4.90.1's release, updated Exim versions have trickled down to Linux distros used primarily in data centers, but the question remains about the number of unpatched systems that remain online. Taking into account that Exim is by far the most popular mail agent, CVE-2018-6789 opens a large attack surface, and Exim server owners should look into deploying the Exim 4.90.1 update as soon as possible.
At the time of writing, there is no public exploit code for taking advantage of vulnerable Exim servers, but this will likely change in the days following Chang's blog post.
Chang also discovered two other Exim bugs last year, which also led to remote code execution. Those bugs were patched in Exim 4.90."