CVE-2023-42119 Overview
CVE-2023-42119 is an out-of-bounds read vulnerability [CWE-125] in the Exim mail transfer agent. The flaw resides in the dnsdb lookup component used by the SMTP service that listens on TCP port 25. Network-adjacent attackers can exploit the issue without authentication to disclose sensitive memory contents from the Exim process. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-17643 and published as ZDI-23-1473.
Critical Impact
Unauthenticated network-adjacent attackers can read memory beyond an allocated buffer in the Exim SMTP service and chain this primitive with other vulnerabilities to execute arbitrary code in the context of the service account.
Affected Products
- Exim mail transfer agent (all versions prior to the fixed release)
- Debian LTS distributions packaging vulnerable Exim builds
- Linux mail server deployments exposing Exim SMTP on TCP/25
Discovery Timeline
- 2024-05-03 - CVE-2023-42119 published to the National Vulnerability Database
- 2024-10 - Debian LTS issues security announcement for affected Exim packages
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2023-42119
Vulnerability Analysis
The vulnerability exists in the dnsdb lookup mechanism inside the Exim SMTP service. Exim processes attacker-influenced DNS data without correctly validating buffer boundaries before reading from memory. As a result, the parser reads past the end of an allocated heap buffer.
The primitive yields information disclosure on its own. Attackers can combine the leaked memory contents with a separate memory corruption flaw to defeat address space layout randomization and achieve arbitrary code execution as the Exim service user. The vulnerability is classified under [CWE-125] Out-of-Bounds Read.
The issue carries an EPSS probability of 0.731% at the 72.869 percentile, indicating moderate community interest relative to other published CVEs. No public proof-of-concept has been observed, and CISA has not added the CVE to the Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is missing or insufficient bounds validation on user-supplied data processed by the dnsdb lookup. Exim trusts size or length metadata derived from network input when computing read offsets, allowing reads to extend past the allocated buffer boundary into adjacent heap memory.
Attack Vector
Exploitation requires network adjacency to a host running a vulnerable Exim instance with SMTP exposed on TCP port 25. The attacker connects to the SMTP service and submits crafted input that triggers a dnsdb lookup, causing the out-of-bounds read. Authentication is not required. Successful exploitation returns memory contents that can include credentials, configuration data, or pointers useful for chaining with a second vulnerability.
No verified public exploit code is available. Refer to the Zero Day Initiative Advisory ZDI-23-1473 for additional technical context.
Detection Methods for CVE-2023-42119
Indicators of Compromise
- Unexpected SMTP sessions originating from adjacent network segments targeting TCP/25 on Exim hosts.
- Exim process crashes, segmentation faults, or abnormal restarts recorded in mainlog or paniclog.
- Anomalous dnsdb lookup activity or malformed DNS-style query strings in Exim logs.
Detection Strategies
- Inspect Exim logs in /var/log/exim4/ or /var/spool/exim/log/ for repeated parser errors and abnormal termination events.
- Deploy network intrusion detection signatures targeting malformed SMTP payloads that invoke dnsdb lookups.
- Correlate SMTP connection patterns with process telemetry to identify probing followed by crashes.
Monitoring Recommendations
- Forward Exim logs and host telemetry to a centralized SIEM for correlation against SMTP traffic.
- Baseline normal SMTP connection volume and alert on bursts from internal or adjacent network ranges.
- Monitor for Exim worker processes consuming unusual memory or terminating unexpectedly.
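The correlation described in the detection and monitoring lists above (SMTP probing followed by a process crash), as an added example that is not part of the advisory or of Exim. It assumes the mainlog has the +smtp_connection log selector enabled and that crash events from the host (kernel segfault messages) have been normalized to the same "YYYY-MM-DD HH:MM:SS" timestamp prefix; the window and the log lines are constructed for the example.

```python
"""Correlate Exim SMTP connection logging with process-termination telemetry.

Added example, not code from the advisory or from the Exim project.
Assumptions: mainlog has the +smtp_connection log selector enabled (so
connections are logged as "SMTP connection from ... [ip]:port"), and crash
events have been normalized to the same "YYYY-MM-DD HH:MM:SS" timestamp
prefix. All log lines below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Exim mainlog entry for an inbound SMTP connection; the bracketed source IP
# may be preceded by a host name or reverse-lookup result.
SMTP_CONN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP connection from .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]"
)
# Kernel segfault message for an exim worker (assumed normalized timestamp).
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*\bexim4?\[\d+\]: segfault"
)

# Constructed sample lines: one quiet peer (10.0.5.7) and one peer that
# connects three times in ten seconds right before a worker crash.
SAMPLE_MAINLOG = """\
2024-05-03 09:58:00 SMTP connection from mx1.example.net [10.0.5.7]:51234 I=[10.0.0.2]:25 (TCP/IP connection count = 1)
2024-05-03 10:00:05 SMTP connection from [10.0.9.44]:40210 I=[10.0.0.2]:25 (TCP/IP connection count = 1)
2024-05-03 10:00:09 SMTP connection from [10.0.9.44]:40211 I=[10.0.0.2]:25 (TCP/IP connection count = 2)
2024-05-03 10:00:12 SMTP connection from [10.0.9.44]:40212 I=[10.0.0.2]:25 (TCP/IP connection count = 3)
2024-05-03 10:05:00 SMTP connection from mx1.example.net [10.0.5.7]:51300 I=[10.0.0.2]:25 (TCP/IP connection count = 1)
2024-05-03 10:05:01 1s2Tyw-0001Ab-3K <= alice@example.test H=mx1.example.net [10.0.5.7] P=esmtp S=1288
""".splitlines()

SAMPLE_CRASHES = """\
2024-05-03 10:00:13 mailhost kernel: exim4[4182]: segfault at 7f3c1a2b0000 ip 000055d0c0a1f2b3 sp 00007ffd1c3e4d50 error 4 in exim4[55d0c0a00000+1b0000]
2024-05-03 11:30:00 mailhost kernel: exim4[5120]: segfault at 0 ip 000055d0c0a201c0 sp 00007ffd1c3e4d50 error 4 in exim4[55d0c0a00000+1b0000]
""".splitlines()


def parse_timestamps(lines, pattern):
    """Return [(timestamp, match)] for every line that matches pattern."""
    out = []
    for line in lines:
        m = pattern.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m))
    return out


def correlate(mainlog_lines, crash_lines, window_seconds=60):
    """Map each source IP to its connection count and the number of crash
    events that occurred within window_seconds after one of its connections.
    Only IPs with at least one such crash are returned."""
    window = timedelta(seconds=window_seconds)
    conns = defaultdict(list)
    for ts, m in parse_timestamps(mainlog_lines, SMTP_CONN_RE):
        conns[m["ip"]].append(ts)
    crashes = [ts for ts, _ in parse_timestamps(crash_lines, CRASH_RE)]

    suspects = {}
    for ip, times in conns.items():
        hits = sum(
            1 for c in crashes
            if any(timedelta(0) <= c - t <= window for t in times)
        )
        if hits:
            suspects[ip] = {"connections": len(times), "crashes_after": hits}
    return suspects


if __name__ == "__main__":
    for ip, info in sorted(correlate(SAMPLE_MAINLOG, SAMPLE_CRASHES).items()):
        print(f"{ip}: {info['connections']} connections, "
              f"{info['crashes_after']} crash(es) within 60s of a connection")
```

The window is deliberately short so that a crash is attributed to the peers that were talking to the listener at the time; widening it (the second assertion in the accompanying test uses 300 seconds) pulls in the quiet peer as well, which is the usual precision trade-off when tuning this kind of rule in a SIEM.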
How to Mitigate CVE-2023-42119
Immediate Actions Required
- Apply vendor-supplied Exim updates from your distribution maintainer without delay.
- Restrict TCP/25 access to trusted networks using host or perimeter firewall rules.
- Audit Exim configuration for unnecessary use of dnsdb lookups in ACLs and routers.
Patch Information
Debian LTS issued package updates documented in the Debian LTS Security Announcement. Administrators running upstream Exim should upgrade to the fixed release referenced in the Zero Day Initiative Advisory ZDI-23-1473. Verify package versions after upgrade with exim -bV and confirm the running binary matches the patched build.
Workarounds
- Disable or remove dnsdb lookups from Exim configuration files where operationally feasible.
- Limit inbound SMTP exposure to authenticated relays or trusted upstream mail gateways.
- Run Exim under a least-privilege service account with mandatory access controls such as AppArmor or SELinux.
# Verify installed Exim version and confirm patched build
exim -bV
# Restrict SMTP exposure with iptables to a trusted CIDR
# (10.0.0.0/8 is a placeholder; -A appends, so place these rules
# ahead of any broader ACCEPT rule already present in the chain)
iptables -A INPUT -p tcp --dport 25 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
# Search Exim configuration for dnsdb usage (only one of the two
# directories normally exists, so silence the "No such file" error)
grep -RIn 'dnsdb' /etc/exim4/ /etc/exim/ 2>/dev/null
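The grep above tells you that dnsdb appears somewhere; for the configuration audit recommended under Immediate Actions and Workarounds it helps to know which section (main, acl, routers, transports) and which ACL or driver block each lookup sits in. The following is an added example, not code from the advisory or from the Exim project: it joins backslash-continued lines, tracks "begin ..." sections and "name:" blocks, and also flags uses of a main-section macro whose definition wraps a dnsdb lookup, which a plain grep misses. The configuration text is a constructed sample; .include files are not followed.

```python
"""Section-aware audit of an Exim configuration for dnsdb lookups.

Added example, not code from the advisory or from the Exim project. It
reports each ${lookup dnsdb{...}} expansion with the configuration section
(main, acl, routers, transports, ...) and the ACL or driver block it sits
in, joins backslash-continued lines, and also flags uses of a main-section
macro whose definition contains a dnsdb lookup. The configuration text is a
constructed sample. Assumed limit: .include files are not followed.
"""
import re
import sys

SECTION_RE = re.compile(r"^\s*begin\s+(\w+)\s*$")   # "begin acl", "begin routers", ...
BLOCK_RE = re.compile(r"^(\w+):\s*$")               # "acl_check_rcpt:", "dnslookup:"
MACRO_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=")    # macro definition (main section)
DNSDB_RE = re.compile(r"\$\{lookup\s+dnsdb\b")      # start of a dnsdb lookup expansion

SAMPLE_CONFIG = r"""
# Constructed sample Exim configuration, not a real deployment
DNSBL_CHECK = ${lookup dnsdb{a=$sender_host_address.bl.example.test}{yes}{no}}
primary_hostname = mail.example.test
domainlist local_domains = @ : example.test

begin acl

acl_check_rcpt:
  deny    message   = sender host is listed
          condition = DNSBL_CHECK
  deny    message   = sender domain publishes no policy record
          condition = ${lookup dnsdb{txt=_policy.$sender_address_domain} \
                       {no}{yes}}
  accept

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

mx_override:
  driver = manualroute
  route_data = ${lookup dnsdb{mx=$domain}{$value}fail}
  transport = remote_smtp

begin transports

remote_smtp:
  driver = smtp
""".lstrip("\n")


def logical_lines(text):
    """Yield (first_physical_lineno, line) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:                       # dangling continuation at end of file
        yield start, "".join(buf)


def audit_dnsdb(config_text):
    """Return one finding per logical line that performs a dnsdb lookup,
    either directly or through a macro that was defined with one."""
    findings = []
    macros = []                   # main-section macro names that wrap dnsdb
    section, block = "main", None
    for lineno, line in logical_lines(config_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group(1), None
            continue
        m = BLOCK_RE.match(line)
        if m:
            block = m.group(1)
            continue
        direct = DNSDB_RE.search(line) is not None
        via = next((name for name in macros if re.search(rf"\b{name}\b", line)), None)
        if direct or via:
            findings.append({
                "line": lineno, "section": section, "block": block,
                "via_macro": via, "text": " ".join(stripped.split()),
            })
        m = MACRO_RE.match(line)
        if m and direct and section == "main":
            macros.append(m.group(1))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_dnsdb(text):
        where = f["block"] or "(no block)"
        how = f"via macro {f['via_macro']}" if f["via_macro"] else "direct"
        print(f"line {f['line']:>4}  {f['section']}/{where}  {how}: {f['text']}")
```

Run it against a real file with `python3 audit_dnsdb.py /etc/exim4/exim4.conf.template` (path is an example); findings in the acl section are the ones reachable from unauthenticated SMTP input and therefore the first candidates for the "disable or remove" workaround.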
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.