CVE-2023-42119: 
Exim vulnerability analysis and mitigation

CVE-2023-42119 is an out-of-bounds read information disclosure vulnerability in Exim's SMTP service. The vulnerability was discovered in June 2022 and publicly disclosed on September 27, 2023. The flaw exists within the SMTP service, which listens on TCP port 25 by default, and affects installations of Exim mail transfer agent (ZDI Advisory).

The vulnerability stems from the lack of proper validation of user-supplied data in the SMTP service, which can result in a read past the end of an allocated buffer. The issue has been assigned a CVSS v3.0 base score of 3.1 (LOW) with the vector string CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory, Red Hat).

The vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim without requiring authentication. An attacker could potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account (ZDI Advisory).

Given the nature of the vulnerability, the primary mitigation strategy is to restrict interaction with the application and use Exim with a trustworthy DNS resolver able to validate the data according to the DNS record types (Debian Security Tracker, ZDI Advisory).

Security researchers have characterized this vulnerability as one of several issues discovered in Exim, noting that while it requires specific conditions to be exploitable, organizations should still apply patches when available. The vulnerability was initially reported in June 2022 but remained unpatched for over a year before public disclosure (Watchtowr Labs).