Security researchers found 21 flaws in this widely used email server, so update immediately

Newly disclosed Exim mail server bugs can be remotely exploited to allow attackers to gain complete root privileges.

The maintainers of the widely-used Exim email server are urging admins to update to Exim version 4.94.2 due to 21 newly disclosed security flaws. 

"All versions of Exim previous to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used," the University of Cambridge-backed project said in an update.

"This is a security release," the project adds, referring to fixes for 21 flaws that can be exploited by anyone over the internet. 
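The advisory's only actionable instruction is "run 4.94.2 or later", so the first thing an admin with a fleet of mail hosts wants is a repeatable way to tell which ones still report an older release. The script below is an added example written for this article, not code from the Exim project or from Qualys. It parses the first line that `exim -bV` prints ("Exim version X.Y.Z #N built ..."), compares the release number against 4.94.2 with a proper numeric comparison (so 4.94 sorts below 4.94.2 and 4.100 above it), and runs the same check against the local binary. The sample banners are constructed for the example; the function names are the example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

# The release the advisory names as the first safe one; every earlier
# release is declared obsolete.
FIXED_VERSION = (4, 94, 2)

# Constructed sample banners in the shape of the first line `exim -bV`
# prints ("Exim version X.Y.Z #N built ..."); the build suffix varies.
SAMPLE_BANNERS = {
    "patched":    "Exim version 4.94.2 #2 built 04-May-2021 10:18:21\n",
    "vulnerable": "Exim version 4.92 #3 built 14-Sep-2019 13:34:17\n",
    "legacy":     "Exim version 3.36 #1 built 05-Jun-2002 22:14:00\n",
}

def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Pull the dotted release number out of an `exim -bV` banner.
    Returns a tuple of ints such as (4, 94, 2), or None if absent."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def pad(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """Right-pad with zeros so 4.94 compares as 4.94.0, i.e. below 4.94.2."""
    return version + (0,) * (len(FIXED_VERSION) - len(version))

def needs_upgrade(banner: str) -> bool:
    """True when the banner reports a release older than FIXED_VERSION."""
    version = parse_version(banner)
    if version is None:
        raise ValueError("no Exim version found in banner")
    return pad(version) < pad(FIXED_VERSION)

def check_local_exim() -> Optional[bool]:
    """Run `exim -bV` on this host and classify it; None if exim is absent."""
    try:
        result = subprocess.run(["exim", "-bV"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return needs_upgrade(result.stdout)

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        verdict = "UPGRADE" if needs_upgrade(banner) else "ok"
        print(f"{label:<10} {banner.split(' #')[0]:<22} {verdict}")
    local = check_local_exim()
    print("local exim:", "not installed" if local is None
          else ("UPGRADE" if local else "ok"))
```

One caveat when using a banner check like this: distributions that backport security fixes into their packaged release keep the upstream version string, so a Debian host can carry the fixes while `exim -bV` still prints an older number. Treat an old banner as "verify against the package changelog", not as proof of exposure, and treat 4.94.2 or later as the only result that needs no further checking.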


The new Exim release addresses security flaws reported by researchers at security firm Qualys.

The bugs are a potentially major threat to internet security given that nearly 60% of internet servers run the Exim mail transfer agent (MTA) software, which is by far the most widely used email server. As Qualys points out, IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US.

Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.  

"Exim Mail Servers are used so widely and handle such a large volume of the internet's traffic that they are often a key target for hackers," said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys.  

"The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers."

Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches "immediately" given the breadth of the attack surface for this vulnerability.

Such flaws have been rapidly exploited in the past: a previous remote code execution flaw in Exim that was patched in mid-2019 was also discovered by researchers at Qualys. 

The NSA eventually revealed that attackers had been exploiting the flaw, tracked as CVE-2019-10149, within two months of its public disclosure.  

The NSA warned in June 2020 that a hacking group known as Sandworm, within Russia's intelligence service, GRU, had been exploiting the Exim flaw since at least August 2019. That bug's impact is the same as that of the 21 newly disclosed vulnerabilities.

The NSA said the attackers exploited the bug on victims' public-facing MTAs by sending a specially crafted command in the "MAIL FROM" field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.


MTAs are an attractive target for attackers because they're generally exposed on the internet. 

Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges. 

The company reported an initial set of bugs to Exim maintainers on 20 October 2020 and provided 26 patches to Exim.

CVE              Description                                            Type
CVE-2020-28007   Link attack in Exim's log directory                    Local
CVE-2020-28008   Assorted attacks in Exim's spool directory             Local
CVE-2020-28014   Arbitrary file creation and clobbering                 Local
CVE-2021-27216   Arbitrary file deletion                                Local
CVE-2020-28011   Heap buffer overflow in queue_run()                    Local
CVE-2020-28010   Heap out-of-bounds write in main()                     Local
CVE-2020-28013   Heap buffer overflow in parse_fix_phrase()             Local
CVE-2020-28016   Heap out-of-bounds write in parse_fix_phrase()         Local
CVE-2020-28015   New-line injection into spool header file (local)      Local
CVE-2020-28012   Missing close-on-exec flag for privileged pipe         Local
CVE-2020-28009   Integer overflow in get_stdinput()                     Local
CVE-2020-28017   Integer overflow in receive_add_recipient()            Remote
CVE-2020-28020   Integer overflow in receive_msg()                      Remote
CVE-2020-28023   Out-of-bounds read in smtp_setup_msg()                 Remote
CVE-2020-28021   New-line injection into spool header file (remote)     Remote
CVE-2020-28022   Heap out-of-bounds read and write in extract_option()  Remote
CVE-2020-28026   Line truncation and injection in spool_read_header()   Remote
CVE-2020-28019   Failure to reset function pointer after BDAT error     Remote
CVE-2020-28024   Heap buffer underflow in smtp_ungetc()                 Remote
CVE-2020-28018   Use-after-free in tls-openssl.c                        Remote
CVE-2020-28025   Heap out-of-bounds read in pdkim_finish_bodyhash()     Remote