Critical vulnerabilities expose 300k Exim mail servers globally; patching is terrible
Take action (updated): there is now a valid fixed release of Exim, so start planning an urgent patch. As a mitigating action you can hide Exim behind a proxy MTA from another vendor. This requires an architecture and configuration review, but it is a full mitigation. Everything else is just hoping the servers won't be hacked.
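To make the proxy-MTA mitigation concrete, here is an added example (not from the original post or the Exim project) of the front-end relay configuration, with Postfix assumed as the "other vendor" MTA. The domain and backend address are placeholders passed in as arguments; a small check function beside it catches the classic mistake of turning the new edge host into an open relay, and a constructed weak configuration shows what that check rejects.

```sh
#!/bin/sh
# Added example, not from the original post or the Exim project: a front-end
# relay that takes the Internet-facing SMTP role away from Exim. Postfix is
# assumed as the "other vendor" MTA; the domain and backend address passed in
# are placeholders. Exim then listens only on the internal interface and the
# firewall exposes port 25 on the relay alone.

# front_mta_main_cf DOMAIN BACKEND_IP -> prints Postfix main.cf directives for the relay
front_mta_main_cf() {
    domain="$1"; backend="$2"
    cat <<EOF
# Accept mail for our domain only, and hand every accepted message to Exim inside.
relay_domains = $domain
relay_transport = smtp:[$backend]:25
# Nothing is delivered locally on the relay; it is not a final destination.
mydestination =
local_recipient_maps =
# Relay only from our own networks or to our own domains: never an open relay.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# The relay has no reason to offer SMTP AUTH to the Internet.
smtpd_sasl_auth_enable = no
EOF
}

# relay_config_is_closed CONFIG_TEXT -> 0 when the config names relay_domains and
# rejects unauthorised destinations; a relay missing either can become an open relay.
relay_config_is_closed() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -q '^relay_domains = [^[:space:]]' || return 1
    printf '%s\n' "$cfg" | grep -q '^smtpd_relay_restrictions = .*reject_unauth_destination' || return 1
    return 0
}

# Constructed weak configuration for contrast: no relay domains, permits everything.
WEAK_CFG="relay_domains =
smtpd_relay_restrictions = permit"

GOOD_CFG=$(front_mta_main_cf example.com 10.0.0.5)

if relay_config_is_closed "$WEAK_CFG"; then
    echo "weak config: unexpectedly passed"
else
    echo "weak config: would act as an open relay, do not deploy"
fi
if relay_config_is_closed "$GOOD_CFG"; then
    echo "rendered config: relays only for example.com to 10.0.0.5"
fi
```

The relay only becomes a mitigation once Exim stops answering on a public address: bind Exim's listener to the internal interface, restrict it to accept connections from the relay, and confirm from outside that port 25 reaches the relay and nothing else.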
Hundreds of thousands of Exim mail servers are at risk due to a critical zero-day vulnerability present in all versions of the Exim mail transfer agent (MTA) software.
Exim is installed on over 56% of the approximately 602,000 official mail servers reachable on the Internet. Exim is the default MTA on Debian Linux distros and is vulnerable to exploitation. Furthermore, a Shodan search reveals that over 3.5 million Exim servers are currently exposed online, with a significant number located in the United States, Russia, and Germany.
Multiple vulnerabilities in the Exim mail transfer agent were reported by the Zero Day Initiative (ZDI), with four of the six bugs enabling remote code execution and carrying severity ratings ranging from 7.5 to 9.8 out of 10 (see ZDI's published advisories; search for Exim):
- CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
- CVE-2023-42115 (CVSS score: 9.8) - Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2023-42116 (CVSS score: 8.1) - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2023-42117 (CVSS score: 8.1) - Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
- CVE-2023-42118 (CVSS score: 7.5) - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
- CVE-2023-42119 (CVSS score: 3.1) - Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
The most severe vulnerability, CVE-2023-42115, allows remote attackers to execute arbitrary code without requiring authentication. Another fixed vulnerability, CVE-2023-42116, results in a stack-based overflow and allows remote code execution. The third fixed vulnerability, CVE-2023-42114, permits the disclosure of sensitive information and has a severity rating of 3.7.
The Exim team was notified of these vulnerabilities by ZDI in June 2022 and was reminded of them in May 2023 upon the vendor's request. However, the developers failed to provide an update on their progress toward issuing a patch. Consequently, ZDI published an advisory on September 27, detailing the zero-day and providing a timeline of their exchanges with the Exim team.
Unfortunately, Exim has patched just three of these vulnerabilities and stored the fixes in a private repository; the status of patches for the remaining three, including two that allow remote code execution, remains unknown, and they are probably unpatched.
Update: as of 2 October 2023, a security release, exim-4.96.1, has been published. “This is a security release,” states the Exim website. “You should upgrade as soon as possible. All versions of Exim previous to version 4.96.1 are now obsolete.”
Detailed information about the fixes, and mitigations for those unable to patch immediately, has not been provided. Exim has only stated that it will provide the patches to Linux distro maintainers, which means that most Exim mail server admins will be left helpless for a while.
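Since the Exim website's own rule is "anything below 4.96.1 is obsolete", the check an admin wants is a version comparison against that release. The following is an added example, not from the original post or the Exim project: a POSIX sh script that parses the banner printed by `exim -bV` (its first line reads `Exim version 4.96 #2 built ...`), compares the dotted version component by component, and treats an unparseable banner as needing attention rather than as safe. The sample banner in the script is constructed so it runs offline; on a real host the same functions are applied to the live binary.

```sh
#!/bin/sh
# Added example, not from the original advisory: check whether an Exim host
# is still below the 4.96.1 security release named above. The banner format
# "Exim version 4.96 #2 built ..." is what `exim -bV` prints; the sample
# banner further down is constructed for offline use.

FIXED_VERSION="4.96.1"

# version_lt A B -> exit 0 when dotted version A is older than B
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}            # leading component of each
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ac=${ac:-0}; bc=${bc:-0}            # a missing component counts as 0
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1                                # versions are equal
}

# exim_version_from_banner BANNER -> prints "4.96" from "Exim version 4.96 #2 built ..."
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# exim_needs_patch VERSION -> exit 0 when VERSION predates the fixed release
exim_needs_patch() {
    version_lt "$1" "$FIXED_VERSION"
}

# exim_banner_needs_patch BANNER -> exit 0 when the banner's version predates the
# fix; an unparseable banner also counts as needing attention, never as "safe".
exim_banner_needs_patch() {
    v=$(exim_version_from_banner "$1")
    if [ -z "$v" ]; then return 0; fi
    exim_needs_patch "$v"
}

# Constructed sample banner standing in for a real `exim -bV` first line.
SAMPLE_BANNER="Exim version 4.96 #2 built 01-Jan-2023 00:00:00"
if exim_banner_needs_patch "$SAMPLE_BANNER"; then
    echo "sample host: $(exim_version_from_banner "$SAMPLE_BANNER") < $FIXED_VERSION -> patch urgently"
fi

# On a real host, run the same check against the live binary when it is present.
if command -v exim >/dev/null 2>&1; then
    if exim_banner_needs_patch "$(exim -bV 2>/dev/null | head -n 1)"; then
        echo "this host: patch urgently"
    else
        echo "this host: at or above $FIXED_VERSION"
    fi
fi
```

Distribution packages that backport the fix without bumping the upstream version will show as "needs patch" here; for those hosts, confirm the fix from the package changelog rather than relying on the version string alone.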
The severity of the vulnerability is exacerbated by the fact that MTA servers like Exim are highly susceptible to attacks due to their internet accessibility, making them attractive targets for malicious actors. The urgency in addressing these vulnerabilities is further underscored by historical instances of Russian military hacking groups exploiting critical Exim vulnerabilities for network compromise.