The maintainers of the widely-used Exim email server are urging admins to update to Exim version 4.94.2 due to 21 newly disclosed security flaws.
“All versions of Exim previous to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update.
“This is a security release,” the project adds, referring to fixes for 21 flaws that can be exploited by anyone over the internet.
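An added example (not code from the Exim project or Qualys): a small Python check that applies the project's 4.94.2 cut-off to version strings collected from SMTP greetings or `exim -bV` output. The hostnames and banner lines are constructed, and the greeting layout is assumed to be Exim's default.

```python
import re

FIXED = (4, 94, 2)  # first release carrying the fixes, per the project's announcement

# Matches "Exim 4.92.3" in an SMTP greeting and "Exim version 4.94.2" in `exim -bV` output.
VERSION_RE = re.compile(r"\bExim (?:version )?(\d+(?:\.\d+){1,3})", re.IGNORECASE)

def parse_version(text):
    """Return the Exim version found in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def needs_update(version):
    """True when version sorts before 4.94.2 (4.94 is compared as 4.94.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED + (0,) * (len(padded) - len(FIXED))

def audit(inventory):
    """Classify (host, text) pairs as 'update', 'ok' or 'unknown'."""
    report = {}
    for host, text in inventory:
        version = parse_version(text)
        if version is None:
            # Greeting customised or not Exim: check the installed package instead.
            report[host] = ("unknown", None)
        else:
            status = "update" if needs_update(version) else "ok"
            report[host] = (status, ".".join(map(str, version)))
    return report

# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE = [
    ("mx1.example.org", "220 mx1.example.org ESMTP Exim 4.92.3 Tue, 04 May 2021 09:12:44 +0000"),
    ("mx2.example.org", "Exim version 4.94.2 #2 built 04-May-2021 10:01:17"),
    ("mx3.example.org", "220 mx3.example.org ESMTP Exim 4.94 Tue, 04 May 2021 09:12:51 +0000"),
    ("old.example.org", "220 old.example.org ESMTP Exim 3.36 #1 Tue, 04 May 2021 09:13:02 +0000"),
    ("mx4.example.org", "220 mx4.example.org ESMTP ready"),
]

if __name__ == "__main__":
    for host, (status, version) in audit(SAMPLE).items():
        print(f"{host:18} {version or '-':8} {status}")
```

A host flagged here may still be patched if its distribution backports fixes without changing the upstream version string, so confirm against the installed package version before treating it as vulnerable.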
The new Exim release addresses security flaws reported by researchers at security firm Qualys.
The bugs are a potentially major threat to internet security given that nearly 60% of internet servers run on Exim mail transfer agent (MTA) software, which is by far the most widely used email server. As Qualys points out, IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US.
Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.
“Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys.
“The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.”
Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches “immediately” given the breadth of the attack surface for this vulnerability.
Such flaws have been rapidly exploited in the past: a previous remote code execution flaw in Exim that was patched in mid-2019 was also discovered by researchers at Qualys.
The NSA eventually revealed that attackers had been exploiting the flaw, tracked as CVE-2019-10149, within two months of its public disclosure.
The NSA warned in June 2020 that a hacking group known as Sandworm, within Russia’s intelligence service, GRU, had been exploiting the Exim flaw since at least August 2019. That bug’s impact is the same as that of the 21 newly disclosed vulnerabilities.
The NSA said the attackers exploited the bug on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.
MTAs are an attractive target for attackers because they’re generally exposed on the internet.
Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges.
The company reported an initial set of bugs to Exim maintainers on 20 October, 2020 and provided 26 patches to Exim.
| CVE | Description | Type |
| --- | --- | --- |
| CVE-2020-28007 | Link attack in Exim’s log directory | Local |
| CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
| CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
| CVE-2021-27216 | Arbitrary file deletion | Local |
| CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
| CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
| CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
| CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
| CVE-2020-28015 | New-line injection into spool header file (local) | Local |
| CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
| CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
| CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
| CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
| CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
| CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
| CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
| CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
| CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
| CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
| CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
| CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |