Exim Email Servers Flaw

The maintainers of the Exim email server software have released security updates to address a collection of 21 vulnerabilities named 21Nails, that can be exploited by attackers to take control of servers and access email traffic through them.

The issues were discovered by the security firm Qualys and reported to Exim. The flaws include 11 local vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely.

Exim is a free mail transfer agent (MTA) used on Unix-like operating systems, 59% of all MTA solutions used worldwide are Exim as of May 2021.

At the time of writing, querying the Shodan search engine we can find that more than 3.86 million Exim servers are exposed online.

Exim maintainers have released patches to remediate 21 security vulnerabilities in its software that could enable unauthenticated attackers to achieve complete remote code execution and gain root privileges. Experts recommend updating installs to Exim version 4.94.

List of Vulnerabilities Discovered

Local vulnerabilities

  • CVE-2020-28007: Link attack in Exim’s log directory
  • CVE-2020-28008: Assorted attacks in Exim’s spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local)
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  •  CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

“We have not tried to exploit all of these vulnerabilities, but we successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs (Remote Code Executions)”, experts mentioned.

  • CVE-2020-28007 (LPE, from user “exim” to root);
  • CVE-2020-28008 (LPE, from user “exim” to root);
  • CVE-2020-28015 (LPE, from any user to root);
  • CVE-2020-28012 (LPE, from any user to root, if allow_filter is true);
  • CVE-2020-28020 (unauthenticated RCE as “exim”, in Exim < 4.92);
  • CVE-2020-28018 (unauthenticated RCE as “exim”, in 4.90 <= Exim < 4.94, if TLS encryption is provided by OpenSSL);
  • CVE-2020-28021 (authenticated RCE, as root);
  • CVE-2020-28017 is also exploitable (unauthenticated RCE as “exim”), but requires more than 25GB of memory in the default configuration.

In EXIM software, during May 2020 the U.S. National Security Agency (NSA) warned that Russia-linked APT group tracked Sandworm Team were exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA) software since at least August 2019.

In September 2019, Exim maintainers released an urgent security update, Exim version 4.92.3, to address a critical security vulnerability that could allow a remote attacker to crash or potentially execute malicious code on targeted email servers.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in the string_vformat (string.c). An attacker could exploit the flaw using an unexpected long EHLO string to crash the Exim process that is receiving the message.

In early September, the Exim development team addressed one more vulnerability in the popular mail server, tracked as CVE-2019-15846. The vulnerability could be exploited by local and remote attackers to execute arbitrary code with root privileges.

Therefore “Mail Transfer Agents are interesting targets for attackers because they are usually accessible over the internet,” Bharat Jogi, senior manager at Qualys said.

“Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers.”

Also Read

Badloc- Microsoft Warns of Multiple Vulnerabilities that Could Affect a Wide Range of IoT and OT Devices

F5 BIG-IP APM AD (Active Directory) Authentication Flaw Bypassed using a Spoofed AS-REP

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.