
A severe zero-day vulnerability has been discovered in all versions of the Exim mail transfer agent (MTA) software. This vulnerability permits unauthenticated attackers to achieve remote code execution (RCE) on servers that are accessible over the Internet.

This vulnerability was discovered by an anonymous security researcher and reported via Trend Micro's Zero Day Initiative (ZDI). The security flaw, CVE-2023-42115, is an Out-of-bounds Write weakness within the SMTP service.

If exploited successfully, the flaw can lead to software crashes or data corruption, but attackers can also use it to execute code or commands on vulnerable servers. As explained in a ZDI security advisory published on Wednesday, "The specific flaw exists within the SMTP service, which listens on TCP port 25 by default.

The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account."

MTA servers like Exim are particularly vulnerable targets, mainly because they are often accessible over the internet, serving as easy entry points for attackers into a target's network.

The National Security Agency (NSA) stated in May 2020 that the infamous Russian military hacking group Sandworm had been exploiting the critical CVE-2019-10149 Exim flaw since at least August 2019.

Exim is also the default MTA on the Debian Linux distribution and the world's most popular MTA software, according to a mail server survey from early September 2023. The survey found that Exim is installed on over 56% of the 602,000 mail servers accessible online, equating to just over 342,000 Exim servers.

A Shodan search reveals that over 3.5 million Exim servers are currently exposed online, most in the United States, followed by Russia and Germany.

While a patch is not yet available to secure vulnerable Exim servers against potential attacks, ZDI advised admins to restrict remote access from the internet as a preventative measure against possible exploitation attempts.

"Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application," ZDI warned.
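The mitigation ZDI describes is a question of exposure: which addresses and ports the Exim daemon binds, and who can reach them. The following is an added example, not code from the article, from ZDI or from the Exim project. It reads the real Exim main-configuration options local_interfaces and daemon_smtp_ports (honouring Exim's colon-separated list syntax and its "<;" separator override), reports which listeners sit on wildcard or public addresses, and renders an nftables ruleset that accepts those ports only from an allow-list of peers until a patched build is installed. The two configuration snippets and the allow-list prefixes at the bottom are constructed for this example, and the table name exim_guard is an arbitrary choice.

```python
"""Added example (not Exim's, ZDI's or the article's code): audit an Exim main
configuration for an Internet-facing SMTP listener and render an nftables
allow-list for it.  Uses the real Exim options ``local_interfaces`` and
``daemon_smtp_ports``; the sample configurations below are constructed."""
import ipaddress
import re

# Exim defaults when the options are unset: every interface, the "smtp" port.
DEFAULT_INTERFACES = "<; ::0 ; 0.0.0.0"
DEFAULT_PORTS = "smtp"
SERVICE_PORTS = {"smtp": 25, "submission": 587, "submissions": 465, "smtps": 465}


def main_option(config_text, name, default):
    """Value of ``name = value`` in the main section, or ``default`` if unset."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s*=\s*(.*?)\s*$", re.M)
    match = pattern.search(config_text)
    return match.group(1) if match else default


def split_exim_list(value):
    """Split an Exim list.  A leading ``<`` plus a punctuation character changes
    the separator (``<; a ; b``); in the default colon-separated form a doubled
    colon stands for a literal colon, which is how IPv6 literals are written."""
    value = value.strip()
    if len(value) > 1 and value[0] == "<" and not value[1].isalnum():
        items = value[2:].split(value[1])
    else:
        marker = "\x00"
        items = [i.replace(marker, ":") for i in value.replace("::", marker).split(":")]
    return [i.strip() for i in items if i.strip()]


def parse_interface(item):
    """Return (ip_address object, port or None).  Exim appends an explicit port
    as a trailing dotted component, e.g. ``192.168.1.10.2525`` or ``::1.2525``.
    IPv4-mapped IPv6 forms such as ``::ffff:1.2.3.4`` are not handled here."""
    port = None
    parts = item.split(".")
    if ":" not in item and len(parts) == 5:        # IPv4 address plus port
        item, port = ".".join(parts[:4]), int(parts[4])
    elif ":" in item and len(parts) == 2:          # IPv6 address plus port
        item, port = parts[0], int(parts[1])
    return ipaddress.ip_address(item), port


def exposed_listeners(config_text):
    """(address, port) pairs bound on wildcard or non-internal addresses, i.e.
    what an Internet-facing host would expose.  Loopback, RFC 1918, ULA and
    similar reserved ranges count as internal."""
    ports = []
    for p in split_exim_list(main_option(config_text, "daemon_smtp_ports", DEFAULT_PORTS)):
        ports.append(SERVICE_PORTS.get(p.lower()) or int(p))
    exposed = []
    for item in split_exim_list(main_option(config_text, "local_interfaces", DEFAULT_INTERFACES)):
        addr, port = parse_interface(item)
        if not addr.is_unspecified and (addr.is_loopback or addr.is_private):
            continue                               # wildcard binds are always exposed
        for listen_port in ([port] if port else ports):
            exposed.append((str(addr), listen_port))
    return exposed


def nft_allow_list(listeners, allowed_cidrs, table="exim_guard"):
    """Render an nftables ruleset (inet family) that accepts the exposed SMTP
    ports only from ``allowed_cidrs`` and drops every other source."""
    ports = sorted({port for _, port in listeners})
    if not ports:
        return ""
    v4 = [c for c in allowed_cidrs if ipaddress.ip_network(c, strict=False).version == 4]
    v6 = [c for c in allowed_cidrs if ipaddress.ip_network(c, strict=False).version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = []
    if v4:
        rules.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {port_set} accept")
    if v6:
        rules.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {port_set} accept")
    rules.append(f"    tcp dport {port_set} drop")
    return "\n".join([f"table inet {table} {{", "  chain input {",
                      "    type filter hook input priority 0; policy accept;",
                      *rules, "  }", "}"])


# Constructed sample configurations (not real hosts).
EXPOSED_CONFIG = """\
# local_interfaces left unset: Exim listens on all interfaces
primary_hostname = mail.example.test
daemon_smtp_ports = smtp : 587
"""
INTERNAL_CONFIG = """\
primary_hostname = relay.internal.test
local_interfaces = <; 127.0.0.1 ; ::1 ; 10.0.0.5.2525
daemon_smtp_ports = 25
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("internal", INTERNAL_CONFIG)):
        listeners = exposed_listeners(cfg)
        print(f"{name}: exposed listeners = {listeners}")
        if listeners:
            print(nft_allow_list(listeners, ["10.0.0.0/8", "2001:db8::/32"]))
```

The generated ruleset is a stop-gap, not a replacement for the fix: it keeps unknown peers off the SMTP listener, but any host inside the allow-list can still reach the unpatched service, so the allow-list should be as short as the mail flow permits.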

ZDI also disclosed five other Exim zero-days with lower severity ratings, tagged as high and medium severity:

  • CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
  • CVE-2023-42116 (CVSS score: 8.1) - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
  • CVE-2023-42117 (CVSS score: 8.1) - Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
  • CVE-2023-42118 (CVSS score: 7.5) - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
  • CVE-2023-42119 (CVSS score: 3.1) - Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability

Exim developer Heiko Schlittermann revealed on the Open Source Security (oss-sec) mailing list after this article was published that "fixes are available in a protected repository" for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116, and are "ready to be applied by the distribution maintainers."

"The remaining issues are debatable or need to be more clear. We need to fix them. We're happy to provide fixes for all issues as soon as we receive detailed information," Schlittermann added.

A ZDI representative replied to the oss-sec thread saying that the advisories published this week would be updated and the zero-day tag removed as soon as Exim publishes patches. 

"The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, 'You do what you do,'" the ZDI representative said.

"If these bugs have been appropriately addressed, we will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue." 


CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organizations against all kinds of cyber threats.
