The Exim mail server software support team has released fixes for 21 vulnerabilities that allow you to take control of a server using both local and remote attack vectors. A series of vulnerabilities called 21Nails was discovered by Qualys. With its help, attackers can take control of the server in order to intercept or interact with e-mails passing through it.
21Nails includes 11 vulnerabilities that require local access to the server to exploit, and 10 vulnerabilities that can be exploited remotely.
The problem affects all versions of Exim released in the last 17 years (since 2004). To avoid possible cyber attacks, server owners are strongly advised to update them to version 4.94.
Previous vulnerabilities in Exim, disclosed in 2019-2020, were actively exploited by hacker groups, both financially motivated and working for the government. Most often, attackers exploited a vulnerability ( CVE-2019-10149 ) known as Return of the WIZard.
Qualys researchers say they will not publish exploits for all 21Nails Exim vulnerabilities. However, the Exim command notification contains enough information to enable attackers to design effective exploits.
Here are the summary of all 21 Vulnerabilities
| CVE | Description | Type |
|---|---|---|
| CVE-2021-27216 | Arbitrary file deletion | Local |
| CVE-2020-28007 | Link attack in Exim’s log directory | Local |
| CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
| CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
| CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
| CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
| CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
| CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
| CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
| CVE-2020-28015 | New-line injection into spool header file (local) | Remote |
| CVE-2020-28016 | DHeap out-of-bounds write in parse_fix_phrase() | Remote |
| CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
| CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
| CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
| CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
| CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
| CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
| CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
| CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
| CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |
| CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
Successful exploitation of these vulnerabilities would allow a remote attacker to gain full root privileges on the target server and execute commands to install programs, modify data, and create new accounts. Currently Shodan shows over 3.8 million Exim servers accessible over the Internet.