You can now find Cyber Kendra on Google News!

Six 0day Vulnerabilities Discovered in Exim Mail Server - Update Now!

Six 0day vulnerabilities were reported to Exim mail transfer agent putting 250k email servers under threats

EXIM 0day Vulnerability
There was already news about the new critical vulnerabilities reported to the Exim Mail transfer agent, which if exploited successfully, allows remote execution of malicious code with little or no user interaction.

Zero Day Initiative first reported the vulnerability on Wednesday but it went unnoticed as everyone was busy on the WebP 0day flaw.

Also at that time, there were not many details about the vulnerabilities. We only know that there were six vulnerabilities in total and four of them were remote code execution flaws. 

One of the bugs which is identified as CVE-2023-42115 is the most dangerous one with a CVSS score of 9.8 out of 10. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim, and Authentication is not required to exploit this vulnerability.

According to the description on the Zero Day Initiative page states-

The specific flaw exists within the SMTP service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.

Exim Six Zero-day Vulnerabilities

Today on 2nd October 2023, Exim came up with the details regarding the above-mentioned vulnerabilities. According to the Exim security advisory, there were six zero-day vulnerabilities were reported to Exim. 

Exim confirms that None of these issues is related to transport security (TLS) being on or off. Here are the details of all the Six zero-day vulnerabilities - 

CVE ID Description CVSS Score Mitigation Fixed Status
CVE-2023-42114 Information disclosure while reading ouf-of-bounds from a data structure while handling NTLM challenge requests. 3.7 Do not use SPA (NTLM) authentication Fixed in Exim 4.96.1 and 4.97
CVE-2023-42115 Remote code execution from a write past the end of a buffer while handling AUTH commands. 9.8 Do not offer EXTERNAL authentication. Fixed in Exim 4.96.1 and 4.97
CVE-2023-42116 Remote code execution from a stack-based buffer overflow while handling NTLM challenge requests. 8.1 Do not use SPA (NTLM) authentication Fixed in Exim 4.96.1 and 4.97
CVE-2023-42117 Remote code execution from an improper neutralization of special elements, producing a memory corruption condition. 8.1 Do not use Exim behind an untrusted proxy-protocol proxy Not Fixed
CVE-2023-42118 Remote code execution affecting the Exim library libspf2, while processing SPF macros, which does not properly validate an integer. 7.5 Do not use the `spf` condition in your ACL It is debatable if this should be filed against libspf2.
CVE-2023-42119 Information disclosure of dnsdb while reading out-of-bounds from the buffer. 3.1 Use a trustworthy DNS resolver which is able to validate the data according to the DNS record types. Under Consideration

The Exim team noted the following points regarding the vulnerabilities -

  1. 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use SPA/NTLM, or EXTERNAL authentication, you're not affected. These issues are fixed.
  2. One issue is related to data received from a proxy-protocol proxy. If you do not use a proxy in front of Exim, you're not affected. If your proxy is trustworthy, you're not affected. We're working on a fix.
  3. One is related to libspf2. If you do not use the `spf` lookup type or the `spf` ACL condition, you are not affected. 
  4. The last one is related to DNS lookups. If you use a trustworthy resolver (which does validation of the data it receives), you're not affected. We're working on a fix.

Exposed Exim Server

Shodan's query shows that there are just over 3.5 million Exim servers exposed online, with most of them in the United States, followed by Russia and Germany.

Shodan Exim Server

According to Netlas, an internet intelligence app that provides accurate technical information about IP addresses, domain names, websites, web services, IoT devices, and others there are 147K servers probably vulnerable to CVE-2023-42115, CVE-2023-42116, and CVE-2023-42117

Multiple vulnerable Exim server

Mitigation and Fixes

Exim said it has made patches for the vulnerabilities available in a private repository. Currently, they are in contact with the major distros and aim to release those fixes with the release of Exim-4.96.1 and 4.97 security releases which are available as soon as possible. (Aiming Monday, Oct 2nd.) i.e. today. 

This is not the first time security flaws have been uncovered in the widely used mail transfer agent. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively tracked as 21Nails that enable unauthenticated attackers to achieve complete remote code execution and gain root privileges.

Post a Comment