A code audit of Exim, a widely used mail transfer agent, has revealed 21 previously unknown vulnerabilities, some of which can be chained together to achieve unauthenticated remote code execution on the Exim Server.
They have all been fixed in Exim v4.94.2, and the software maintainers advise users to update their instances as soon as possible, as all versions of Exim previous to version 4.94.2 are now obsolete.
“Several distros will provide updated packages: Just do the update,” Exim developer Heiko Schlittermann recommended.
The discovered vulnerabilities
In fall 2020, Qualys researcher did a thorough code audit of Exim and discovered 21 exploitable vulnerabilities (collectively dubbed “21Nails”), most of which affect all versions of the software.
Ten of these can be exploited remotely and some of them can allow attackers to gain root privileges on the remote system:
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Eleven can be exploited locally, most of them in either default configuration or in a very common configuration:
- CVE-2020-28007: Link attack in Exim’s log directory
- CVE-2020-28008: Assorted attacks in Exim’s spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
Technical details about each are provided in this security advisory.
About Exim and its popularity as a target
Its popularity is certainly in part due to its efficiency and high configurability, but also due to the fact that it’s free, that it’s bundled with most Unix-like systems, and comes pre-installed on several Linux distributions.
“Mail transfer agents are interesting targets for attackers because they are usually accessible over the internet. Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers,” Bharat Jogi, Sr. Manager, Vulnerabilities and Signatures, Qualys, explained.