Critical zero-days in Exim revealed, only 3 have been fixed

Six zero-days in Exim, the most widely used mail transfer agent (MTA), have been revealed by Trend Micro’s Zero Day Initiative (ZDI) last Wednesday.

Due to what seems to be insufficient information and poor communication, fixes for only three of them have been included in Exim v4.96.1, a security release made available today.

Exim is a good target

The popularity of Exim is not surprising: it’s free, efficient, highly configurable, regularly updated, and often probed for vulnerabilities by security researchers.

Exim is also included by default in most Unix-like systems.

Unfortunately, Exim mail servers are also great targets for hackers, as past attacks have shown.

About the Exim zero-days

The six vulnerabilities have been reported to the ZDI in June 2022 by a security researcher who chose to remain anonymous.

Four of the vulnerabilities can lead to remote code execution, two to disclosure of information. Prior authentication is not required to exploit them.

The most critical of the flaws is CVE-2023-42115, an out-of-bounds write issue in the SMTP service that’s is due to a lack of proper validation of user-supplied data.

CVE-2023-42115, along with CVE-2023-42116 (a SMTP challenge stack-based buffer overflow bug) and CVE-2023-42114 (a NTLM challenge out-of-bounds read) have been fixed in Exim v4.96.1 and the latest v4.97 release candidates.

Exim project team member Heiko Schlittermann has also provided details and mitigation steps for all six flaws, and confirmed that “none of these issues is related to transport security (TLS) being on or off”.

Server owners should apply this security update as soon as may be. Hopefully, other fixes will be delivered soon.

WatchTowr researchers have released their own technical analysis of CVE-2023-42115.

The vulnerability disclosure process

In the security advisories, the ZDI claims that Exim maintainers have not provided satisfactory feedback on what they were doing to fix the vulnerabilities.

Schlittermann says that, in June 2022, the ZDI had not provided them with answers they could work with. The next contact with ZDI was in May 2023 and, apparently, more info had been shared.

“Right after this contact we created project bug tracker for 3 of the 6 issues. 2 high scored of them are fixed (OOB access). A minor scored (info leak) is fixed too,” he wrote on the Open Source Security Mailing List last Friday.

“Fixes are available in a protected repository and are ready to be applied by the distribution maintainers. The remaining issues are debatable or miss information we need to fix them. We’re more than happy to provide fixes for all issues as soon as we receive detailed information.”

UPDATE (October 16, 2023, 05:10 a.m. ET):

Exim v4.96.2 has been released, and it fixes two additional issues of the six reported by the ZDI.