Exim Patches 21 Flaws in Message Transfer AgentQualys Says Vulnerabilities Open the Door to Attacks
Exim, one of the most-used message transfer agents, has issued patches for 21 flaws that could put thousands of users at risk of attacks, researchers at security firm Qualys say.
The vulnerabilities, collectively dubbed "21nails," include 11 local and 10 remote code vulnerabilities and affect all versions of Exim servers from 2004 onward, the Qualys report notes.
Exim, which was informed by Qualys about the vulnerabilities in October 2020, released patches for the flaws Tuesday. "The current Exim versions - and likely older versions too - suffer from several exploitable vulnerabilities," Exim notes in an update to users. "Due to several internal reasons, it took more time than usual for the Exim development team to work on these reported issues in a timely manner."
Exploiting the Vulnerabilities
Qualys says its researchers exploited some of the flaws to complete four local privilege escalations and three remote code executions. The vulnerabilities it exploited are:
- CVE-2020-28012, a flaw which, if exploited, can permit a link attack in Exim’s log directory.
- CVE-2020-28018, an unauthenticated remote code vulnerability that occurs when TLS encryption is provided by OpenSSL;
- CVE-2020-28017, a remote code vulnerability that can be exploited if the victim’s device has more than 25GB of memory in the default configuration.
Nation-state hackers and others have previously targeted vulnerable Exim servers for cyberespionage and other campaigns.
In May 2020, the U.S. National Security Agency warned that a Russian-backed hacking group called Sandworm had been targeting Exim since 2019. The hackers attempted to exploit an email receipt vulnerability in Exim versions 4.87 to 4.91, tracked as CVE-2019-10149, which could allow for remote code execution within the victim's web server, according to an NSA alert. The Sandworm hackers could exploit the vulnerability to install programs, modify data and create new accounts, NSA said (see: NSA: Russian Hackers Targeting Vulnerable Email Servers).
In June 2020, security firm RiskIQ found more than 900,000 Exim web servers running older versions of the software that were vulnerable to the CVE-2019-10149 bug (see: Thousands of Exim Servers Vulnerable to Critical Flaw: Report).
In 2019, security researchers warned that millions of Exim users were susceptible to two critical vulnerabilities in Exim version 4.92.1 and earlier versions (see: Email Servers: Exim Flaw Leaves Millions at Risk of Hacking).