
Exim Patches 21 Flaws in Message Transfer Agent

Qualys Says Vulnerabilities Open the Door to Attacks

Exim, one of the most widely used message transfer agents, has released patches for 21 flaws that could put thousands of mail servers and their users at risk of attack, researchers at security firm Qualys say.

The vulnerabilities, collectively dubbed "21nails," comprise 11 locally exploitable and 10 remotely exploitable flaws and affect every Exim release since 2004, the Qualys report notes.

Exim, which was informed by Qualys about the vulnerabilities in October 2020, released patches for the flaws Tuesday. "The current Exim versions - and likely older versions too - suffer from several exploitable vulnerabilities," Exim notes in an update to users. "Due to several internal reasons, it took more time than usual for the Exim development team to work on these reported issues in a timely manner."

Exploiting the Vulnerabilities

Qualys says its researchers exploited some of the flaws to achieve four local privilege escalations and three remote code executions. Among the vulnerabilities it exploited are:

  • CVE-2020-28007, a link attack in Exim's log directory that a local user can exploit to escalate privileges;
  • CVE-2020-28018, a use-after-free in Exim's OpenSSL TLS code that allows unauthenticated remote code execution when Exim is built against OpenSSL rather than GnuTLS;
  • CVE-2020-28017, an integer overflow in Exim's recipient handling that is remotely exploitable in the default configuration, but only if the target has more than 25GB of memory available.
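The first thing a practitioner wants after an advisory like this is a quick way to tell whether a host is still running a pre-fix Exim. The following script is an added example, not code from the article, from Qualys or from the Exim project. It assumes that Exim 4.94.2 is the first upstream release containing the 21nails fixes (the article does not name the version), parses the first line of `exim -bV` output, and compares the dotted version numerically rather than as a string, so that 4.94 correctly sorts below 4.94.2. The sample `exim -bV` output is constructed for the example, not captured from a real server.

```python
"""Check an Exim version string against the first release that fixed 21nails."""
import re
import subprocess
from typing import Optional, Tuple

# Assumption, not stated in the article: Exim 4.94.2 is the first upstream
# release carrying the 21nails fixes; anything older is treated as unpatched.
FIXED_VERSION = "4.94.2"

# Constructed sample of `exim -bV` output for the example (not from a real host).
SAMPLE_BV_OUTPUT = """\
Exim version 4.92.3 #3 built 20-Mar-2020 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 GnuTLS
"""

# `exim -bV` prints the version on its first line as "Exim version X.Y[.Z] ...".
_VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)*)", re.MULTILINE)


def parse_version(bv_output: str) -> Optional[str]:
    """Return the dotted upstream version from `exim -bV` output, or None."""
    match = _VERSION_RE.search(bv_output)
    return match.group(1) if match else None


def version_key(version: str, width: int = 3) -> Tuple[int, ...]:
    """Numeric, zero-padded key so that "4.94" < "4.94.2" and "4.9" < "4.92".

    A plain string comparison gets both of those wrong.
    """
    parts = [int(p) for p in version.split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {version}")
    return tuple(parts + [0] * (width - len(parts)))


def is_patched(version: str) -> bool:
    """True if the upstream version is at or beyond the fixed release."""
    return version_key(version) >= version_key(FIXED_VERSION)


def assess(bv_output: str) -> dict:
    """Parse `exim -bV` output and return a verdict dictionary."""
    version = parse_version(bv_output)
    if version is None:
        return {"version": None, "patched": None,
                "verdict": "could not parse an Exim version"}
    patched = is_patched(version)
    verdict = ("upstream release includes the 21nails fixes" if patched
               else f"upstream {version} predates {FIXED_VERSION}; check for distro backports")
    return {"version": version, "patched": patched, "verdict": verdict}


def assess_local_host() -> dict:
    """Run `exim -bV` on this host and assess the result."""
    proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


if __name__ == "__main__":
    print(assess(SAMPLE_BV_OUTPUT))
```

Distribution packages routinely backport security fixes while keeping the old upstream version string, so a "predates 4.94.2" verdict on a Debian, Ubuntu or RHEL host means "check the package changelog," not "exploitable." The reverse is reliable: an upstream version at or above 4.94.2 carries the fixes regardless of packaging.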

Targeting Exim

Nation-state hackers and others have previously targeted vulnerable Exim servers for cyberespionage and other campaigns.

In May 2020, the U.S. National Security Agency warned that a Russian-backed hacking group called Sandworm had been targeting Exim since 2019. The hackers attempted to exploit a flaw in recipient address handling in Exim versions 4.87 to 4.91, tracked as CVE-2019-10149, which could allow remote code execution on the victim's mail server, according to an NSA alert. The Sandworm hackers could exploit the vulnerability to install programs, modify data and create new accounts, NSA said (see: NSA: Russian Hackers Targeting Vulnerable Email Servers).

In June 2020, security firm RiskIQ found more than 900,000 Exim mail servers running older versions of the software that were vulnerable to the CVE-2019-10149 bug (see: Thousands of Exim Servers Vulnerable to Critical Flaw: Report).

In 2019, security researchers warned that millions of Exim users were susceptible to two critical vulnerabilities in Exim version 4.92.1 and earlier versions (see: Email Servers: Exim Flaw Leaves Millions at Risk of Hacking).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
