
Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

A critical security issue has been found in all versions of Exim mail transfer agent (MTA) software. This vulnerability could allow unauthorized attackers to remotely execute code on servers exposed to the Internet.

This vulnerability, known as CVE-2023-42115, was discovered by an anonymous security researcher and disclosed through Trend Micro’s Zero Day Initiative (ZDI). The problem stems from an Out-of-bounds Write weakness in the SMTP service.

When attackers successfully exploit this issue, it can cause software crashes or data corruption. It also opens the door for attackers to execute their own code or commands on vulnerable servers. The vulnerable component is the SMTP service, which usually listens on TCP port 25 by default. The problem arises from the lack of proper validation of user-supplied data, allowing attackers to write past the end of a buffer and execute code within the context of the service account.

ZDI reported this vulnerability to the Exim team in June 2022 and provided further information at the vendor’s request in May 2023. However, the Exim developers did not provide an update on their progress in addressing the issue. As a result, ZDI published an advisory on September 27, including details about the CVE-2023-42115 zero-day and a timeline of their communications with the Exim team.

Mail transfer agent (MTA) servers like Exim are particularly vulnerable because they are often accessible over the Internet, making them easy entry points for attackers into a network. The National Security Agency (NSA) reported in May 2020 that the Russian military hacking group Sandworm had been exploiting a critical Exim flaw since at least August 2019.

Exim is also the default MTA on Debian Linux distributions and is the world’s most popular MTA software according to a mail server survey from early September 2023. The survey found that Exim is installed on more than 56% of the 602,000 mail servers reachable on the Internet, which represents over 342,000 Exim servers. A Shodan search revealed that just over 3.5 million Exim servers are currently exposed online, with the majority in the United States, followed by Russia and Germany.

While a patch to secure vulnerable Exim servers is not yet available, ZDI advised administrators to restrict remote access from the Internet to prevent potential exploitation attempts. The primary mitigation strategy is to limit interactions with the affected application due to the nature of the vulnerability.
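ZDI's interim mitigation above is to keep the Exim SMTP listener off the open Internet. The following shell script is an added example (not code from the article or the Exim project): it generates an nftables ruleset that accepts inbound TCP/25 only from an allowlist of trusted relay addresses and logs and drops every other SMTP connection attempt; the addresses and temp-file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from Exim: restrict TCP/25 (the port
# the vulnerable Exim SMTP service listens on) to a trusted-relay allowlist.
# Usage: build_smtp_ruleset <allowlist-file>   -> prints an nft ruleset
# Apply (as root, after review):  build_smtp_ruleset relays.txt | nft -f -

build_smtp_ruleset() {
    allowlist="$1"
    [ -r "$allowlist" ] || { echo "allowlist not readable: $allowlist" >&2; return 1; }
    # Keep non-empty, non-comment lines and join them into an nft set literal.
    elems=$(grep -Ev '^[[:space:]]*(#|$)' "$allowlist" | paste -s -d ',' -)
    [ -n "$elems" ] || { echo "allowlist is empty" >&2; return 1; }
    cat <<EOF
table inet smtp_guard {
    set trusted_relays {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport 25 ip saddr @trusted_relays accept
        tcp dport 25 log prefix "smtp-blocked " drop
    }
}
EOF
}

# Sanity check for a generated ruleset: number of accept rules for port 25.
count_smtp_accepts() {
    grep -c 'tcp dport 25 .* accept' "$1"
}

# Constructed sample allowlist (placeholder documentation addresses).
RELAYS=$(mktemp)
RULESET=$(mktemp)
cat > "$RELAYS" <<'EOF'
# trusted upstream relays (placeholders)
192.0.2.10
198.51.100.0/24
EOF
build_smtp_ruleset "$RELAYS" > "$RULESET"
cat "$RULESET"
```

The drop rule's log prefix gives the SOC a single string to key on when hunting for SMTP connection attempts from outside the allowlist.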

Private patches and other bugs waiting for a fix:

ZDI also disclosed five other Exim zero-days with lower severity ratings this week, tagged as high and medium severity:

Exim developer Heiko Schlittermann revealed on the Open Source Security (oss-sec) mailing list after this article was published that “fixes are available in a protected repository” for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116, and are “ready to be applied by the distribution maintainers.”

“The remaining issues are debatable or miss information we need to fix them. We’re more than happy to provide fixes for all issues as soon as we receive detailed information,” Schlittermann added.

A ZDI representative replied to the oss-sec thread saying that the advisories published this week would be updated and the zero-day tag removed as soon as Exim publishes patches. 

“The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do,’” the ZDI representative said.

“If these bugs have been appropriately addressed, we will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue.” 

Update: Added information on the five other Exim flaws disclosed by ZDI and on Exim’s private patches.
