The maintainers of the widely used Exim email server are urging admins to update to Exim version 4.94.2 because of 21 newly disclosed security flaws.
“All versions of Exim prior to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update.
“This is a security release,” the project adds, referring to fixes for 21 flaws that could be exploited by anyone over the internet.
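The advice above boils down to one check: is the running Exim older than 4.94.2? The following is an added example, not code from the Exim project or from Qualys, that applies that check to SMTP greeting banners; the banners and hostnames are constructed, and the padding rule for two-part versions such as "4.94" is an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release named in the advisory: anything earlier is obsolete.
FIXED_VERSION = (4, 94, 2)

# Version token in Exim's SMTP greeting, e.g.
# "220 mx.example.test ESMTP Exim 4.93 Tue, 04 May 2021 10:00:00 +0000".
# Distribution builds may append a packaging suffix ("4.94.2-7"); only the
# leading dotted numbers are compared.
_BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)*)")

def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the Exim version from an SMTP greeting as a tuple, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad "4.94" to (4, 94, 0) so it compares correctly against (4, 94, 2).
    return parts + (0,) * max(0, 3 - len(parts))

def is_obsolete(banner: str) -> Optional[bool]:
    """True if the banner shows an Exim release older than 4.94.2.

    Returns None when the banner does not identify Exim (e.g. the version
    string is suppressed), so callers treat the host as 'unknown', not 'safe'.
    """
    version = parse_exim_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION

# Constructed sample greetings (not captured from real hosts).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.94.2 Tue, 04 May 2021 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.94 Tue, 04 May 2021 10:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.92.3 Tue, 04 May 2021 10:00:00 +0000",
    "220 legacy.example.test ESMTP Exim 3.36",
    "220 mx4.example.test ESMTP Exim 4.94.2-7 Tue, 04 May 2021 10:00:00 +0000",
    "220 mx5.example.test ESMTP ready",
]

def triage(banners) -> dict:
    """Map each greeting to 'obsolete', 'current' or 'unknown'."""
    labels = {None: "unknown", True: "obsolete", False: "current"}
    return {b: labels[is_obsolete(b)] for b in banners}

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:8} {banner}")
```

Distributions often backport security fixes without changing the upstream version string, so a banner check is only a screening step; the installed package version is the authoritative answer.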
The new Exim release addresses security flaws reported by researchers at security firm Qualys.
The bugs are a potentially major risk to internet security given that nearly 60% of internet servers run the Exim mail transfer agent (MTA) software, which is by far the most widely used email server. As Qualys points out, IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US.
Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.
“Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys.
“The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain full root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.”
Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches “immediately” given the breadth of the attack surface for this vulnerability.
Such flaws have been quickly exploited in the past: a previous remote code execution flaw in Exim that was patched in mid-2019 was also found by researchers at Qualys.
The NSA eventually revealed that attackers had been exploiting the flaw, tracked as CVE-2019-10149, within two months of its public disclosure.
The NSA warned in June 2020 that a hacking group known as Sandworm, within Russia’s intelligence service, the GRU, had been exploiting the Exim flaw since at least August 2019. That bug’s impact is the same as that of the 21 newly disclosed vulnerabilities.
The NSA said the attackers exploited the bug on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.
MTAs are an attractive target for attackers because they are typically exposed on the internet.
Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges.
The firm reported an initial set of bugs to Exim maintainers on 20 October 2020 and provided 26 patches to Exim.
| CVE | Description | Type |
|---|---|---|
| CVE-2020-28007 | Link attack in Exim’s log directory | Local |
| CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
| CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
| CVE-2021-27216 | | Local |
| CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
| CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
| CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
| CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
| CVE-2020-28015 | New-line injection into spool header file (local) | Local |
| CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
| CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
| CVE-2020-28017 | | Remote |
| CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
| CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
| CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
| CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
| CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
| CVE-2020-28019 | | Remote |
| CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
| CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
| CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |