Researchers on Tuesday released a study that found 21 unique vulnerabilities in the Exim mail server, some of which can be chained together to obtain unauthenticated remote code execution and root privileges.
In a blog post, the Qualys Research Team said the vulnerabilities affect a large number of organizations because Exim is estimated to run on roughly 60% of internet-facing mail servers. A Shodan search run by the researchers found nearly 4 million Exim servers exposed to the internet.
Security pros should also take note that Exim servers hosted in the cloud can be exploited, said Parag Bajaria, vice president of cloud and container security solutions at Qualys.
“There are many exploits that an attacker can run in the cloud once they have gained root privileges on the VM hosting the Exim server,” Bajaria said. “Depending on where the Exim server is located there’s a further possibility of lateral movement. And if the virtual machine that hosts an Exim server has IAM permissions attached to it, then those permissions can be further exploited for data exfiltration and IAM privilege escalation.”
According to the Qualys researchers, 10 of the vulnerabilities are remotely exploitable, and some of them yield root privileges on the remote system. The other 11 are exploitable locally, most of them in either the default configuration or a very common one.
MTAs have become attractive targets for attackers, say the researchers, because they are usually accessible over the internet. “Once exploited, they could modify sensitive email settings on the mail servers, and allow adversaries to create new accounts on the target mail servers,” said the researchers. “Last year, the vulnerability in the Exim Mail Transfer Agent was a target of Russian cyber actors formally known as the Sandworm Team.”
"The Exim vulnerability once again illustrates the point that organizations must adopt a multi-layered defense strategy,” said Vishal Jain, co-founder and chief technology officer at Valtix.
“Cloud infrastructure providers don’t guard against remote execution of the customer’s applications,” Jain said. “Cloud and security operations teams often bear this responsibility. It’s imperative that enterprises protect applications in the public cloud against inbound threats through best-practice network security across ingress, egress, east-west, and DNS traffic. Network security offers a strong defense for remote execution vulnerabilities, like what you find in the case of Exim.”