
Six zero-days in Exim mail transfer agent could impact more than 253,000 servers


Six zero-day vulnerabilities recently discovered in the Exim mail transfer agent have potentially left more than 253,000 mail servers vulnerable, with four of the six leaving organizations exposed to a remote code execution (RCE) attack.


In an advisory Sept. 29, the Center for Internet Security (CIS) said an unauthenticated attacker could install programs, view, change or delete data, or create new accounts with full user rights.

The zero-day flaws were widely reported at the end of last week. According to reports, Trend Micro's Zero Day Initiative (ZDI) first told Exim about the vulnerability in June 2022 and re-sent information on the flaw at the vendor's request in May 2023, but developers failed to offer an update on their patch progress.

That’s when ZDI posted its advisory Sept. 27, but it wasn’t picked up until the news was posted on the Open Source Security mailing list two days later on Sept. 29. As of Monday, patches have been issued for three of the six bugs.

CIS described the most serious zero-day — CVE-2023-42115 — as a specific flaw that exists within the SMTP service that listens on TCP Port 25 by default. This issue results from a lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. Attackers can leverage the flaw to execute code in the context of a service account, explained the CIS.

The systems affected include Exim 4.96 or prior, and the CIS said the risk was high for both large and medium government agencies and enterprise businesses.
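One defender-side use of the affected range above, as an added example that is not from the article, CIS or the Exim project: parse the version out of Exim's SMTP greeting and flag hosts that fall in the stated "4.96 or prior" range, comparing version components numerically rather than as strings. The hostnames and banners are constructed, and treating point releases above 4.96 as outside the stated range is an assumption to confirm against Exim's own release notes.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the article (CIS): Exim 4.96 or prior.
# Assumption: point releases above 4.96 (4.96.x) fall outside that range;
# confirm against the vendor's release notes before closing a ticket.
AFFECTED_MAX: Tuple[int, ...] = (4, 96)

# Constructed sample banners for hypothetical hosts (not real systems).
# Exim's default greeting has the form "220 <hostname> ESMTP Exim <version> <date>".
SAMPLE_BANNERS: Dict[str, str] = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.96 Fri, 29 Sep 2023 09:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.94.2 Fri, 29 Sep 2023 09:00:01 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.97 Fri, 29 Sep 2023 09:00:02 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
}

_EXIM_BANNER = re.compile(r"\bESMTP Exim (\d+(?:\.\d+)*)\b")


def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the Exim version from an SMTP greeting as a tuple of ints.

    Returns None when the greeting is not an Exim banner (or hides its version).
    """
    match = _EXIM_BANNER.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when version <= 4.96, compared component-wise as integers.

    A string comparison would rank "4.100" below "4.96" and "4.9" above it;
    parsing into ints and zero-padding to a common length avoids both errors.
    """
    width = max(len(version), len(AFFECTED_MAX))
    padded_version = version + (0,) * (width - len(version))
    padded_max = AFFECTED_MAX + (0,) * (width - len(AFFECTED_MAX))
    return padded_version <= padded_max


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's banner: affected, outside-stated-range, or not-exim."""
    report: Dict[str, str] = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            report[host] = "not-exim"
        elif is_affected(version):
            report[host] = "affected"
        else:
            report[host] = "outside-stated-range"
    return report
```

Banner checks only see what the server chooses to advertise, so a host that suppresses or rewrites its greeting still needs a package-level inventory check.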

Exim has been on the Known Exploited Vulnerabilities (KEV) catalog from the Cybersecurity and Infrastructure Security Agency (CISA) before, so clearly malicious hackers are returning to Exim because of previous responses, explained John Gallagher, vice president of Viakoo Labs. Gallagher said security pros should consider these vulnerabilities as highly exploitable.

“They are public, Exim has been slow to release patches, devices can be found through a Shodan search, and many organizations will have to implement the patch,” said Gallagher. “With many open-source projects, the users are not always IT, it’s likely that the patching of Exim products will be slow because many non-IT organizations will be managing these products.” 

John Bambenek, principal threat hunter at Netenrich, added that mail servers are inherently public facing, which means these vulnerabilities are extremely concerning, especially the RCE ones.

“Organizations can’t shut down their email servers, so they should prioritize patching immediately as widespread exploitation will probably begin in a day or two,” warned Bambenek.
