Exim is a message transfer agent (MTA) originally developed at the University of Cambridge for use on Unix systems connected to the internet, and is freely available under the terms of the GNU General Public Licence.
Even though the name may be new to you, a Shodan search revealed 3.5 million servers online. According to recent data, they account for more than half of all email servers. Most of these servers are in the US, Russia, Germany, and the Netherlands. The large numbers are, at least partly, due to the fact that on Debian-based Linux systems, Exim is the default MTA software.
For over a year, many of these servers have been vulnerable to six zero-day vulnerabilities. An anonymous researchers filed those vulnerabilities through the Zero Day Initiative (ZDI) that acts as an intermediary to reward researchers and helps them to responsibly disclose vulnerabilities.
The word “finally” in the title stems from the fact that these vulnerabilities were reported to Exim on June 14, 2022. After 10 months of silence, the ZDI made an enquiry to see if anything had been done about them and as a reply received a request to re-send the reports.
Another four months went by and ZDI sent an ultimatum announcing the intention to publish the case as a zero-day advisory on September 27, 2023.
From the description of the vulnerabilities there was no reason to think that these were minor bugs, not worthy of immediate attention. Let’s look, for example, at the vulnerability listed as “CVE-2023-42115 (CVSS score 9.8 out of 10): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.”
The specific flaw exists within the SMTP service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
The delay seems to be a lack of communication where each side is blaming the other for not being clear and proactive enough. It’s hard to say who’s at fault here, but the issue remains that the goal of responsible disclosure wasn’t achieved.
What can Exim administrators do
Even though some researchers say that the vulnerabilities are not that severe, you may want to check if your setup is vulnerable and apply fixes or mitigations where needed.
The three vulnerabilities that have been fixed (CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116) are all related to Secure Password Authentication (SPA)/New Technology LAN Manager (NTLM), and EXTERNAL authentication. EXTERNAL authentication enables authentication based on some properties which are external to the Simple Mail Transfer Protocol (SMTP) session which is usually an x509 certificate.
If you do not use SPA/NTLM, or EXTERNAL authentication, you’re not affected. If you are you should install the latest version (4.96.1 or later).
The solution for CVE-2023-42117 is to not use Exim behind an untrusted proxy-protocol proxy. The proxy protocol is a simple protocol where the client sends a message to the server asking to make a connection from a specific local IP to a specific remote IP. Once the connection is made, traffic in both directions is relayed as is via the proxy. There are many trustworthy ones to chose from that will properly validate user-supplied data. Exim is working on a fix for this one.
The solution for CVE-2023-42118 is to not use the `spf` (Sender Policy Framework) condition in your access-control list (ACL). The specific flaw exists within the parsing of SPF macros and can only be exploited by network-adjacent attackers.
CVE-2023-42219 is not likely to be fixed by Exim. They feel users should use a trustworthy Domain Name System (DNS) resolver which is able to validate the data according to the DNS record types. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.