21 nails in Exim mail server: Vulnerabilities enable 'full remote unauthenticated code execution', millions of boxes at risk

Nearly 4 million to be exact, say researchers


Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server."

Exim is a mail transfer agent (MTA), responsible for receiving and forwarding email messages. It runs primarily on Unix or Linux and is the default MTA on Debian - though Ubuntu and Red Hat Enterprise Linux use Postfix by default.

Some hosting companies use Exim to provide email services to their customers. It has also been popular in universities and other educational institutions (it was originally developed at the University of Cambridge in 1995), though many of these, Cambridge itself included, have since moved to Office 365 or Google's email services.

According to one recent survey, nearly 60 per cent of mail servers visible on the internet use Exim, followed by Postfix at 34 per cent. Qualys said a Shodan search revealed nearly 4 million Exim servers exposed to the internet.

Qualys demonstrates a proof of concept exploit against the Exim mail server, achieving root access to the remote server

The Qualys researchers have now reported on 21 critical vulnerabilities discovered via a code audit, 10 of which can be exploited remotely; the remaining 11 are local.

The local vulnerabilities are also an issue, as they can enable local users to escalate privileges to root. Most of the vulnerabilities are longstanding, the researchers say, with some going back to the beginning of Exim's Git history, that is, as far back as the source code repository records.

A proof of concept video shows an exploit (developed by Qualys but not publicly available) in action. "To run the exploit, all we need to do is point it to the target Exim server IP endpoint," explained researcher Bharat Jogi. The exploit starts with a use-after-free bug (where memory is referenced after it has been freed), then discovers where Exim's configuration resides in memory, and modifies it to "execute an arbitrary command."

This opens a Netcat shell, at which point the attacker has a local terminal as the unprivileged Exim user. A further vulnerability then allows the attacker to take ownership of any file on the system, because Exim is installed setuid root and part of its code runs as root. Ownership of the system password file (/etc/passwd) then gives the attacker full root privileges.
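The chain described above leaves an obvious host-side trace: a shell or netcat process whose ancestor is the Exim daemon. The Python below is an added example, not code from Qualys or the Exim project, that walks a process table and flags such descendants. The `ps -eo pid,ppid,user:20,comm` column layout, the process names, the user name `exim` and the sample table are all constructed for illustration. Exim legitimately spawns pipe-transport commands such as procmail, so the set of suspicious names is an assumption to tune to what your configuration is expected to run.

```python
"""Flag shell/netcat processes descended from Exim (added example, not from Qualys or Exim)."""

# Process names an MTA should not normally spawn. Assumed list; extend or
# trim it to match what your pipe transports legitimately run.
SUSPICIOUS = {"sh", "bash", "dash", "nc", "ncat", "netcat", "perl", "python3"}

# Constructed sample of `ps -eo pid,ppid,user:20,comm` output (not a real capture).
SAMPLE_PS = """\
  PID  PPID USER                 COMMAND
    1     0 root                 systemd
  812     1 root                 exim4
 2201   812 exim                 exim4
 2202  2201 exim                 sh
 2203  2202 exim                 nc
 2300   812 exim                 exim4
 2301  2300 exim                 procmail
"""


def parse_ps(text):
    """Map pid -> (ppid, user, comm) from ps output; skips the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # blank or malformed line
        pid, ppid, user, comm = parts
        procs[int(pid)] = (int(ppid), user, comm.strip())
    return procs


def exim_ancestor(procs, pid):
    """Return the pid of the nearest Exim ancestor of `pid`, or None.

    Visited pids are tracked so a corrupt table cannot loop forever.
    """
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        if procs[ppid][2].startswith("exim"):
            return ppid
        ppid = procs[ppid][0]
    return None


def find_suspicious_children(procs):
    """Return sorted (pid, comm, user, exim_pid) tuples for suspicious descendants of Exim."""
    hits = []
    for pid, (_ppid, user, comm) in procs.items():
        if comm in SUSPICIOUS:
            exim_pid = exim_ancestor(procs, pid)
            if exim_pid is not None:
                hits.append((pid, comm, user, exim_pid))
    return sorted(hits)


if __name__ == "__main__":
    for pid, comm, user, exim_pid in find_suspicious_children(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({comm}) running as {user} descends from exim pid {exim_pid}")
```

On the constructed table both the `sh` spawned by an Exim child and the `nc` spawned by that shell are reported, while procmail is not. On a real host, feed the function the output of the `ps` command named above and expect some noise from legitimate pipe transports.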

Timing was tight

Qualys said it informed the Exim security team of some of the vulnerabilities on 20 October 2020, followed by a further list on 29 October. The Exim maintainers gave Qualys access to their Git repository, both to review and to help write the patches. The timing was tight, though: patches were not completed until 24 February 2021, and the Exim team did not give access to packagers and maintainers, who are responsible for providing Exim updates to users, until 27 April. The vulnerabilities were disclosed yesterday, 4 May, a date which Qualys said was agreed with the Exim project.

This timeline inevitably means that many servers were not patched at the time of the announcement. Debian released a security advisory yesterday for its current stable distribution, Buster. At the time of writing, the packages for Debian 9 (Stretch), which is end of life but in long term support, had not yet been updated. All upstream Exim versions before 4.94.2 are vulnerable. Note that distributions such as Debian backport the fixes into their existing package versions, so on those systems the package's security advisory, not the upstream version number reported by `exim -bV`, is the thing to check.
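A first triage step is to find out which Exim versions are actually in service. The Python below is an added example, not from Qualys, Exim or Debian: it reads the version either from the first line of `exim -bV` or from the SMTP greeting Exim sends by default (`hostname ESMTP Exim <version> <date>`) and compares it with 4.94.2. The banners it is fed are constructed samples. An unparseable banner, such as a customised greeting, is reported as unknown rather than safe, and a "vulnerable" result for a distribution package should send you to the package changelog rather than be taken as a verdict, since backported fixes do not change the upstream version number.

```python
"""Compare an Exim version banner against the 4.94.2 fix (added example, not from Qualys or Exim)."""
import re

# Upstream release that fixes the 21 Nails flaws, per the article.
FIXED_VERSION = (4, 94, 2)

# Matches either the first line of `exim -bV` ("Exim version 4.94.2 #2 built ...")
# or Exim's default SMTP greeting ("220 host ESMTP Exim 4.92 Tue, 04 May 2021 ...").
_VERSION_RE = re.compile(r"(?:^Exim version|ESMTP Exim) (\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "local-old": "Exim version 4.92 #3 built 05-Apr-2020 10:00:00",
    "local-fixed": "Exim version 4.94.2 #2 built 27-Apr-2021 20:33:41",
    "local-newer": "Exim version 4.95 #1 built 01-Oct-2021 12:00:00",
    "smtp-old": "220 mail.example.org ESMTP Exim 4.92 Tue, 04 May 2021 10:00:00 +0000",
    "custom-banner": "220 mail.example.org ESMTP ready",
}


def parse_exim_version(banner):
    """Return (major, minor, patch) from a banner, or None if it carries no version."""
    m = _VERSION_RE.search(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))  # "4.92" is treated as 4.92.0


def is_vulnerable(banner, fixed=FIXED_VERSION):
    """True if the banner reports an upstream version older than `fixed`,
    False if it is at or past the fix, None if no version could be read.

    None is deliberate: an unparseable banner must never be reported as safe.
    """
    version = parse_exim_version(banner)
    if version is None:
        return None
    return version < fixed


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:14} -> {is_vulnerable(banner)}")
```

To use it against a fleet, collect the first line of `exim -bV` from each host (or the 220 greeting from port 25) and pass each string to `is_vulnerable`; treat `None` results as hosts that need a manual look.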

The Qualys team chose the name 21 Nails as a pun on "21 vulnerabilities in a 'Mail' transfer agent." Nothing to do with coffins, though the new vulnerabilities will reinforce claims that running Postfix, which was designed with security in mind (IBM released it as Secure Mailer), is a better idea from a security perspective.

Email servers are an obvious attack point because they must, of necessity, be reachable from the internet, as the recent attacks on Microsoft Exchange Server attributed to the group Microsoft calls Hafnium showed. The number of Exim instances out there is far greater than the number of Exchange servers, although Exchange's corporate user base may make it the more attractive target. ®


Biting the hand that feeds IT © 1998–2022