Security researchers at Qualys have uncovered multiple security vulnerabilities in Exim, one of the most popular mail transfer agents used for public-facing email servers.
During a full security audit of Exim, the researchers found 21 vulnerabilities. Eleven of the vulnerabilities were only exploitable locally, but the remaining 10 might lend themselves to remote exploitation.
Worse yet, several of these remotely exploitable issues could be chained together to create a full remote code execution attack, Qualys warns.
Digital paper trail
The issues go back to at least the beginning of Exim’s Git history, in 2004, so all supported versions of the software need updating.
The vulnerabilities are tracked as CVE-2020-28007 through CVE-2020-28026, plus CVE-2021-27216.
Qualys has demonstrated that three of the flaws pose an unauthenticated RCE risk – a severe class of vulnerability that requires no action from the victim and can result in full system takeover.
The trio of critical security flaws include CVE-2020-28020, an integer overflow in receive_msg(); CVE-2020-28018, a use-after-free flaw in tls-openssl.c; and CVE-2020-28021, a new-line injection into spool header file.
Details of the 21 flaws are covered in a technical blog post by Qualys. A landing page with a walkthrough video has also been released.
Server-side mayhem
Exim mail servers are popular in their category and handle a large volume of internet traffic, making them an attractive target for attackers.
Bharat Jogi, senior manager, vulnerability and threat research at Qualys, commented: “The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.text
“It’s imperative that users apply patches immediately,” Jogi concluded.
The Daily Swig posed a number of follow-up questions to Qualys about its research. We’ll update this story as and when more information comes to hand.
A recent survey by E-Soft found that three in five (60.7 %) of publicly accessible email servers ran Exim, way ahead of its closest rival Postfix. The Exim platform is particularly popular as a mail transfer agent package with universities, for example.
Source: https://portswigger.net/daily-swig/multiple-critical-vulnerabilities-in-exim-email-server-software-pose-rce-risk
