Several security vulnerabilities have been disclosed in the Exim Mail Transfer Agent which, if successfully exploited, could lead to information disclosure and remote code execution.
The flaws, reported anonymously in June 2022, are as follows:
- CVE-2023-42114 (CVSS score: 3.7) – Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
- CVE-2023-42115 (CVSS score: 9.8) – Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2023-42116 (CVSS score: 8.1) – Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2023-42117 (CVSS score: 8.1) – Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
- CVE-2023-42118 (CVSS score: 7.5) – Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
- CVE-2023-42119 (CVSS score: 3.1) – Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
The most serious of the vulnerabilities is CVE-2023-42115, which allows remote, unauthenticated attackers to execute arbitrary code on affected installations of Exim.
“The specific flaw exists within the SMTP service, which listens on TCP port 25 by default,” the Zero Day Initiative said in an alert published this week.
“The issue arises from the lack of proper validation of user-supplied data, which could result in buffered writes. An attacker could leverage this vulnerability to execute code in the context of a service account.”
Exim maintainers, in a message shared on the Open Source Security mailing list oss-security, said fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are “available in a protected repository and are ready to be applied by the distribution maintainers.”
“The remaining issues are debatable or miss information we need to fix them,” the maintainers added, saying they had asked ZDI for more specifics about the issues and “didn’t get answers we were able to work with” until May 2023. The Exim team further said it is awaiting detailed specifics on the other three shortcomings.
However, ZDI denied the claims of “poor operations” and “no teams pinging each other for 10 months”, adding that it contacted the developers multiple times.
“After our disclosure deadline was exceeded by several months, we informed the maintainer of our intention to publicly disclose these bugs, at which time we were told, ‘Do what you do,’” it said.
“If these bugs are appropriately addressed, we will update our update with a security advisory, code check-in, or a link to other public documentation closing the issue.”
In the absence of a patch, ZDI recommends restricting interactions with the application as the only “main” mitigation strategy.
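One way to implement the “restricting interactions with the application” mitigation ZDI recommends, as an added example that is not from the article, ZDI or the Exim project: an Exim configuration fragment that advertises AUTH only to hosts on a trusted list and rejects SMTP connections from every other host. The list name `trusted_clients` and the address ranges are assumptions chosen for illustration.

```exim
# Added example (not Exim project code): limit who may talk to this Exim
# instance while fixes are pending. Address ranges below are constructed;
# replace them with your own relays and submission clients.
hostlist trusted_clients = 192.0.2.0/24 : 198.51.100.0/24 : 127.0.0.1

# Advertise AUTH, and therefore accept the AUTH command, only from trusted
# clients. The default value is "*", which advertises it to everyone.
auth_advertise_hosts = +trusted_clients

# Run an ACL at connection time so untrusted hosts are refused before they
# can send any SMTP command at all.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  accept hosts = +trusted_clients
  deny   message = SMTP service temporarily restricted to trusted hosts
```

The two settings have different costs. `auth_advertise_hosts` alone keeps inbound internet mail flowing and only narrows exposure of the authentication code paths (three of the six advisory titles mention AUTH or an authentication challenge). The connection ACL is the blunt version of “restricting interactions”: it stops all mail from hosts outside the list, which is acceptable for an internal relay but not for a public MX. Merge the `acl_check_connect` block into the existing `begin acl` section of the running configuration rather than adding a second `begin acl`, and check the result with `exim -bV` before restarting.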
This is not the first time a security flaw in a widely used mail transfer agent has been exposed. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively tracked as 21Nails that enable unauthenticated attackers to achieve full remote code execution and gain root privileges.
Earlier in May 2020, the US government reported that hackers affiliated with Sandworm, a Russian state-sponsored group, were exploiting a critical Exim vulnerability (CVE-2019-10149, CVSS score: 9.8) to infiltrate sensitive networks.
The development also comes on the heels of a new study by researchers from the University of California San Diego that describes a novel technique called forwarding-based spoofing, which takes advantage of weaknesses in email forwarding to send messages impersonating legitimate entities, thereby compromising their integrity.
The research found, “The basic protocol used to check the authenticity of emails assumes that each organization operates its own mailing infrastructure, with specific IP addresses not used by other domains.”
“But today, many organizations outsource their email infrastructure to Gmail and Outlook. As a result, thousands of domains have handed over the authority to send email on their behalf to the same third parties. While these third-party providers confirm that their users only send emails on behalf of the domains they administer, this protection can be bypassed by email forwarding.”
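The assumption the researchers describe, that an SPF check identifies one organization because its IP addresses are used by no other domain, can be seen in a small SPF evaluator. The following is an added example, not code from the article or from the UC San Diego study; the DNS records, the provider name `sharedmail.example` and the customer domains are constructed for illustration, and the evaluator handles only the `ip4`, `include` and `all` terms of the SPF syntax.

```python
"""Toy SPF evaluation over a constructed DNS table (added example)."""
import ipaddress

# Constructed TXT records. 'sharedmail.example' stands in for an outsourced
# provider whose address range is included by many customer domains.
DNS_TXT = {
    "sharedmail.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "alpha.example": "v=spf1 include:sharedmail.example -all",
    "beta.example": "v=spf1 include:sharedmail.example -all",
    "solo.example": "v=spf1 ip4:198.51.100.10 -all",
}


def spf_check(domain, client_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for a connection from client_ip claiming to send as domain.
    Only the ip4, include and all terms are understood."""
    if depth > 10:                      # RFC 7208 lookup limit, simplified
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # include: matches when the referenced domain's policy passes
            if spf_check(term[len("include:"):], client_ip, depth + 1) == "pass":
                return "pass"
        elif term.endswith("all"):
            qualifier = term[0] if len(term) == 4 else "+"
            return {"-": "fail", "~": "softfail", "+": "pass"}.get(qualifier, "neutral")
    return "neutral"


def domains_authorizing(client_ip, domains):
    """Every domain whose SPF policy authorizes client_ip to send for it."""
    return sorted(d for d in domains if spf_check(d, client_ip) == "pass")


if __name__ == "__main__":
    # A single provider address passes SPF for every customer of that provider,
    # so the check alone cannot say which customer actually sent the message.
    print(domains_authorizing("203.0.113.7", DNS_TXT))
```

Run from the provider's address 203.0.113.7, the check passes for both `alpha.example` and `beta.example`, which is exactly the situation the quoted text describes: once thousands of domains include the same third party, an IP-based sender check no longer distinguishes one of them from another, and whatever prevents cross-customer impersonation has to be enforced by the provider, not by SPF.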