Millions of Exim instances are at risk of remote attacks due to several critical vulnerabilities in the Exim open-source mail transfer agent (MTA). The flaws could allow attackers to compromise affected servers and gain access to sensitive data, including emails.
The most critical vulnerabilities discovered in Exim include:
- CVE-2023-42118 - An integer overflow issue in libspf2 when parsing SPF macros. A remote attacker can pass specially crafted data to the server, trigger an integer underflow and execute arbitrary code on the target system.
- CVE-2023-42117 - A buffer overflow issue in the smtp service. A remote attacker can send specially crafted data to the server, trigger memory corruption and execute arbitrary code on the target system.
- CVE-2023-42116 - A stack-based buffer overflow stemming from a boundary error when handling NTLM challenge requests. A remote unauthenticated attacker can send specially crafted data to the server, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
- CVE-2023-42115 - An out-of-bounds write issue, which exists due to a boundary error when handling the AUTH command. A remote unauthenticated attacker can send specially crafted data to the server, trigger an out-of-bounds write and execute arbitrary code on the target system.
In an advisory posted on the Open Source Security mailing list, Exim maintainers said that fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are “available in a protected repository and are ready to be applied by the distribution maintainers.”
According to Exim project member Heiko Schlittermann, the team received the bug report from Trend Micro's Zero Day Initiative (ZDI), but it lacked the details needed to develop a patch.
“Next contact with ZDI was in May 2023. Right after this contact we created project bug tracker for 3 of the 6 issues. 2 high scored of them are fixed (OOB access). A minor scored (info leak) is fixed too,” Schlittermann explained, adding that “the remaining issues are debatable or miss information we need to fix them.”
“We're more than happy to provide fixes for all issues as soon as we receive detailed information,” he said.
According to recent data, Exim is installed on more than 56% (342,337) of the 602,000 mail servers reachable on the internet. A Shodan search showed that there are currently more than 3.5 million Exim servers exposed on the internet, the majority of them located in the United States, followed by Russia, Germany, the Netherlands, and Canada.