Security
Headlines
HeadlinesLatestCVEs

Headline

Exim finally fixes 3 out of 6 vulnerabilities

Categories: Business Categories: News Tags: Exim

Tags: mta

Tags: cla

Tags: spf

Tags: nltm

Tags: cvss

Tags: cve-2023-42115

Tags: cve-2023-42116

Tags: cve-2023-42117

Tags: cve-2023-42118

Tags: cve-2023-42119

Tags: cve-2023-42114

Tags: dbs spa

Six vulnerabilities in the Exim message transfer agent have been fixed—over a year after they were reported.

(Read more…)

The post Exim finally fixes 3 out of 6 vulnerabilities appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability#mac#linux#debian#perl#auth#zero_day

Exim is a message transfer agent (MTA) originally developed at the University of Cambridge for use on Unix systems connected to the internet, and is freely available under the terms of the GNU General Public Licence.

Even though the name may be new to you, a Shodan search revealed 3.5 million servers online. According to recent data, they account for more than half of all email servers. Most of these servers are in the US, Russia, Germany, and the Netherlands. The large numbers are, at least partly, due to the fact that on Debian-based Linux systems, Exim is the default MTA software.

For over a year, many of these servers have been vulnerable to six zero-day vulnerabilities. An anonymous researchers filed those vulnerabilities through the Zero Day Initiative (ZDI) that acts as an intermediary to reward researchers and helps them to responsibly disclose vulnerabilities.

The word “finally” in the title stems from the fact that these vulnerabilities were reported to Exim on June 14, 2022. After 10 months of silence, the ZDI made an enquiry to see if anything had been done about them and as a reply received a request to re-send the reports.

Another four months went by and ZDI sent an ultimatum announcing the intention to publish the case as a zero-day advisory on September 27, 2023.

From the description of the vulnerabilities there was no reason to think that these were minor bugs, not worthy of immediate attention. Let’s look, for example, at the vulnerability listed as “CVE-2023-42115 (CVSS score 9.8 out of 10): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.”

The specific flaw exists within the SMTP service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.

Now, Exim has acknowledged the bugs and published the available fixes on October 2, 2023 providing mitigation advice for all of them.

The delay seems to be a lack of communication where each side is blaming the other for not being clear and proactive enough. It’s hard to say who’s at fault here, but the issue remains that the goal of responsible disclosure wasn’t achieved.

What can Exim administrators do

Even though some researchers say that the vulnerabilities are not that severe, you may want to check if your setup is vulnerable and apply fixes or mitigations where needed.

The three vulnerabilities that have been fixed (CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116) are all related to Secure Password Authentication (SPA)/New Technology LAN Manager (NTLM), and EXTERNAL authentication. EXTERNAL authentication enables authentication based on some properties which are external to the Simple Mail Transfer Protocol (SMTP) session which is usually an x509 certificate.

If you do not use SPA/NTLM, or EXTERNAL authentication, you’re not affected. If you are you should install the latest version (4.96.1 or later).

The solution for CVE-2023-42117 is to not use Exim behind an untrusted proxy-protocol proxy. The proxy protocol is a simple protocol where the client sends a message to the server asking to make a connection from a specific local IP to a specific remote IP. Once the connection is made, traffic in both directions is relayed as is via the proxy. There are many trustworthy ones to chose from that will properly validate user-supplied data. Exim is working on a fix for this one.

The solution for CVE-2023-42118 is to not use the `spf` (Sender Policy Framework) condition in your access-control list (ACL). The specific flaw exists within the parsing of SPF macros and can only be exploited by network-adjacent attackers.

CVE-2023-42219 is not likely to be fixed by Exim. They feel users should use a trustworthy Domain Name System (DNS) resolver which is able to validate the data according to the DNS record types. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Related news

Gentoo Linux Security Advisory 202402-18

Gentoo Linux Security Advisory 202402-18 - Multiple vulnerabilities have been discovered in Exim, the worst of which can lead to remote code execution. Versions greater than or equal to 4.97.1 are affected.

Ubuntu Security Notice USN-6455-1

Ubuntu Security Notice 6455-1 - It was discovered that Exim incorrectly handled validation of user-supplied data, which could lead to memory corruption. A remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Exim incorrectly handled validation of user-supplied data, which could lead to an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information.

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously way back in June 2022, is as follows - CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability