Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

Cyber Security Threat Summary:
A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software which, if successfully exploited, could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro's Zero Day Initiative (ZDI), which uncovered the flaw, CVE-2023-42115 results from improper validation of user-supplied data, which can cause a write past the end of a buffer and allow an attacker to execute code in the context of the service account.

In addition to CVE-2023-42115, ZDI also disclosed five other vulnerabilities impacting Exim MTA, ranging from medium to high severity:

  • CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
  • CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
  • CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
  • CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
  • CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)

Security Officer Comments:
The above flaws impact all versions of Exim. Although the bugs were disclosed to Exim back in June 2022, some have still not received a fix. According to Exim developer Heiko Schlittermann, fixes have been created for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116. Schlittermann noted on the Open Source Security (oss-sec) mailing list that these fixes are available in a protected repository and are ready to be applied by the distribution maintainers. However, it is unclear if the repo will be made public or when the updates will be readily available. As for the remaining flaws, Schlittermann stated that these are debatable or are missing the information required to fix them. Exim is expected to fix these issues as soon as they "receive detailed information."

Suggested Correction(s):
According to a Shodan search, there are currently over 3.5 million Exim servers exposed to the internet, most of which reside in the United States, followed by Russia and Germany. With patches not being readily available to secure vulnerable Exim servers, administrators have been advised to restrict remote access from the internet to prevent potential attacks.
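One way to put that recommendation into practice on a Linux host running Exim, as an added example that is not part of the original advisory or of Exim's own documentation: a POSIX shell function that emits an nftables ruleset limiting inbound TCP/25 (Exim's default SMTP listener) to an explicit allowlist of upstream relays, so a server that cannot yet be patched is no longer reachable from the whole internet. The function name, the table and set names, and the relay addresses are illustrative assumptions, as is the use of nftables as the host firewall.

```shell
#!/bin/sh
# Added example (not from the advisory or the Exim project): generate an
# nftables ruleset that allows SMTP (TCP/25) only from trusted relay hosts
# and logs and drops every other connection attempt to the Exim listener.
# Relay addresses passed on the command line are constructed placeholders.

# exim_smtp_allowlist_rules RELAY [RELAY...]
# Prints the ruleset to stdout; apply it with:
#   exim_smtp_allowlist_rules 192.0.2.10 198.51.100.0/24 | nft -f -
exim_smtp_allowlist_rules() {
    [ "$#" -ge 1 ] || { echo "usage: exim_smtp_allowlist_rules RELAY..." >&2; return 1; }

    # Reject anything that is not a plain IPv4 address or CIDR prefix so a
    # typo cannot silently produce a ruleset nft refuses to load.
    for relay in "$@"; do
        case "$relay" in
            ""|*[!0-9./]*) echo "invalid relay address: $relay" >&2; return 1 ;;
        esac
    done

    # Build the comma-separated element list for the nftables set.
    relays=$(printf '%s, ' "$@")
    relays=${relays%, }

    cat <<EOF
table inet exim_smtp {
    set trusted_relays {
        type ipv4_addr
        flags interval
        elements = { $relays }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # keep sessions that are already established working
        ct state established,related accept
        # accept SMTP only from the allowlisted relays
        tcp dport 25 ip saddr @trusted_relays accept
        # everything else aimed at the SMTP listener is logged and dropped
        tcp dport 25 log prefix "exim-smtp-blocked: " drop
    }
}
EOF
}
```

Because the table is of family `inet` and the set holds IPv4 entries, an IPv6 connection to port 25 matches none of the accept rules and falls through to the drop rule, so the restriction fails closed; add a second set of type `ipv6_addr` if relays reach the host over IPv6. The log prefix gives a simple string to alert on for attempts that arrive from outside the allowlist.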