Critical Vulnerabilities Found in Exim MTA Servers
The Critical Flaws Are Leaving Millions of Servers Exposed.
Newly discovered critical vulnerabilities in the Exim mail transfer agent allow unauthenticated remote attackers to execute arbitrary code and gain root privileges on mail servers.
Exim is a well-known mail transfer agent available for major Unix-like operating systems. It comes pre-installed on Linux distributions such as Debian, and approximately 60% of Internet servers run Exim.
The Qualys Research Team found and reported 10 remotely exploitable and 11 locally exploitable security flaws, now collectively known as 21Nails.
Notably, all of these vulnerabilities are present in versions released before Exim 4.94.2, so any version prior to this update may be vulnerable to attacks that exploit the 21Nails flaws.
Some of the vulnerabilities can be chained together to obtain full unauthenticated remote code execution and root privileges on the Exim server.
One of the vulnerabilities discovered by the Qualys Research Team (CVE-2020-28017) affects all versions of Exim going back to 2004, the beginning of its Git history 17 years ago.
MTA servers like Exim are an easy target because in most cases they are reachable over the Internet, giving attackers a simple entry point into a target’s network.
If not patched promptly, the servers in question could fall victim to remote command execution attacks, so all Exim users should upgrade to the latest available Exim version as soon as possible to block attacks targeting their vulnerable servers.
If you need to upgrade from an Exim version older than 4.94, you will also need to recreate your server configuration due to issues with *tainted data*, according to Exim developer Heiko Schlittermann.
Alternatively you can use the exim-4.94.2+taintwarn branch. This branch tracks exim-4.94.2+fixes and adds a new main config option, ‘allow_insecure_tainted_data’ (the option is already deprecated and will be ignored in a future release of Exim).
This option allows you to turn the taint errors into warnings. (Debian is set to include this “taintwarn” patch in its Exim 4.94.2 release).
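As an added illustration (not code from the article or from the Exim project), the following Python check flags the two things the article tells an administrator to look at: an upstream version older than 4.94.2, and a main config that sets `allow_insecure_tainted_data` so taint errors become warnings. It assumes the first line of `exim -bV` (which reads like `Exim version 4.94.2 #2 built ...`) as input; distributions that backport fixes without changing that version string make the version check a first-pass indicator only.

```python
import re
from typing import List, Optional, Tuple

# First fixed release named in the article: anything earlier is in scope for 21Nails.
FIXED_VERSION = (4, 94, 2)

# First line of `exim -bV`, e.g. "Exim version 4.94.2 #2 built 10-May-2021 12:00:00".
_BANNER_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?")
# Exim boolean option forms: "name = yes|true|no|false", bare "name" (true),
# or "no_name" / "not_name" (false); a trailing "# comment" is tolerated.
_TAINT_OPT_RE = re.compile(
    r"^\s*(no_|not_)?allow_insecure_tainted_data\s*(?:=\s*(\w+))?\s*(?:#.*)?$",
    re.IGNORECASE,
)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the first `exim -bV` line, or None if unrecognised."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_pre_21nails_fix(version: Tuple[int, int, int]) -> bool:
    """True when the upstream version predates 4.94.2 (tuple order: 4.94 < 4.94.2 < 4.95)."""
    return version < FIXED_VERSION


def taint_warnings_enabled(config_text: str) -> bool:
    """True when the main config enables allow_insecure_tainted_data (last setting wins)."""
    enabled = False
    for line in config_text.splitlines():
        m = _TAINT_OPT_RE.match(line)
        if m:
            negated, value = m.group(1), (m.group(2) or "yes").lower()
            enabled = value in ("yes", "true") and not negated
    return enabled


def assess(banner: str, config_text: str) -> List[str]:
    """Summarise the two indicators a defender would check on an Exim host."""
    findings = []
    version = parse_exim_version(banner)
    if version is None:
        findings.append("could not parse Exim version banner")
    elif is_pre_21nails_fix(version):
        findings.append("Exim %d.%d.%d predates 4.94.2: upgrade" % version)
    if taint_warnings_enabled(config_text):
        findings.append("allow_insecure_tainted_data is on: taint errors are only warnings")
    return findings


if __name__ == "__main__":  # constructed sample inputs, not captured from a real host
    print(assess("Exim version 4.92 #3 built 30-Sep-2019 10:00:00",
                 "primary_hostname = mail.example.test\nallow_insecure_tainted_data = yes\n"))
```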