Last week, Trend Micro’s Zero Day Initiative (ZDI) revealed six zero-day vulnerabilities in Exim, a popular mail transfer agent. As of Monday, three of these vulnerabilities remain unpatched. The vulnerabilities were initially discovered by an anonymous researcher who reported them to ZDI and the Openwall Project in June 2022. ZDI then disclosed the zero days in separate advisories last Wednesday, highlighting the need to limit interaction with affected applications as the only current mitigation strategy. The advisories also warned that no authentication is required for exploitation.
The most critical vulnerability among the six is an out-of-bounds write remote code execution flaw, CVE-2023-42115, which received a critical CVSS score of 9.8. The flaw exists within the SMTP service, the component that implements the Simple Mail Transfer Protocol used for sending and receiving email. Whether these zero-day vulnerabilities are being actively exploited remains uncertain.
ZDI’s advisory states, “An attacker can leverage this vulnerability to execute code in the context of the service account.” Openwall released patches for three of the vulnerabilities, including CVE-2023-42115, on Friday. The remaining three zero days are still awaiting fixes.
For CVE-2023-42118, which received a CVSS score of 7.5, a recommended mitigation strategy is to avoid using the ‘spf’ condition in the ACL. As for low-scoring CVE-2023-42119, Exim is still considering the best course of action. Similarly, although CVE-2023-42117 received an 8.1 CVSS score, no fix has been released yet.
The disclosure timeline surrounding these vulnerabilities has raised some questions. ZDI reported the vulnerabilities to the Openwall Project on June 14, 2022, and publicly released the information on September 27. Communication between those two dates was troubled. ZDI requested an update on April 25, but Openwall asked for the reports to be resent. After ZDI re-sent the reports, it asked for an update again five months later and informed Exim of its intent to publish a zero-day advisory on September 27.
Heiko Schlittermann, an Exim developer, published an email through the Openwall Project, which expressed doubts about ZDI’s disclosure timeline. While patches for three of the vulnerabilities, including CVE-2023-42115, were available, it is unclear when they were completed. Schlittermann stated in the email, “The ZDI contacted us in June 2022. We asked about details but didn’t get answers we were able to work with… The remaining issues are debatable or miss information we need to fix them.”
In response to Schlittermann’s criticisms, a ZDI representative replied on the Open Source Security List on September 29. They mentioned that ZDI contacted Exim developers multiple times, but the responses and progress were slow. When the disclosure timeline was exceeded by several months, ZDI notified the maintainer about the intention to publicly disclose the bugs. They also added that they would update the advisories once the developers provide the necessary information to close the issues.
Exim has urged users to update their software to version 4.96.1 to mitigate the impact of these vulnerabilities. Schlittermann also apologized to users for any inconvenience caused. These six zero-day vulnerabilities in Exim highlight a recurring issue, as there have been previous instances of multiple vulnerabilities in the message transfer agent software. While patches have been made available, it remains to be seen how quickly users will apply them. For example, in 2020, the National Security Agency warned about active exploitation of a known Exim vulnerability by the Russian threat group Sandworm, which was first disclosed and patched in 2019.
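As an added example (not from the article or from the Exim project), the following POSIX shell check applies the two mitigations the article names: confirming that the installed Exim is at least version 4.96.1, and flagging any use of the `spf` ACL condition recommended against for CVE-2023-42118. The `exim -bV` output and the ACL fragment are constructed samples; on a real host you would feed in the live output and configuration instead.

```shell
#!/bin/sh
# Constructed sample of `exim -bV` output (assumption: the real binary is not run here).
SAMPLE_BV='Exim version 4.96 #2 built 05-Jun-2023 10:12:04
Copyright (c) University of Cambridge, 1995 - 2018
Configuration file is /etc/exim4/exim4.conf'

# Constructed sample ACL fragment that uses the spf condition.
SAMPLE_ACL='acl_check_rcpt:
  # deny on hard SPF failure
  deny    message = SPF check failed
          spf     = fail
  accept'

# Print the version string from `exim -bV` style output (e.g. "4.96" or "4.96.1").
exim_version() {
  printf '%s\n' "$1" | awk '/^Exim version/ { print $3; exit }'
}

# Return 0 (true) when version $1 is older than 4.96.1, the fixed release named in the article.
needs_update() {
  printf '%s\n' "$1" | awk -F. '{
    maj = $1 + 0; min = $2 + 0; pat = $3 + 0
    if (maj < 4 || (maj == 4 && (min < 96 || (min == 96 && pat < 1)))) exit 0
    exit 1
  }'
}

# Return 0 (true) when the ACL text uses the spf condition on a non-comment line.
uses_spf_condition() {
  printf '%s\n' "$1" \
    | grep -Ev '^[[:space:]]*#' \
    | grep -Eq '(^|[[:space:]])spf[[:space:]]*='
}

# Stand-alone run against the constructed samples.
report() {
  v=$(exim_version "$SAMPLE_BV")
  if needs_update "$v"; then echo "Exim $v is older than 4.96.1: update required"; fi
  if uses_spf_condition "$SAMPLE_ACL"; then echo "ACL uses the spf condition: remove it until CVE-2023-42118 is fixed"; fi
}
report
```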
Neither Heiko Schlittermann nor the Openwall Project provided any comments at the time of press. However, a ZDI spokesperson stated that they had reached out multiple times to the developers regarding the bug reports but made little progress. After the disclosure timeline was significantly exceeded, they informed the maintainer about the intention to publicly disclose the bugs. They also pledged to update the advisories with relevant information once it is provided by the developers.
In conclusion, the disclosure of these zero-day vulnerabilities in Exim underscores the importance of timely patches and effective communication between security researchers and software developers. Users are strongly advised to update their software to the latest version to mitigate the risks associated with these vulnerabilities.