Last week, a disorderly disclosure process resulted in the release of information on six vulnerabilities in the Exim mail transfer agent. The disclosures came just five days before patches for the issues were released by the maintainers. This left organizations potentially open to attacks, including the most serious flaw, a critical remote code execution (RCE) vulnerability.
The six vulnerabilities range from information disclosure issues to the critical RCE bug. The RCE vulnerability, which can be exploited through a simple email message with no authentication, has a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), according to the Zero Day Initiative’s listing of published advisories.
On October 2, the maintainers of Exim released version 4.96.1 of the software to fix three of the vulnerabilities. However, information on the six issues was disclosed last week by the Zero Day Initiative, a third-party bug bounty program run by security firm Trend Micro. The disclosure was in line with their policy of releasing vulnerability information if the issues are not addressed within four months.
The potential risk posed by these vulnerabilities is significant, considering that between 250,000 and 3.5 million Exim servers are currently used by organizations for email handling. Mail servers are popular targets for attackers, as they can be exploited to compromise sensitive information or misuse the server for malicious activities such as sending spam emails.
Exim and other mail servers have historically been targeted by attackers because exploiting them can be as easy as sending a specially crafted email. In 2019, a critical vulnerability in Exim was discovered by researchers at Qualys. At that time, there were no known exploits. However, the following year, the National Security Agency warned that the Russia-linked Sandworm group had successfully exploited the flaw to compromise organizations.
The good news is that, so far, no exploits for the latest vulnerabilities have been released. Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, stated that they have no indication of the potential exploitability of these bugs and are not aware of any active exploits using them.
Exim is the most popular mail transfer agent on the Internet, accounting for 59% of identifiable mail servers. It is followed by Postfix, another open-source mail transfer agent, with 149,000 detectable installations. A query of the Shodan scanner found almost 3.5 million Exim servers, including 1.9 million in the US. The flexibility, stability, and efficiency of Exim make it a versatile solution, providing an economical self-hosting option with ownership and privacy control over email infrastructure.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), five previous vulnerabilities in the Exim software were exploited by attackers between 2010 and 2019. Microsoft Exchange is another common target, accounting for 15 of the known exploited vulnerabilities tracked by CISA.
Exacerbating the typical problems with disclosure and patching are disagreements between the maintainers of Exim and the researchers at the Zero Day Initiative. The Zero Day Initiative reported the vulnerabilities to the vendor in June 2022 but saw little progress in response. After their disclosure timeline had been exceeded by many months, they notified the maintainer of their intent to publicly disclose the bugs. The maintainer had a different perspective, stating that the ZDI contacted them in June 2022 but provided insufficient details to work with. The first contact with the ZDI after that was in May 2023, at which point the Exim maintainers created a project bug tracker for three of the six issues.
One of the challenges in securing Exim mail servers is the lack of regular updates. A scan conducted in March found that only 14% of Exim servers had the latest software installed. Many of these servers are configured and then left without updates, which leaves them vulnerable to exploits. Some instances have even been observed where Exim systems are running outdated versions that date back to 2014.
To mitigate the risk, companies using Exim mail servers should patch their software to version 4.96.1 as soon as possible. This will ensure that the latest vulnerabilities are addressed and reduce the risk of exploitation. As email servers continue to be popular targets for attackers, maintaining up-to-date software and following security best practices is crucial in protecting sensitive information and preventing unauthorized access.
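As an added example (not from the article or the Exim project), a small Python check that parses the first line of `exim -bV` output and reports whether a host is at or past the 4.96.1 fix release the article names. It assumes the `exim` binary is on PATH and that the output begins with "Exim version X.Y.Z"; the sample lines in the block are constructed.

```python
"""Check an installed Exim's version against the 4.96.1 fix release.

Added example, not part of the original article. It assumes the Exim
binary is on PATH as `exim` and that `exim -bV` prints a first line of
the form "Exim version 4.96 #2 built 19-Nov-2022 12:34:56".
"""
import re
import subprocess

# Release that the article says fixes three of the six issues.
FIXED_VERSION = "4.96.1"

# Captures the dotted numeric part only; a suffix such as "-RC1" is ignored.
_VERSION_RE = re.compile(r"Exim version (\d+(?:\.\d+)*)")


def parse_version(bv_output: str):
    """Return the version in `exim -bV` output as an int tuple, or None."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(bv_output: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the reported version is at or past the fix release.

    Tuples compare element-wise, so (4, 96) < (4, 96, 1) < (4, 97):
    a bare 4.96 install is correctly flagged as needing the update.
    """
    found = parse_version(bv_output)
    if found is None:
        return False  # unparseable output: do not report it as patched
    return found >= tuple(int(p) for p in fixed.split("."))


def check_local_exim() -> bool:
    """Run `exim -bV` on this host; False if Exim is absent or unpatched."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return is_patched(proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines standing in for real `exim -bV` output.
    for sample in ("Exim version 4.96 #2 built 05-Aug-2022 12:00:00",
                   "Exim version 4.96.1 #1 built 02-Oct-2023 09:00:00"):
        print(sample.split(" #")[0], "->",
              "patched" if is_patched(sample) else "UPDATE NEEDED")
```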
