Thousands of servers running the Exim mail transfer agent are vulnerable to potential attacks that exploit critical vulnerabilities, allowing remote execution of malicious code with little or no user interaction.
The vulnerabilities were reported on Wednesday by Zero Day Initiative, but they largely escaped notice until Friday when they surfaced in a security mail list. Four of the six bugs allow for remote code execution and carry severity ratings of 7.5 to 9.8 out of a possible 10. Exim said it has made patches for three of the vulnerabilities available in a private repository. The status of patches for the remaining three vulnerabilities—two of which allow for RCE—are unknown. Exim is an open source mail transfer agent that is used by as many as 253,000 servers on the Internet.
“Sloppy handling” on both sides
ZDI provided no indication that Exim has published patches for any of the vulnerabilities, and at the time this post went live on Ars, the Exim website made no mention of any of the vulnerabilities or patches. On the OSS-Sec mail list on Friday, an Exim project team member said that fixes for two of the most severe vulnerabilities and a third, less severe one are available in a “protected repository and are ready to be applied by the distribution maintainers.”
There were no more details about the fixes, precisely how admins obtain them, or if there are mitigations available for those who can’t patch right away. Exim project team members didn’t respond to an email asking for additional information.
The most severe of the vulnerabilities, tracked as CVE-2023-42115, is among those that the Exim team member said have been patched. ZDI described it as an out-of-bounds flaw in an Exim component that handles authentication.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim,” Wednesday’s advisory stated. “Authentication is not required to exploit this vulnerability.”
Another patched vulnerability, tracked as CVE-2023-42116, is a stack-based overflow in the Exim challenge component. Its severity rating is 8.1 and also allows for RCE.
“The specific flaw exists within the handling of NTLM challenge requests,” ZDI said. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.”
The third fixed vulnerability is tracked as CVE-2023-42114, which allows for disclosure of sensitive information. It carries a rating of 3.7.
Some critics have called out the Exim project for not transparently disclosing the vulnerabilities. Adding more fuel to the critiques, the ZDI disclosures provided a timeline that indicated company representatives notified Exim project members of the vulnerabilities in June 2022. A handful of back-and-forth interactions occurred over the intervening months until ZDI disclosed them Wednesday.
In a post on Friday to the OSS-Sec mail list, Exim project team member Heiko Schlittermann said that after receiving the private ZDI report in June 2022, team members asked for additional details “but didn’t get answers we were able to work with.” The next contact didn’t occur until May 2023. “Right after this contact we created project bug tracker for 3 of the 6 issues,” Schlittermann said. “The remaining issues are debatable or miss information we need to fix them.”
Some people participating in the discussion criticized both sides.
“This looks like sloppy handling of these issues so far by both ZDI and Exim—neither team pinging the other for 10 months, then Exim taking 4 months to fix even the 2 high-scored issues it did have sufficient info on,” the distinguished security researcher known as Solar Designer wrote. “What are you doing to improve the handling from this point on?”
The critic also asked Schlittermann when OS distributions will be permitted to make the Exim updates public since the fixes are currently in a protected repository. “I suggest that you set a specific date/time e.g. in 2 days from now when both the Exim project will make the repo and the fixed bug entries … public _and_ distros will release updates.”
No one from Exim responded to those questions or, as mentioned earlier, to questions Ars sent by email shortly afterward.
With only a limited number of details becoming available so late on a Friday, patching and potential mitigations may not be as straightforward as some admins might hope. Despite any potential hardships, the vulnerabilities sound serious. In 2020, the National Security Agency reported that hackers in Sandworm, an elite threat actor backed by the Kremlin, had been exploiting a critical Exim vulnerability to compromise networks belonging to the US government and its partners. Now that new Exim vulnerabilities have come to light, it wouldn’t be surprising if threat actors hope to capitalize on them.