Twenty-one newly discovered vulnerabilities in the Exim Mail Transfer Agent (MTA) have been rated critical. Administrators should patch as soon as possible.
What’s the nature of the vulnerabilities?
Discovered by Qualys Research and dubbed “21Nails,” the 21 vulnerabilities in the Exim mail transfer agent (MTA) comprise 10 remotely exploitable and 11 locally exploitable flaws.
Most of them affect every version of Exim going back to 2004.
The list of all 21 vulnerabilities:
CVE | Description | Attack vector |
---|---|---|
CVE-2020-28007 | Link attack in Exim’s log directory | Local |
CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
CVE-2021-27216 | Arbitrary file deletion | Local |
CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
CVE-2020-28015 | New-line injection into spool header file (local) | Local |
CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |
Mail Transfer Agent (MTA) servers are by nature reachable from the Internet: a mail server that cannot accept connections from arbitrary hosts cannot receive mail. That makes a vulnerable MTA an attractive target, because compromising it gives an attacker a foothold inside the network.
This is not the first time Exim has been in the news for vulnerabilities. In 2019, Microsoft warned Azure customers about a Linux worm exploiting CVE-2019-10149, a remote code execution flaw in Exim 4.87 through 4.91.
What’s the risk?
By exploiting one or more of the 21Nails vulnerabilities, attackers can remotely execute arbitrary code, create mail accounts, establish persistence on the Exim host and pivot to other vulnerable systems on the network, among other things. Qualys reports that some of the flaws can be chained to obtain unauthenticated remote code execution as root.
Exposure is very high: scans at the time of disclosure showed over 3 million Internet-facing Exim mail servers running vulnerable versions.
What versions of Exim are affected?
All versions of Exim prior to 4.94.2, the fixed release published on 4 May 2021.
How can I protect against it?
Exim has released a fixed version, 4.94.2. The upgrade is not trivial for sites still running a release older than 4.94: since 4.94, Exim refuses to use “tainted” data (values that arrive from untrusted sources such as the SMTP envelope or message headers) directly in file names and similar places, so configurations that do this must be reworked. From the release notes:
> Upgrade notes
> -------------
> In case you need to upgrade from a version <4.94, you may encounter issues with *tainted data*. This is a security measure which we introduced with 4.94. Your configuration needs to be reworked. Alternatively you can use the exim-4.94.2+taintwarn branch. This branch tracks exim-4.94.2+fixes and adds a new main config option (the option is deprecated already today and will be ignored in a future release of Exim): "allow_insecure_tainted_data". This option allows you to turn the taint errors into warnings (Debian is set to include this "taintwarn" patch in its Exim 4.94.2 release).
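To make the “tainted data” rework concrete, here is an added example (not from the advisory or the Exim project) of a typical virtual-domain router that works on releases before 4.94 but is rejected by 4.94 and later, followed by the reworked form and the stop-gap option from the notes above. The path /etc/exim4/virtual and the router names are assumptions; the routers belong in the routers section of the configuration, while the main option must appear before the first begin line.

```exim
# Added example, not Exim's own configuration. Assumes one alias file per
# virtual domain under /etc/exim4/virtual/<domain>, each line "user: target".

# Before: $domain and $local_part come straight from the SMTP session, so they
# are tainted. Building a file name from $domain is rejected on 4.94+ with a
# "Tainted filename for search" expansion error and the message is deferred.
virtual_aliases_old:
  driver = redirect
  domains = dsearch;/etc/exim4/virtual
  data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain}}

# After: the dsearch lookup in "domains" matches the incoming domain against
# the directory entries in /etc/exim4/virtual and exposes the matched entry as
# $domain_data. That value came from the filesystem, not from the client, so it
# is untainted and may be used in a file name. The lsearch result (the alias
# target read from the file) is likewise untainted.
virtual_aliases:
  driver = redirect
  domains = dsearch;/etc/exim4/virtual
  data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain_data}}
  no_more

# Stop-gap only, available on the exim-4.94.2+taintwarn branch (and in Debian's
# 4.94.2 packages): turns taint errors into log warnings so mail keeps flowing
# while the configuration is fixed. Main option, already deprecated; remove it
# once every router and transport has been reworked.
allow_insecure_tainted_data = yes
```

After upgrading, `exim -bt someone@example.com` runs an address through the routers the same way delivery does, so a router that still builds a file name from tainted input fails there with the tainted-filename error instead of deferring live mail. The allow_insecure_tainted_data stop-gap only downgrades the error to a warning; the data is still untrusted, so treat it as a way to keep mail flowing for a short time while the configuration is fixed, not as a fix.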
References
Qualys advisory:
https://www.qualys.com/2021/05/04/21nails/21nails.txt
Bleeping Computer article:
https://www.bleepingcomputer.com/news/security/critical-21nails-exim-bugs-expose-millions-of-servers-to-attacks/
Openwall thread on Exim upgrade:
https://www.openwall.com/lists/oss-security/2021/05/04/6
ZJ