By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

“21Nails” in Exim MTA Leave It Critically Exposed

21 newly discovered bugs in Exim’s Mail Transfer Agent (MTA) software have been discovered as critical vulnerabilities. Adminstrators should patch ASAP.


What’s the nature of the vulerabilities?

Discovered by Qualsys Research and cleverly dubbed “21Nails,” the 21 vulnerabilities present in Exim’s mail transport agent (MTA) product are comprised of 10 remotely exploitable and 11 locally exploitable security flaws.

The vulnerabilities affect all versions of Exim dating back to 2004.

The list of all 21 vulnerabilities:

CVEDescriptionType
CVE-2020-28007Link attack in Exim’s log directoryLocal
CVE-2020-28008Assorted attacks in Exim’s spool directoryLocal
CVE-2020-28014Arbitrary file creation and clobberingLocal
CVE-2021-27216Arbitrary file deletionLocal
CVE-2020-28011Heap buffer overflow in queue_run()Local
CVE-2020-28010Heap out-of-bounds write in main()Local
CVE-2020-28013Heap buffer overflow in parse_fix_phrase()Local
CVE-2020-28016Heap out-of-bounds write in parse_fix_phrase()Local
CVE-2020-28015New-line injection into spool header file (local)Local
CVE-2020-28012Missing close-on-exec flag for privileged pipeLocal
CVE-2020-28009Integer overflow in get_stdinput()Local
CVE-2020-28017Integer overflow in receive_add_recipient()Remote
CVE-2020-28020Integer overflow in receive_msg()Remote
CVE-2020-28023Out-of-bounds read in smtp_setup_msg()Remote
CVE-2020-28021New-line injection into spool header file (remote)Remote
CVE-2020-28022Heap out-of-bounds read and write in extract_option()Remote
CVE-2020-28026Line truncation and injection in spool_read_header()Remote
CVE-2020-28019Failure to reset function pointer after BDAT errorRemote
CVE-2020-28024Heap buffer underflow in smtp_ungetc()Remote
CVE-2020-28018Use-after-free in tls-openssl.cRemote
CVE-2020-28025Heap out-of-bounds read in pdkim_finish_bodyhash()Remote

Mail Transport Agent (MTA) servers tend to be easily reachable by outside attackers because the nature of mail servers necessitates being accessible from the Internet. For this reason, this is a dream target for attackers as it can present a good foothold in a network.

This is not the first time Exim has been in the news for vulnerabilities. In 2019, Microsoft warned of CVE-2019-10149, a Linux worm targeting Exim MTA with an RCE that made it possible to hack Azure servers.


What’s the risk?

Upon exploiting one or more of the 21Nails vulnerabilities, attackers can remote execute arbitrary code, create mail accounts, establish some persistence in Exim, traverse the network to exploit other vulnerable endpoints, et al. 

Exposure is very high considering that scans show over 3 million Exim mail servers running vulnerable versions.  

 
What versions of Exim are affected?

All versions of Exim MTA prior to 4.94.2
 

How can I protect against it?

Exim has released a patched version, 4.94.2. This is not without some complications though, as versions being updated prior to 4.94 will need to have server configuration changes made due to issues with “tainted data”:

Upgrade notes
-------------

In case you need to upgrade from a version <4.94, you may encounter
issues with *tainted data*. This is a security measure which we
introduced with 4.94.

Your configuration needs to be reworked.

Alternatively you can use the exim-4.94.2+taintwarn branch. This branch tracks exim-4.94.2+fixes and adds a new main config option (the option is deprecated already today and will be ignored in a future release of Exim): "allow_insecure_tainted_data". This option allows you to turn the taint errors into warnings (Debian is set to include this "taintwarn" patch in its Exim 4.94.2 release).

 

References

Qualsys advisory:
https://www.qualys.com/2021/05/04/21nails/21nails.txt

Bleeping Computer article:
https://www.bleepingcomputer.com/news/security/critical-21nails-exim-bugs-expose-millions-of-servers-to-attacks/

Openwall thread on Exim upgrade:
https://www.openwall.com/lists/oss-security/2021/05/04/6

ZJ

Previous Post

macOS 11.3 Update Patches Anti-Malware Bypass Zero-Day

Next Post

Dell issues update to fix multiple critical privilege escalation vulnerabilities

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.