Exim is a free mail transfer agent (MTA) used on Unix-like operating systems, 59% of all MTA solutions used worldwide are Exim as of May 2021. The maintainers of the Exim email server software have released security updates to address a collection of 21 vulnerabilities, dubbed 21Nails, that can be exploited by attackers to take over servers and access email traffic through them

The vulnerabilities were discovered by security firm Qualys, experts recommend to update installs to Exim version 4.94. The 21Nails vulnerabilities, if left unpatched, could allow threat actors to take over these systems and then intercept or tamper with email communications passing through the Exim server.

21Nails exim flaws

11 issues are local vulnerabilities, while 10 of them could be remotely exploited, experts pointed out all Exim server versions released since 2004 are affected. Below the list of bugs discovered by Qualys:

Experts have not tried to exploit all of these vulnerabilities, they explained that successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs (Remote Code Executions):

  • CVE-2020-28007 (LPE, from user “exim” to root);
  • CVE-2020-28008 (LPE, from user “exim” to root);
  • CVE-2020-28015 (LPE, from any user to root);
  • CVE-2020-28012 (LPE, from any user to root, if allow_filter is true);
  • CVE-2020-28020 (unauthenticated RCE as “exim”, in Exim < 4.92);
  • CVE-2020-28018 (unauthenticated RCE as “exim”, in 4.90 <= Exim < 4.94, if TLS encryption is provided by OpenSSL);
  • CVE-2020-28021 (authenticated RCE, as root);
  • CVE-2020-28017 is also exploitable (unauthenticated RCE as “exim”), but requires more than 25GB of memory in the default configuration.

Experts announced they will not publish that exploits for now.

This is not the first time that experts disclose vulnerabilities in EXIM software, in May 2020 the U.S. National Security Agency (NSA) warned that Russia-linked APT group tracked Sandworm Team were exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA) software since at least August 2019.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in the string_vformat (string.c). An attacker could exploit the flaw using an extraordinary long EHLO string to crash the Exim process that is receiving the message.