Researchers have spotted that thousands of servers running the Exim mail transfer agent are vulnerable to potential attacks that exploit critical vulnerabilities, allowing remote execution of malicious code with little or no user interaction.
Exim is an open-source mail transfer agent that is used by as many as 253,000 servers on the Internet.
The vulnerabilities were identified by the Zero Day Initiative (ZDI). Four of the six bugs allow for remote code execution and carry severity ratings of 7.5 to 9.8. Exim said it has made patches for three of the vulnerabilities available in a private repository. The status of patches for the remaining three vulnerabilities, two of which allow for RCE, is unknown.
No further details were given about the fixes, precisely how admins obtain them, or whether mitigations are available for those who can't patch right away.
The most severe of the vulnerabilities, tracked as CVE-2023-42115, is among those that the Exim team member said have been patched. It is an out-of-bounds flaw in an Exim component that handles authentication. It allows remote attackers to execute arbitrary code on affected installations of Exim, and authentication is not required.
The next vulnerability, tracked as CVE-2023-42116 with a CVSS score of 8.1, is a stack-based overflow in the Exim challenge component and allows for RCE. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
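The bug class described above (a length taken from peer-supplied data used to copy into a fixed-length stack buffer without validation) is easiest to see side by side with the corrected pattern. The following is an added illustration written for this article, not Exim's code: it assumes a simplified length-prefixed challenge message (two-byte big-endian length followed by the payload) and an invented 64-byte working buffer, neither of which is taken from the real Exim NTLM handler. The unchecked parser trusts the declared length; the hardened one rejects a message whose declared length exceeds either the bytes actually received or the buffer, and fails closed rather than truncating.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CHALLENGE_MAX 64   /* assumed working-buffer size for this illustration; not Exim's value */

enum { ERR_SHORT = -1, ERR_TOO_LONG = -2, ERR_ARG = -3 };

/* Vulnerable pattern: the length field inside the message is trusted and used
 * directly as the memcpy size. A declared length above CHALLENGE_MAX overruns
 * the stack frame. Only ever called below with a well-formed sample. */
static int parse_challenge_unchecked(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[CHALLENGE_MAX];
    (void)msg_len;   /* the amount of data actually received is never consulted: the defect */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(buf, msg + 2, declared);
    return (int)declared;
}

/* Hardened pattern: validate the declared length against both the bytes
 * received and the destination buffer before any copy. Returns the payload
 * length on success or a negative error code; never copies on failure. */
int parse_challenge_checked(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[CHALLENGE_MAX];
    if (msg == NULL)
        return ERR_ARG;
    if (msg_len < 2)
        return ERR_SHORT;                    /* not even a complete length field */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > msg_len - 2)
        return ERR_SHORT;                    /* would read past the received data */
    if (declared > sizeof buf)
        return ERR_TOO_LONG;                 /* would write past the stack buffer */
    memcpy(buf, msg + 2, declared);
    return (int)declared;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_ok[]        = { 0x00, 0x04, 'N', 'T', 'L', 'M' }; /* declares 4, 4 follow  */
static const uint8_t sample_truncated[] = { 0x00, 0x10, 'N', 'T' };           /* declares 16, 2 follow */
static const uint8_t sample_short[]     = { 0x00 };                           /* no full length field  */

/* Builds an oversize message (declares 200 bytes, all present) and runs every
 * sample through the hardened parser. Returns 1 if each case is handled as
 * expected, 0 otherwise. */
int run_checks(void)
{
    uint8_t oversize[2 + 200];
    memset(oversize, 'A', sizeof oversize);
    oversize[0] = 0x00;
    oversize[1] = 200;

    int ok = 1;
    ok &= parse_challenge_checked(sample_ok, sizeof sample_ok) == 4;
    ok &= parse_challenge_checked(sample_truncated, sizeof sample_truncated) == ERR_SHORT;
    ok &= parse_challenge_checked(sample_short, sizeof sample_short) == ERR_SHORT;
    ok &= parse_challenge_checked(oversize, sizeof oversize) == ERR_TOO_LONG;
    ok &= parse_challenge_checked(NULL, 0) == ERR_ARG;
    /* the unchecked version gives the same answer on well-formed input, which is
     * why this class of bug survives ordinary functional testing */
    ok &= parse_challenge_unchecked(sample_ok, sizeof sample_ok) == 4;
    return ok;
}

int main(void)
{
    printf("all cases handled as expected: %s\n", run_checks() ? "yes" : "no");
    return run_checks() ? 0 : 1;
}
```

The point worth taking from the comparison is that both parsers behave identically on valid input; only a malformed length exposes the difference, so a fuzzer or an explicit oversize test case, not functional tests, is what catches the unchecked variant.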
The third fixed vulnerability is tracked as CVE-2023-42114 with a CVSS score of 3.7, which allows for disclosure of sensitive information.
Some critics have called out the Exim project for not transparently disclosing the vulnerabilities. The ZDI disclosures provided a timeline that indicated company representatives notified Exim project members of the vulnerabilities in June 2022. A handful of back-and-forth interactions occurred over the intervening months until ZDI disclosed them Wednesday.