Critical Vulnerability in Exim Mail Servers Affects 1.5 Million Instances

July 12, 2024

Censys, a cybersecurity company, has warned that a severe vulnerability is present in over 1.5 million Internet-exposed instances of the Exim mail transfer agent (MTA). The bug, tracked as CVE-2024-39929, lets attackers bypass a security control. Exim's developers have released a patch, but many servers remain unpatched. The vulnerability stems from incorrect parsing of multiline RFC 2231 header filenames (a filename split across numbered continuation parameters on folded header lines), which lets remote attackers slip executable attachments into users' mailboxes past the $mime_filename extension-blocking mechanism, because the extension check never sees the reassembled filename. Censys expressed concern about the potential impact of this vulnerability, stating, "If a user were to download or run one of these malicious files, the system could be compromised."
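The bypass described above, reproduced in Python as an added example (this is not code from the page, from Censys or from the Exim project): a continuation-unaware filename parser stands in for the behaviour the page attributes to vulnerable Exim, beside Python's own RFC 2231-aware email parser. The blocked-extension list, the sample Content-Disposition headers and the wrapper message are all constructed for this example; the naive parser is a simplification, not Exim's actual parsing code.

```python
import email
import re

# Extensions a mail gateway would typically refuse to deliver. Constructed list
# for this example; the page does not give Exim's or any site's actual list.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "lnk"}

# Constructed Content-Disposition header values (not real traffic). The second
# and third spread the filename over RFC 2231 continuation sections on folded
# header lines, which is the shape of header the page says Exim mis-parsed.
SAMPLES = {
    "plain": 'attachment; filename="report.exe"',
    "continuation": 'attachment;\n filename*0="report.";\n filename*1="exe"',
    "encoded": "attachment;\n filename*0*=utf-8''repor;\n filename*1*=t.exe",
}


def build_message(disposition: str) -> str:
    """Wrap one Content-Disposition value in a minimal single-part message.
    The body is plain text; nothing executable is involved."""
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: application/octet-stream\n"
        f"Content-Disposition: {disposition}\n"
        "\n"
        "sample bytes, not an executable\n"
    )


def naive_filename(disposition: str):
    """Filename as seen by a parser that only understands a plain filename=
    parameter. Simplified stand-in for a continuation-unaware parser, not
    Exim's code: it never notices filename*0, filename*1, ... sections."""
    m = re.search(r'(?:^|;)\s*filename\s*=\s*"?([^";\r\n]+)"?',
                  disposition, re.IGNORECASE)
    return m.group(1).strip() if m else None


def rfc2231_filename(raw_message: str):
    """Filename after RFC 2231 sections are reassembled and decoded.
    email.message.Message.get_filename() joins filename*N / filename*N*
    sections in numeric order and applies the charset given in section 0."""
    return email.message_from_string(raw_message).get_filename()


def extension_of(name) -> str:
    """Lower-cased extension, or "" when there is no name or no dot."""
    if not name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def is_blocked(name) -> bool:
    """Extension check of the kind an Exim acl_smtp_mime rule performs on
    $mime_filename: a missing or extension-less name is allowed through,
    which is exactly what a parser that drops the filename hands it."""
    return extension_of(name) in BLOCKED_EXTENSIONS


def evaluate(disposition: str) -> dict:
    """Run both parsers over one header and report what each would block."""
    naive = naive_filename(disposition)
    full = rfc2231_filename(build_message(disposition))
    return {
        "naive_name": naive,
        "naive_blocked": is_blocked(naive),
        "rfc2231_name": full,
        "rfc2231_blocked": is_blocked(full),
    }


if __name__ == "__main__":
    for label, disposition in SAMPLES.items():
        r = evaluate(disposition)
        print(f"{label:13s} naive={r['naive_name']!r:14} blocked={r['naive_blocked']!s:5} "
              f"rfc2231={r['rfc2231_name']!r:14} blocked={r['rfc2231_blocked']}")
```

Running the block shows the plain header blocked by both parsers, while the two continuation forms sail past the naive check (it sees no filename at all) and are blocked only once the sections are joined back into report.exe. The practical lesson for anyone writing or auditing an attachment filter is that the extension test must run on the fully decoded filename, after RFC 2231 continuation and charset handling, and that an absent filename should be treated as suspicious rather than as "nothing to check".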

A proof of concept is available, but no active exploitation is known to date. Censys reports that as of July 10, 2024, 1,567,109 publicly exposed Exim servers are running a potentially vulnerable version (4.97.1 or earlier; the fix shipped in Exim 4.98), most of them in the United States, Russia, and Canada. The flaw only affects a recipient who opens the malicious attachment, but it lets attackers defeat file-extension checks that would normally keep dangerous files such as executables out of their targets' mailboxes.

Administrators who cannot upgrade Exim immediately are encouraged to restrict access to their servers from the Internet to reduce exposure to exploitation attempts. Since an MTA has to accept inbound SMTP to do its job, in practice that means limiting which hosts may deliver to it (for example, fronting it with a filtering gateway) rather than closing port 25 outright. Exim servers, like other MTAs, are frequently targeted because they are usually reachable from the Internet, making them potential entry points into a network. Exim is the default MTA on Debian Linux and, according to a recent mail server survey, the most widely used MTA software worldwide.

The survey found Exim on over 59% of the 409,255 mail servers it could reach on the Internet, roughly 241,000 instances. A Shodan search shows over 3.3 million Exim servers exposed online, most in the United States, followed by Russia and the Netherlands, and Censys counts 6,540,044 public-facing mail servers, about 74% (4,830,719) of them running Exim. The three figures come from different scanning methods and are not directly comparable, but they all point the same way: Exim dominates the exposed mail-server population.

The National Security Agency (NSA) disclosed in May 2020 that the Russian military hacking group Sandworm had been exploiting a critical Exim flaw (CVE-2019-10149, also known as The Return of the WIZard) since August 2019. More recently, in October 2023, Exim's developers patched three zero-days disclosed through Trend Micro's Zero Day Initiative (ZDI), one of which (CVE-2023-42115) exposed millions of Internet-facing Exim servers to pre-authentication remote code execution.
