Exim, the popular mail transfer agent, has addressed three of the six zero-day vulnerabilities that were revealed last week through Trend Micro's Zero Day Initiative (ZDI). One of these vulnerabilities, CVE-2023-42115, could potentially allow remote unauthenticated attackers to execute code due to an Out-of-bounds Write weakness in the SMTP service. This vulnerability was discovered by an anonymous security researcher.
The ZDI advisory stated, 'The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer.'
The Exim development team, in the changelog of version 4.96.1, stated, 'Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input.' The team also addressed a remote code execution bug (CVE-2023-42114) and an information disclosure vulnerability (CVE-2023-42116).
Heiko Schlittermann, an Exim developer, revealed on the Open Source Security (oss-sec) mailing list that these fixes were already 'available in a protected repository' and 'ready to be applied by the distribution maintainers.'
Although the ZDI team rated it 9.8/10, Exim clarified that successful exploitation of CVE-2023-42115 depends on the targeted server using external authentication. This drastically reduces the number of Exim mail servers that are actually at risk, even though 3.5 million Exim servers are exposed online according to Shodan.
watchTowr Labs, in their analysis of the vulnerabilities, agreed with Exim's assessment, stating that these zero-days 'require a very specific environment to be accessible.' They also provided a list of all configuration requirements on vulnerable Exim servers necessary for successful exploitation.
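The two conditions the article ties exploitability to, an `external` authenticator in the Exim configuration and a version older than the 4.96.1 fix, can be checked mechanically. The script below is an added example, not code from Exim, ZDI or watchTowr: it parses the `begin authenticators` section of an Exim runtime configuration (the configuration text is constructed here; on a real host the same text comes from `exim -bP config`, and the version from `exim -bV`) and compares the version against 4.96.1, the release whose changelog the article quotes. It covers only the external-authentication condition the article names, not the fuller list of configuration requirements watchTowr published.

```python
"""Check an Exim host for the two conditions the article links to
CVE-2023-42115: an `external` authenticator and a pre-4.96.1 version.
Added example; the configuration below is constructed, not taken
from any real server."""
import re
from typing import Dict, List, Tuple

# Release whose changelog carries the OOB-write fix (from the article).
FIXED_VERSION = (4, 96, 1)

SAMPLE_CONFIG = """\
# constructed Exim configuration fragment for demonstration only
primary_hostname = mail.example.test

begin authenticators

plain_login:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if eq{$auth2}{user}{yes}{no}}

ext_tls:
  driver = external
  public_name = EXTERNAL
  server_advertise_condition = ${if def:tls_in_cipher}

begin routers

dnslookup:
  driver = dnslookup
"""


def authenticator_drivers(config: str) -> Dict[str, str]:
    """Map each authenticator name to its driver, reading only the
    'begin authenticators' section of an Exim runtime configuration."""
    drivers: Dict[str, str] = {}
    in_section = False
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        section = re.match(r"begin\s+(\w+)", stripped)
        if section:
            in_section = section.group(1) == "authenticators"
            current = None
            continue
        if not in_section:
            continue
        # A driver instance starts with an unindented "name:" line.
        if not raw[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            drivers.setdefault(current, "")
            continue
        option = re.match(r"(\w+)\s*=\s*(.*)", stripped)
        if current and option and option.group(1) == "driver":
            drivers[current] = option.group(2).strip()
    return drivers


def external_authenticators(config: str) -> List[str]:
    """Names of authenticators whose driver is `external`."""
    return [name for name, drv in authenticator_drivers(config).items()
            if drv == "external"]


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.96.1' -> (4, 96, 1); a trailing suffix such as '-RC1' is dropped."""
    nums = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not nums:
        raise ValueError(f"unrecognised Exim version string: {version!r}")
    return tuple(int(p) for p in nums.group(1).split("."))


def is_patched(version: str) -> bool:
    """True for 4.96.1 or later; tuple comparison ranks 4.96 below 4.96.1."""
    return parse_version(version) >= FIXED_VERSION


def assess(config: str, version: str) -> Dict[str, object]:
    """Combine both conditions into one verdict for the host."""
    ext = external_authenticators(config)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "external_authenticators": ext,
        # Per the article, exposure needs both: external auth and no fix.
        "exposed": bool(ext) and not patched,
    }


if __name__ == "__main__":
    for ver in ("4.96", "4.96.1"):
        print(assess(SAMPLE_CONFIG, ver))
```

A server that reports `exposed: False` only because no `external` authenticator is configured still wants the update for the other two fixed bugs the article mentions; the verdict here narrows the urgency, not the need to patch.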
Aliz Hammond, a researcher at watchTowr, advised, 'Most of us don't need to worry. If you're one of the unlucky ones who uses one of the listed features though, you'll be keen to get more information before undertaking ZDI's advice to "restrict interaction with the application". So, our advice is the usual - patch when you can, once patches are available [..] But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe.'