Millions of Exim Mail Servers Vulnerable to Zero-Day RCE Attacks Due to Critical Flaw

September 29, 2023

A serious zero-day vulnerability has been identified in all versions of the Exim mail transfer agent (MTA) software, which could allow unauthorized individuals to execute remote code on servers that are exposed to the internet. This vulnerability was discovered by an anonymous security researcher and reported via Trend Micro's Zero Day Initiative (ZDI). The security flaw, identified as CVE-2023-42115, is an Out-of-bounds Write weakness that exists within the SMTP service.

The flaw can lead to software crashes or data corruption if exploited successfully, but it can also be used by attackers to execute code or commands on vulnerable servers. As explained in a ZDI security advisory published on Wednesday, "The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account."

ZDI alerted the Exim team to the vulnerability in June 2022 and again in May 2023, but the developers have yet to update on their progress in patching the flaw. Consequently, ZDI published an advisory on September 27, revealing the details of the CVE-2023-42115 zero-day along with a complete timeline of all communications with the Exim team.

MTA servers like Exim are particularly vulnerable targets, mainly because they are often accessible over the internet, thus providing attackers with easy entry points into a target's network. The National Security Agency (NSA) stated in May 2020 that the infamous Russian military hacking group, Sandworm, has been exploiting the critical CVE-2019-10149 Exim flaw since at least August 2019.

Exim is the default MTA on Debian Linux distributions and is the most popular MTA software worldwide, according to a mail server survey conducted in September 2023. The survey found that Exim is installed on over 56% of the total 602,000 mail servers accessible on the internet, which equates to just over 342,000 Exim servers. A Shodan search reveals that over 3.5 million Exim servers are currently exposed online, with most of them located in the United States, followed by Russia and Germany.

While a patch to secure vulnerable Exim servers against potential attacks is not yet available, ZDI has advised administrators to limit remote access from the internet as a preventative measure against possible exploitation attempts. In ZDI's words, "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application."

Latest News

• Exploit for Critical Microsoft SharePoint Server Vulnerability Released
• CISA Highlights Exploitation of Legacy JBoss RichFaces Vulnerability
• Over 2,000 Entities Hit by Cl0p Ransomware Group Exploiting MOVEit Vulnerability
• Progress Software Issues Critical Alert for WS_FTP Server Vulnerability
• Cisco Calls on Administrators to Address Zero-Day IOS Software Vulnerability