Indiscriminate, opportunistic targeting.
Exim is a popular open-source mail transfer agent (MTA) used to route and deliver email on Unix-like operating systems, including Linux. It accepts mail from clients and other servers, applies routing rules, and relays or delivers the messages. Exim is highly configurable, which makes it a common choice for running mail servers.
Several security vulnerabilities have been disclosed in the Exim MTA. The vulnerabilities listed below could allow malicious actors to compromise mail servers, access sensitive data, or disrupt email services:
- CVE-2023-42114 (CVSS score: 3.7) – Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
- CVE-2023-42115 (CVSS score: 9.8) – Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2023-42116 (CVSS score: 8.1) – Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2023-42117 (CVSS score: 8.1) – Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
- CVE-2023-42118 (CVSS score: 7.5) – Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
CVE-2023-42115 is the most severe of the set: an out-of-bounds write in the AUTH handling lets an unauthenticated remote attacker execute arbitrary code on affected installations of Exim.
ZDI describes the resulting code execution as running in the context of the Exim service account rather than as root outright. From that foothold an attacker can read or modify mail data, install additional tooling, alter mail-server settings and, combined with a local privilege escalation, take full control of the server.
Exim has released version 4.96.1, which contains fixes for CVE-2023-42114, CVE-2023-42115 and CVE-2023-42116; releases before 4.96.1 remain vulnerable to those three issues. Fixes for CVE-2023-42117 and CVE-2023-42118 were not included in that release.
Containment, Mitigations & Remediations
Apply the Exim security update promptly. Where a patch cannot be applied yet, follow the latest advisories and updates from Exim and relevant security organisations. According to ZDI, restricting interaction with the application is the only "salient" mitigation strategy. Exim's maintainers have noted that the patched issues are only reachable when the corresponding authenticator is in use: SPA/NTLM for CVE-2023-42114 and CVE-2023-42116, and the external authenticator for CVE-2023-42115. Disabling those authenticators where they are not needed, and confirming which are configured (for example with exim -bP authenticators), therefore reduces exposure while the upgrade is scheduled.
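As an added example that is not part of the original advisory or of the Exim project, the following shell script triages a host's Exim build from the text printed by `exim -bV`: it compares the reported version against 4.96.1 and checks whether the `spa` (CVE-2023-42114, CVE-2023-42116) or `external` (CVE-2023-42115) authenticator drivers are compiled in. The `-bV` text embedded in the script is a constructed sample; the assumed `-bV` layout (an `Exim version X.Y[.Z]` line and an `Authenticators:` line) matches Exim 4.9x builds but should be checked against your own output. Compiled-in is not the same as configured, so the report points to `exim -bP authenticators` for confirmation.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of the Exim project.
# Triage a host's Exim build against CVE-2023-42114/42115/42116 using the
# text printed by `exim -bV`. Assumes the Exim 4.9x -bV layout: a line
# "Exim version X.Y[.Z] #N built ..." and a line "Authenticators: ...".

# Constructed sample of `exim -bV` output so the script runs offline.
SAMPLE_BV='Exim version 4.96 #2 built 06-Feb-2023 10:11:12
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DKIM SPF
Authenticators: cram_md5 dovecot external plaintext spa
Configuration file is /etc/exim/exim.conf'

# First release carrying the fixes for the three patched CVEs.
FIXED_VERSION=4.96.1

# Print the "X.Y[.Z]" version string from -bV text on stdin.
exim_version_from_bv() {
    awk '/^Exim version/ { print $3; exit }'
}

# Print the compiled-in authenticator drivers from -bV text, one per line.
exim_auths_from_bv() {
    awk '/^Authenticators:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Convert "X.Y[.Z]" to one integer so versions compare numerically
# (4.96 -> 4096000, 4.96.1 -> 4096001). Returns 1 on anything unparsable.
version_key() {
    v=$1
    case "$v" in
        '' | *[!0-9.]*) return 1 ;;
    esac
    maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    [ -n "$min" ] || min=0
    [ -n "$pat" ] || pat=0
    echo $((maj * 1000000 + min * 1000 + pat))
}

# Exit 0 if version "$1" predates FIXED_VERSION, 1 if not, 2 if unparsable.
version_is_vulnerable() {
    k=$(version_key "$1") || return 2
    [ "$k" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Read -bV text on stdin and print one finding per CVE.
# Exit 1 if any CVE is reachable, 2 if no version could be read, else 0.
exim_triage() {
    bv=$(cat)
    ver=$(printf '%s\n' "$bv" | exim_version_from_bv)
    auths=$(printf '%s\n' "$bv" | exim_auths_from_bv)
    vstat=0
    version_is_vulnerable "$ver" || vstat=$?
    if [ "$vstat" -eq 2 ]; then
        echo "could not parse an Exim version from -bV output (got '$ver')"
        return 2
    fi
    exposed=0
    # CVE -> authenticator driver whose presence makes the bug reachable.
    for pair in CVE-2023-42114:spa CVE-2023-42115:external CVE-2023-42116:spa; do
        cve=${pair%%:*}; drv=${pair##*:}
        if [ "$vstat" -ne 0 ]; then
            echo "$cve: fixed (Exim $ver >= $FIXED_VERSION)"
        elif printf '%s\n' "$auths" | grep -qx "$drv"; then
            echo "$cve: EXPOSED (Exim $ver < $FIXED_VERSION, '$drv' authenticator compiled in;" \
                 "confirm it is configured with: exim -bP authenticators)"
            exposed=1
        else
            echo "$cve: not reachable ('$drv' not compiled in), but Exim $ver still needs upgrading"
        fi
    done
    return $exposed
}

# On a real host: exim -bV | sh exim_triage.sh --stdin
# Without --stdin the constructed sample is used for demonstration.
case "${1:-}" in
    --stdin) exim_triage ;;
    *) printf '%s\n' "$SAMPLE_BV" | exim_triage || true ;;
esac
```

Run with `--stdin` and pipe in real `exim -bV` output; the exit status is 1 when at least one CVE is reachable, which makes the script usable from a fleet-wide check. A version that is old but lacks the relevant authenticator driver is reported as not reachable yet still in need of upgrading, since CVE-2023-42117 and CVE-2023-42118 are not covered by this check.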
Indicators of Compromise
No specific Indicators of Compromise (IoC) are available currently.
Exim runs on a large share of Internet-facing mail servers. Given that threat actors generally weigh the likelihood of success against asset value when choosing what to attack, a widely deployed, externally reachable service such as Exim is a prime target. Because Exim mail servers carry both personal and business correspondence, threat actors will continue to probe for and exploit security flaws in them.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution