Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution.
The list of bugs, which were reported anonymously back in June 2022, is as follows:
- CVE-2023-42114 (CVSS Score: 3.7) – Exim NTLM Challenge Out-of-Bounds Read Information Disclosure Vulnerability
- CVE-2023-42115 (CVSS Score: 9.8) – Exim AUTH Out-of-Bounds Write Remote Code Execution Vulnerability
- CVE-2023-42116 (CVSS Score: 8.1) – Exim SMTP Challenge Stack-Based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2023-42117 (CVSS Score: 8.1) – Improper Neutralization of Exim Special Elements Remote Code Execution Vulnerability
- CVE-2023-42118 (CVSS Score: 7.5) – Exim libspf2 Integer Overflow Remote Code Execution Vulnerability
- CVE-2023-42119 (CVSS Score: 3.1) – Exim dnsdb Out-of-Bounds Read Information Disclosure Vulnerability
The most serious of the vulnerabilities is CVE-2023-42115, which allows unauthenticated remote attackers to execute arbitrary code on affected installations of Exim.
“The specific flaw exists within the SMTP service, which listens on TCP port 25 by default,” the Zero Day Initiative said in an alert published this week.
“The issue is due to a lack of proper validation of user-supplied data, which can result in a write beyond the end of the buffer. An attacker can exploit this vulnerability to execute code in the context of the service account.”
Exim maintainers, in a message shared on the Open Source Security oss-security mailing list, said that fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are “available in a protected repository and are ready to be applied by distribution maintainers.”
The remaining issues, the maintainers said, are “either debatable or missing information we need to fix them,” adding that they had asked ZDI for more details about the issues and “did not get answers that we could work with” until May 2023. The Exim team also said it is awaiting specific details on the other three deficiencies.
However, ZDI rejected the claims of “careless handling” and of “neither team pinging the other for 10 months,” stating that it had contacted the developers several times.
“After our disclosure schedule was exceeded by many months, we notified the responsible party of our intention to publicly disclose these errors, at which point we were told, ‘do what you do,’” ZDI said.
“If these bugs have been adequately fixed, we will update our advisories with a link to the security advisory, code check, or other public documentation that closes the issue.”
In the absence of patches, the ZDI recommends restricting interaction with the application as the only “notable” mitigation strategy.
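Before deciding how to restrict interaction with an Exim server, a practitioner will want to know whether the service on TCP port 25 advertises SMTP AUTH at all, since the three most serious bugs above are reached through the AUTH exchange. The following is an added example written for this page, not code from the article, ZDI or the Exim project: it parses a constructed EHLO reply (the hostnames, addresses and advertised mechanisms are made up for illustration) and can optionally run the same EHLO probe against a live host. The list of mechanisms it returns is only an exposure indicator; whether a given mechanism is affected must be checked against the vendor advisory for each CVE.

```python
"""Enumerate the AUTH mechanisms an SMTP server advertises in its EHLO reply."""
import socket

# Constructed sample EHLO reply for offline use; not captured from any real host.
SAMPLE_EHLO_RESPONSE = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN NTLM\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: [parameters]}.

    The first 250 line is the server's greeting (domain plus free text) rather
    than an extension keyword, so it is skipped. Intermediate lines use
    '250-', the final line uses '250 '; both are handled by slicing off the
    first four characters.
    """
    extensions = {}
    greeting_seen = False
    for line in response.splitlines():
        if len(line) < 4 or not line.startswith("250"):
            continue
        if not greeting_seen:
            greeting_seen = True
            continue
        parts = line[4:].split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return extensions


def advertised_auth(response: str) -> list:
    """Return the SASL mechanisms offered via the AUTH extension (empty if none)."""
    return parse_ehlo(response).get("AUTH", [])


def exposure_summary(response: str) -> dict:
    """Summarise what an unauthenticated client can reach before any credentials."""
    ext = parse_ehlo(response)
    mechs = ext.get("AUTH", [])
    return {
        "auth_offered": bool(mechs),
        "mechanisms": mechs,
        "starttls": "STARTTLS" in ext,
    }


def probe_ehlo(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to a live server, send EHLO and return the raw multi-line reply.

    Network use is deliberate here; only call this against hosts you are
    authorised to test. 'probe.invalid' is a placeholder client name.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        reader.readline()  # 220 banner
        sock.sendall(b"EHLO probe.invalid\r\n")
        lines = []
        while True:
            line = reader.readline().decode("ascii", errors="replace")
            if not line:
                break
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break  # '250 ' (space) marks the last line of the reply
        sock.sendall(b"QUIT\r\n")
    return "".join(lines)


if __name__ == "__main__":
    import sys
    reply = probe_ehlo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EHLO_RESPONSE
    print(exposure_summary(reply))
```

Run it with no arguments to see the parser work on the constructed reply, or with a hostname to probe a server you own. If AUTH is not advertised on the public interface, the exposure to the AUTH-path bugs is correspondingly smaller; if it is, the advertised mechanisms tell you what to cross-reference against the advisories.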
This is not the first time security flaws have been discovered in the widely used mail transfer agent. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively tracked as 21Nails that allow unauthenticated attackers to achieve full remote code execution and gain root privileges.
Previously, in May 2020, the US government reported that hackers affiliated with Sandworm, a state-sponsored Russian group, had been exploiting a critical Exim vulnerability (CVE-2019-10149, CVSS score: 9.8) to penetrate sensitive networks.
The development also comes on the heels of a new study by researchers at the University of California, San Diego that discovered a novel technique called forward-based spoofing, which takes advantage of weaknesses in email forwarding to send messages posing as legitimate entities, thus compromising integrity.
“The original protocol used to check the authenticity of an email implicitly assumes that each organization operates its own email infrastructure, with specific IP addresses not used by other domains,” the research found.
“But today, many organizations outsource their email infrastructure to Gmail and Outlook. As a result, thousands of domains have delegated the right to send email on their behalf to the same third party. While these third-party providers validate that their users only send email on behalf of the domains they operate, this protection can be bypassed by email forwarding.”
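The weakness the researchers describe is easiest to see by running an SPF-style check on both sides of a forwarding hop. The following is an added example written for this page, not code from the paper or from any mail provider: it models a few hypothetical domains (victim.example, attacker.example, and a shared provider mailhost.example with made-up address blocks) as simplified SPF records, then evaluates the same spoofed message once when sent directly and once after being relayed through an account at the shared provider. The forwarding model is an assumption of the example: the relay preserves the original envelope sender and From: header (no sender rewriting) and only changes the connecting IP to the provider's.

```python
"""Toy SPF evaluation showing how forwarding through a shared provider can
turn a failing spoof into a passing one. All domains and addresses are
constructed for illustration."""
import ipaddress

# Simplified SPF data: each domain lists its own ip4 networks plus the
# domains it includes. victim.example has outsourced mail to mailhost.example,
# the same provider where the attacker can open an ordinary account.
SPF_RECORDS = {
    "victim.example":   {"ip4": ["198.51.100.0/24"], "include": ["mailhost.example"]},
    "attacker.example": {"ip4": ["192.0.2.0/24"],    "include": []},
    "mailhost.example": {"ip4": ["203.0.113.0/24"],  "include": []},
}


def spf_check(domain: str, client_ip: str, _depth: int = 0) -> str:
    """Return 'pass', 'fail' or 'none' for client_ip sending as domain.

    Only ip4 and include mechanisms are modelled; include is resolved
    recursively with a depth cap in place of the real 10-lookup limit.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or _depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in record["ip4"]):
        return "pass"
    if any(spf_check(inc, client_ip, _depth + 1) == "pass" for inc in record["include"]):
        return "pass"
    return "fail"


def receiver_spf_result(msg: dict) -> str:
    """What the final receiver checks: envelope (MAIL FROM) domain vs. connecting IP."""
    envelope_domain = msg["mail_from"].rsplit("@", 1)[1]
    return spf_check(envelope_domain, msg["client_ip"])


def forward_via_provider(msg: dict, provider_ip: str) -> dict:
    """Model a plain auto-forward (no sender rewriting), as assumed for this example.

    The provider accepted the message into one of its own users' mailboxes and
    relays it onward unchanged; the receiver now sees the provider's IP.
    """
    relayed = dict(msg)
    relayed["client_ip"] = provider_ip
    relayed["hops"] = msg.get("hops", []) + ["mailhost.example"]
    return relayed


def demo() -> tuple:
    """Same spoofed message, direct versus relayed. Returns (direct, relayed)."""
    spoof = {
        "mail_from": "ceo@victim.example",      # forged envelope sender
        "from_header": "ceo@victim.example",    # forged header From:
        "client_ip": "192.0.2.5",               # attacker's own host
    }
    direct = receiver_spf_result(spoof)
    relayed = receiver_spf_result(forward_via_provider(spoof, "203.0.113.7"))
    return direct, relayed


if __name__ == "__main__":
    print("direct spoof:", demo()[0], "| relayed via shared provider:", demo()[1])
```

The direct attempt fails because the attacker's address is in nobody's SPF record for victim.example, while the relayed copy passes because victim.example's include of the shared provider covers every message that provider sends, including one it is merely forwarding for an unrelated customer. Providers that rewrite the envelope sender on forwarding (SRS) change what this particular check sees, but the forged From: header survives either way, which is why the paper frames the problem as a weakness of forwarding rather than of any one domain's record.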