Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution.
The list of flaws, which were reported anonymously way back in June 2022, is as follows -
- CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
- CVE-2023-42115 (CVSS score: 9.8) - Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
- CVE-2023-42116 (CVSS score: 8.1) - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
- CVE-2023-42117 (CVSS score: 8.1) - Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
- CVE-2023-42118 (CVSS score: 7.5) - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
- CVE-2023-42119 (CVSS score: 3.1) - Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
The most severe of the vulnerabilities is CVE-2023-42115, which allows remote, unauthenticated attackers to execute arbitrary code on affected installations of Exim.
"The specific flaw exists within the SMTP service, which listens on TCP port 25 by default," the Zero Day Initiative said in an alert published this week.
"The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account."
Exim maintainers, in a message shared on the Open Source Security mailing list oss-security, said fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are "available in a protected repository and are ready to be applied by the distribution maintainers."
"The remaining issues are debatable or miss information we need to fix them," the maintainers added, saying they had asked ZDI for more specifics about the issues and "didn't get answers we were able to work with" until May 2023. The Exim team further said it is awaiting detailed specifics on the other three shortcomings.
However, the ZDI pushed back against claims about "sloppy handling" and "neither team pinging the other for 10 months," stating it reached out several times to the developers.
"After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, 'you do what you do,'" it said.
"If these bugs have been appropriately addressed, we will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue."
In the absence of patches, the ZDI recommends restricting interaction with the application as the only "salient" mitigation strategy.
This is not the first time security flaws have been uncovered in the widely used mail transfer agent. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively tracked as 21Nails that enable unauthenticated attackers to achieve complete remote code execution and gain root privileges.
Previously in May 2020, the U.S. government reported that hackers affiliated with Sandworm, a state-sponsored group from Russia, had been exploiting a critical Exim vulnerability (CVE-2019-10149, CVSS score: 9.8) to penetrate sensitive networks.
The development also comes hot on the heels of a new study by researchers from the University of California San Diego that discovered a novel technique called forwarding-based spoofing, which takes advantage of weaknesses in email forwarding to send messages impersonating legitimate entities, thereby compromising message integrity.
"The original protocol used to check the authenticity of an email implicitly assumes that each organization operates its own mailing infrastructure, with specific IP addresses not used by other domains," the research found.
"But today, many organizations outsource their email infrastructure to Gmail and Outlook. As a result, thousands of domains have delegated the right to send email on their behalf to the same third party. While these third-party providers validate that their users only send email on behalf of domains that they operate, this protection can be bypassed by email forwarding."