21Nails - 21 New Vulnerabilities Disclosed Affecting Exim MTA

Description

FortiGuard Labs is aware of recently disclosed vulnerabilities in the Exim MTA (Mail Transfer Agent). Security researchers at Qualys disclosed 21 vulnerabilities affecting Exim. Exim MTA is one of the most widely used mail transfer agents online, with an estimated 60% of internet servers using Exim. The vulnerabilities are collectively known as "21Nails" and include a mix of authenticated/unauthenticated, local/remote and privilege escalation vulnerabilities. Attackers can leverage these vulnerabilities to gain root access to the targeted server.


What are the Vulnerabilities?

There are 21 vulnerabilities. 11 are local vulnerabilities and 10 are remote.


They are:


Local vulnerabilities

CVE-2020-28007: Link attack in Exim's log directory

CVE-2020-28008: Assorted attacks in Exim's spool directory

CVE-2020-28014: Arbitrary file creation and clobbering

CVE-2021-27216: Arbitrary file deletion

CVE-2020-28011: Heap buffer overflow in queue_run()

CVE-2020-28010: Heap out-of-bounds write in main()

CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()

CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

CVE-2020-28015: New-line injection into spool header file (local)

CVE-2020-28012: Missing close-on-exec flag for privileged pipe

CVE-2020-28009: Integer overflow in get_stdinput()


Remote vulnerabilities

CVE-2020-28017: Integer overflow in receive_add_recipient()

CVE-2020-28020: Integer overflow in receive_msg()

CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()

CVE-2020-28021: New-line injection into spool header file (remote)

CVE-2020-28022: Heap out-of-bounds read and write in extract_option()

CVE-2020-28026: Line truncation and injection in spool_read_header()

CVE-2020-28019: Failure to reset function pointer after BDAT error

CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

CVE-2020-28018: Use-after-free in tls-openssl.c

CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()


What Operating Systems are Affected?

Exim versions older than 4.94.2 are affected.

All Linux systems running Exim installations older than 4.94.2 are affected. Regarding Linux machines, it is recommended that administrators visit their respective Linux vendor homepage for further guidance, as some Linux vendors will backport security updates to older versions. Some Linux vendors may simply apply the fixes to older versions of the software without the need for a full upgrade.
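As an added example (not part of this advisory), the following Python script parses the version line printed by `exim -bV` and flags any release older than 4.94.2. The sample output is constructed, and the `exim` binary name and PATH lookup are assumptions; because vendors may backport the fixes without changing the upstream version number, a "affected" result still needs to be confirmed against the vendor package changelog.

```python
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (4, 94, 2)  # first release without the 21Nails issues, per the advisory

# Constructed sample of what `exim -bV` prints on its first lines; the
# build number after '#' and the build date vary per installation.
SAMPLE_OUTPUT = ("Exim version 4.93 #3 built 12-Sep-2020 10:00:00\n"
                 "Copyright (c) University of Cambridge, 1995 - 2018\n")

_VERSION_RE = re.compile(r"Exim version (\d+(?:\.\d+)*)")


def parse_exim_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the Exim release number from `exim -bV` output as an int tuple.
    A distro suffix such as '-7' is ignored; returns None if no version line is found."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True if the release predates 4.94.2. Tuples compare element-wise, so
    4.94 (== (4, 94)) sorts before (4, 94, 2) and 4.95 (== (4, 95)) after it."""
    return version < FIXED_VERSION


def assess(output: str) -> str:
    """Turn raw `exim -bV` output into a one-line verdict."""
    version = parse_exim_version(output)
    if version is None:
        return "unknown: could not find an 'Exim version' line"
    label = ".".join(map(str, version))
    if is_affected(version):
        # Caveat: vendors may backport the fixes without bumping the upstream
        # version; check the package changelog before treating this as final.
        return f"{label}: affected by 21Nails unless the vendor backported fixes"
    return f"{label}: not affected (>= 4.94.2)"


def assess_local_exim() -> str:
    """Run the installed binary; assumes 'exim' is on PATH (Debian names it exim4)."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown: exim binary not found on PATH"
    return assess(proc.stdout)


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))   # 4.93: affected by 21Nails unless the vendor backported fixes
    print(assess_local_exim())
```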


Has the Vendor Issued a Patch?

Yes. It is recommended that organizations running the affected software update to the latest version (4.94.2) immediately.


How Serious is this Threat?

HIGH. Many MTA servers are internet facing and are an attractive vector for threat actors. Also, because there are 11 remote vulnerabilities that are both authenticated and unauthenticated, these can be chained together to gain root access to the server.


What are the CVSS assignments?

There are none at this time.


What Else is Possibly Affected?

Cloud services, hypervisors (VMware, VirtualBox, etc.) and standalone enterprise systems running Linux with affected versions of Exim are vulnerable to this latest disclosure.


Were There Observed, Active in the Wild Attacks?

No. According to the vendor, all vulnerabilities were responsibly disclosed and there has been no observed in-the-wild exploitation.


Is this Related to Prior Sandworm Activity (Russia)?

No. However, these vulnerabilities are similar in scope. CVE-2019-10149, disclosed by Qualys on June 5, 2019, is a vulnerability that could lead to remote command execution/injection on an affected server. The vulnerability exists in Exim's mail transport agent (MTA) in versions 4.87 to 4.91. To successfully exploit a system, an attacker sends the targeted server a specially crafted malicious email that, when processed, gives the attacker root access to the machine.


What is the Status of Coverage?

IPS coverage is under analysis and this post will be updated with relevant information once it becomes available.


Any Other Suggested Mitigation?

FortiGuard Labs recommends that, if upgrading to the latest version (4.94.2) is not feasible, organizations apply the latest updates for the affected software from their vendors as soon as possible.


Also, for cloud services that are not managed, an organization will need to consider either upgrading or, where possible, blocking external remote connections to the affected mail server(s) until an upgrade to the latest version is performed.