Threat Signal Report

21Nails - 21 New Vulnerabilities Disclosed Affecting Exim MTA


FortiGuard Labs is aware of recently disclosed vulnerabilities in the Exim MTA (Mail Transfer Agent). Disclosed by security researchers at Qualys, 21 vulnerabilities were discovered affecting Exim. Exim MTA is one of the most widely used mail transfer agents online, with an estimated 60% of internet servers using Exim. The vulnerabilities are collectively known as "21Nails" and contain a variety of authenticated/unauthenticated, local/remote and privilege escalation vulnerabilities. Attackers can leverage these vulnerabilities to gain root access to the targeted server.

What are the Vulnerabiilities?

There are 21 vulnerabilities. 11 are local vulnerabilities and 10 are remote.

They are:

Local vulnerabilities

CVE-2020-28007: Link attack in Exim's log directory

CVE-2020-28008: Assorted attacks in Exim's spool directory

CVE-2020-28014: Arbitrary file creation and clobbering

CVE-2021-27216: Arbitrary file deletion

CVE-2020-28011: Heap buffer overflow in queue_run()

CVE-2020-28010: Heap out-of-bounds write in main()

CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()

CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

CVE-2020-28015: New-line injection into spool header file (local)

CVE-2020-28012: Missing close-on-exec flag for privileged pipe

CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities

CVE-2020-28017: Integer overflow in receive_add_recipient()

CVE-2020-28020: Integer overflow in receive_msg()

CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()

CVE-2020-28021: New-line injection into spool header file (remote)

CVE-2020-28022: Heap out-of-bounds read and write in extract_option()

CVE-2020-28026: Line truncation and injection in spool_read_header()

CVE-2020-28019: Failure to reset function pointer after BDAT error

CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

CVE-2020-28018: Use-after-free in tls-openssl.c

CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

What Operating Systems are Affected?

Exim versions older than versions 4.94.2 are affected.

All Linux systems running Exim installations older than 4.94.2 are affected. Regarding Linux machines, it is recommended that administrators visit their respective Linux vendor homepage for further guidance, as some Linux vendor will backport security updates to older versions. Some Linus vendors may just apply updates in older versions of the software without the need for a full upgrade.

Has the Vendor Issued a Patch?

Yes. It is recommended that organizations running the affected software update to the latest version (4.94.2) immediately.

How Serious is this Threat?

HIGH. Many MTA servers are internet facing and are an attractive vector for threat actors. Also, because there are 11 remote vulnerabilities that are both authenticated and unauthenticated, these can be chained together to gain root access to the server.

What are the CVSS assignments?

There are none at this time.

What Else is Possibly Affected?

Cloud services, hypervisors (VMware, VirtualBox,etc.), and standalone enterprise systems, etc. using Linux along with affected versions of Exim are vulnerable to this latest disclosure.

Were There Observed, Active in the Wild Attacks?

No. According to the vendor all vulnerabilities have been responsibly disclosed and there have been no observed in the wild exploitation.

Is this Related to Prior Sandworm Activity (Russia)?

No. However, these vulnerabilities are similar in scope. CVE-2019-10149, disclosed by Qualys on June 5, 2019 is a vulnerability that could lead to remote command execution/injection of an affected server. The vulnerability exists in Exim's mail transport agent (MTA) in versions 4.87 to 4.91. To successfully exploit a system, an attacker will send the targeted server a specially crafted malicious email that when run will allow the attacker root access to the machine.

What is the Status of Coverage?

IPS coverage is under analysis and this post will be updated with relevant information once it becomes available.

Any Other Suggested Mitigation?

FortiGuard Labs recommends that organizations apply the latest updates for affected software from vendors affected by this latest disclosure as soon as possible; if upgrading to the latest version (4.94.2) is not feasible.

Also, for cloud services that are not managed, an organization will need to consider either upgrading or disallowing remote connections externally to affected mail server(s) if possible, until an upgrade to the latest version is performed.


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.