Exim Mail Servers Vulnerable to Zero-Day Attacks for Over a Year – A Major Security Concern

Exim's unpatched vulnerability could expose over a million servers to attacks.

A critical flaw in Exim’s mail transfer agent (MTA) software has been discovered, and shockingly, it remained unpatched for more than a year, potentially leaving over a million servers exposed to attack.

This security concern came to light thanks to the diligent efforts of researchers from Trend Micro’s Zero Day Initiative. They were alerted to the issue in June of the previous year by an anonymous researcher who had identified an out-of-bounds write weakness within the SMTP service, as reported by BleepingComputer.

Exim, an MTA that runs in the background on email servers, could become a conduit for hackers to execute malware on susceptible endpoints, a significant concern for server administrators.

The vulnerability in question is officially documented as CVE-2023-42115. It can not only crash the software and corrupt critical data but, more alarmingly, allow malicious code to run on exposed servers.

Curiously, Exim was first notified about this vulnerability in June 2022, and a follow-up notification was sent in May 2023. Unfortunately, these alerts did not yield the anticipated response from Exim in the form of a patch. Consequently, Trend Micro’s Zero Day Initiative has taken the unusual step of publicly disclosing the flaw, accompanied by a detailed account of their correspondence with Exim over the course of several months.

According to BleepingComputer, MTA servers like Exim have long been a favored target for hackers due to their remote accessibility, serving as a potential gateway to infiltrate wider corporate networks. Exim, notably labeled as the “world’s most popular MTA software,” is installed on a staggering 56% of internet-connected mail servers, translating to approximately 342,000 servers. Its widespread usage is partly attributable to its inclusion in popular Linux distributions like Debian and Red Hat.

This isn’t the first time Exim has faced security concerns. Three years ago, the NSA issued a warning about the exploitation of an Exim vulnerability by Sandworm, a Russian state-sponsored threat actor. The NSA cautioned that this exploit allowed privileged user additions, network security settings manipulation, and the execution of additional scripts for further network exploitation, effectively granting attackers significant control over unpatched Exim MTA installations.

The pressing concern now is to promptly address this vulnerability to prevent potential exploitation by malicious actors. Server administrators are strongly encouraged to take necessary precautions to secure their Exim installations and monitor official security updates closely.

It’s essential to stay vigilant against emerging threats and promptly apply security patches when available to protect the integrity of email server infrastructure.