A series of critical vulnerabilities was recently disclosed in the popular internet mail transfer agent Exim. The vulnerabilities, collectively named 21Nails, were brought to light by researchers at Qualys. The advisory covers 21 vulnerabilities, some of which can be used to gain elevated privileges on affected systems or to achieve remote code execution.
Exim is a free mail transfer agent for UNIX-like operating systems. At the time of writing, surveys report that it runs on more than half of the world’s internet-facing mail servers.
Vulnerability Details
Of the 21 security bugs, 11 are locally exploitable and 10 can be exploited remotely. The table below summarises them.
CVE | Summary | Type |
---|---|---|
CVE-2020-28007 | Link attack in Exim’s log directory | Local |
CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
CVE-2021-27216 | Arbitrary file deletion | Local |
CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
CVE-2020-28015 | New-line injection into spool header file (local) | Local |
CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |
While the researchers stated that they did not attempt to exploit all of the vulnerabilities, they did exploit 4 local privilege escalation flaws and 3 remote code execution flaws. They have also published proofs of concept for 11 of the flaws.
Impact
An unauthenticated remote attacker can obtain full root privileges on a vulnerable server. Several of the vulnerabilities can also be chained with others to achieve remote code execution. About 4 million Exim servers are estimated to be exposed to the internet.
Affected Products
All versions of Exim before 4.94.2 are reported to be vulnerable.
Solution
The vendor has released security updates addressing these issues in Exim version 4.94.2.
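The quickest triage on a host or in an asset inventory is to compare the running Exim version against the fixed release. The following POSIX shell snippet is an added example, not code from the original advisory, from Qualys or from the Exim project: it pulls the version out of the first line of `exim -bV` output (or out of an SMTP greeting banner) and compares it field by field against 4.94.2. The sample lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original advisory, Qualys or Exim): flag an
# Exim version string as older than the 21Nails fix release, 4.94.2.

FIXED_VERSION="4.94.2"   # first upstream release with all 21 fixes

# Extract "X.Y[.Z]" from a line such as
#   "Exim version 4.94.2 #2 built 08-May-2021 14:07:33"   (exim -bV)
#   "220 mx.example.test ESMTP Exim 4.92 Mon, ..."         (SMTP banner)
# Prints the version, or nothing if the line does not mention Exim.
exim_version_from_line() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Exim[ a-z]*\([0-9][0-9.]*[0-9]\).*/\1/p' \
        | head -n 1
}

# Compare two dotted versions numerically, field by field; a missing
# trailing field counts as 0, so "4.94" < "4.94.2". Prints -1, 0 or 1.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) { print "-1"; exit }
            if (ai > bi) { print "1";  exit }
        }
        print "0"
    }'
}

# True (exit 0) when the given Exim version predates the fixed release.
exim_version_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Classify one line of `exim -bV` output or one SMTP banner.
# Prints "<version> vulnerable", "<version> fixed" or "unknown".
classify_exim_line() {
    v=$(exim_version_from_line "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif exim_version_vulnerable "$v"; then
        echo "$v vulnerable"
    else
        echo "$v fixed"
    fi
}

# Constructed sample inputs (not real hosts). On a live host, feed it
#   exim -bV 2>/dev/null | head -n 1
for line in \
    "Exim version 4.92 #3 built 08-Jun-2019 12:00:00" \
    "Exim version 4.94.2 #2 built 08-May-2021 14:07:33" \
    "220 mx.example.test ESMTP Exim 4.94 Mon, 03 May 2021 10:00:00 +0000" \
    "220 mx.example.test ESMTP Postfix"
do
    printf '%-72s -> %s\n' "$line" "$(classify_exim_line "$line")"
done
```

One caveat before acting on the result: distributions such as Debian and Ubuntu backport security fixes into their packaged Exim without bumping the upstream version number, so a host reporting 4.94 or 4.92 may already carry the 21Nails patches. Treat a "vulnerable" verdict from a version-only check as a lead to confirm against the package changelog and the distribution's own advisory, not as proof of exposure.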
SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Use SanerNow to keep your systems updated and secure.