CVE-2023-42115: Critical Exim Bug Exposes Email Servers to Remote Attacks
In the constantly shifting sands of the digital realm, Exim stands tall as a veritable giant. As an open-source mail transfer agent (MTA) written for Unix-like operating systems such as Linux, Mac OS X, and Solaris, it’s no exaggeration to say that Exim is the lifeline of the Internet’s email communications, powering nearly 60% of the web’s email servers. This colossal duty involves routing, delivering, and receiving countless email messages every day.
However, recently discovered security vulnerabilities in Exim could allow attackers to compromise Exim servers and gain access to sensitive data, including email messages. The six most significant of them are CVE-2023-42119, CVE-2023-42118, CVE-2023-42117, CVE-2023-42116, CVE-2023-42115, and CVE-2023-42114.
CVE-2023-42119 (ZDI-23-1473): Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
With a CVSS score of 3.1, this vulnerability might seem innocuous, but looks can be deceiving. It grants network-adjacent malefactors the potential to unveil sensitive information on Exim installations. The flaw, located in the smtp service that listens on TCP port 25, stems from inadequate validation of user-provided data, allowing reads beyond the allocated buffer. Adversaries could chain this with other vulnerabilities to execute arbitrary code.
Mitigation: Use a trustworthy DNS resolver which is able to validate the data according to the DNS record types.
Fix: not yet
Remark: It is still under consideration.
CVE-2023-42118 (ZDI-23-1472): Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
Delving deeper, the CVE-2023-42118 vulnerability, scoring 7.5, offers a window for attackers to execute arbitrary code via Exim’s use of libspf2. Here, the crux of the problem lies in the parsing of SPF macros. Improper validation can induce an integer underflow, subsequently paving the way for unauthorized code execution.
Mitigation: Do not use the `spf` condition in your ACL
Remark: It is debatable if this should be filed against libspf2.
CVE-2023-42117 (ZDI-23-1471): Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
Elevating the stakes with a score of 8.1, this vulnerability serves as a harbinger of potential chaos. Once again, the smtp service is the focal point of the flaw. Inadequate validation of data received from a proxy-protocol proxy can lead to memory corruption, enabling remote adversaries to execute arbitrary code and compromise the affected process.
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Fix: not yet
CVE-2023-42116 (ZDI-23-1470): Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
Yet another alarming vulnerability, CVE-2023-42116, opens up avenues for malevolent entities to execute arbitrary code on Exim. This flaw, nestled within the handling of NTLM challenge requests, emerges from insufficient validation of the length of user-supplied data, leading to a stack-based buffer overflow.
Mitigation: Do not use SPA (NTLM) authentication
Fixed: e17b8b0f1, 4.96.1, 4.97
CVE-2023-42115 (ZDI-23-1469): Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
Touted with a towering CVSS score of 9.8, this vulnerability unveils a gateway for remote attackers to execute arbitrary code. The flaw, deeply embedded within the smtp service, originates from the subpar validation of user data, allowing writes past the end of an allocated buffer.
Mitigation: Do not offer EXTERNAL authentication.
Fixed: 7bb5bc2c6, 4.96.1, 4.97
CVE-2023-42114 (ZDI-23-1468): Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
With a score of 3.7, this vulnerability, though on the milder side, can’t be dismissed lightly. It enables malicious actors to disclose sensitive information. The crux of this flaw lies in the handling of NTLM challenge requests, which can read past the end of an allocated data structure.
Mitigation: Do not use SPA (NTLM) authentication
Fixed: 04107e98d, 4.96.1, 4.97
The vulnerabilities, painstakingly unearthed by an anonymous researcher through the Zero Day Initiative program, serve as a stern reminder of the incessant battle in the realm of cybersecurity. If you are using Exim, it is important to update to the fixed versions as soon as they are available, and to apply the mitigations listed above for the issues that are not yet fixed.
Update:
Exim developers have issued a security advisory for these flaws:
“None of these issues is related to transport security (TLS) being on or off.
* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use SPA/NTLM, or EXTERNAL authentication, you’re not affected. These issues are fixed.
* One issue is related to data received from a proxy-protocol proxy. If you do not use a proxy in front of Exim, you’re not affected. If your proxy is trustworthy, you’re not affected. We’re working on a fix.
* One is related to libspf2. If you do not use the `spf` lookup type or the `spf` ACL condition, you are not affected.
* The last one is related to DNS lookups. If you use a trustworthy resolver (which does validation of the data it receives), you’re not affected. We’re working on a fix.”
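Every mitigation listed for these CVEs, and every "you're not affected" clause in the developers' advisory, turns on whether a particular Exim feature is configured: the SPA/NTLM and EXTERNAL authenticators, the `spf` ACL condition or lookup, proxy-protocol support (`hosts_proxy`), and `dnsdb` lookups. The following Python script is an added example, not code from the Exim project or from this article: it scans an Exim configuration for those features and compares a version string against the fixed releases 4.96.1 and 4.97 named above. The sample configuration is constructed for the example, and the function names (`audit_exim_config`, `version_is_fixed`) are my own.

```python
"""Added example (not from Exim or this article): audit an Exim configuration
for the features that make the CVE-2023-42114..42119 issues reachable, and
compare a version string with the fixed releases 4.96.1 / 4.97 named above."""
import re
from typing import List, NamedTuple

# First release containing the fixes for CVE-2023-42114/42115/42116 (per the page).
FIXED_VERSION = (4, 96, 1)


class Finding(NamedTuple):
    cve: str
    feature: str
    lineno: int
    text: str


# Each entry maps a CVE to a regex matching the config line that enables the
# affected feature. These are line-based heuristics, not a full config parser.
RISKY_FEATURES = [
    ("CVE-2023-42116 / CVE-2023-42114", "SPA (NTLM) authenticator",
     re.compile(r"^\s*driver\s*=\s*spa\b")),
    ("CVE-2023-42115", "EXTERNAL authenticator",
     re.compile(r"^\s*driver\s*=\s*external\b")),
    ("CVE-2023-42118", "spf ACL condition or spf lookup",
     re.compile(r"(?:^|\s)spf(?:_guess)?\s*=|\blookup\b.*\bspf\b")),
    ("CVE-2023-42117", "proxy-protocol support (hosts_proxy)",
     re.compile(r"^\s*hosts_proxy\s*=")),
    ("CVE-2023-42119", "dnsdb lookup",
     re.compile(r"\blookup\s+dnsdb\b")),
]


def audit_exim_config(config_text: str) -> List[Finding]:
    """Return one Finding per config line that enables an affected feature.
    Comment lines are skipped; .include files and macros are not followed."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for cve, feature, pattern in RISKY_FEATURES:
            if pattern.search(line):
                findings.append(Finding(cve, feature, lineno, line.strip()))
    return findings


def parse_exim_version(version: str) -> tuple:
    """Turn '4.96', '4.96.1' or '4.97-RC2' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Exim version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_is_fixed(version: str) -> bool:
    """True if the version is at or beyond 4.96.1 (so 4.96.1, 4.96.2, 4.97, ...).
    Distribution packages may backport the fixes without bumping the version,
    so False means 'check your vendor advisory', not 'definitely vulnerable'."""
    return parse_exim_version(version) >= FIXED_VERSION


# Constructed sample configuration for this example; not from a real server.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
primary_hostname = mail.example.test
hosts_proxy = 10.0.0.5
dns_dnssec_ok = 1

begin acl
acl_check_rcpt:
  deny  spf = fail
        message = SPF check failed

begin authenticators
ntlm:
  driver = spa
  public_name = NTLM
"""

if __name__ == "__main__":
    for f in audit_exim_config(SAMPLE_CONFIG):
        print(f"line {f.lineno}: {f.feature} -> {f.cve}: {f.text}")
    for v in ("4.96", "4.96.1", "4.97"):
        print(v, "fixed" if version_is_fixed(v) else "not fixed (check vendor backports)")
```

On a real host, feed the script the output of `exim -bP config` (or the configuration file itself) and the version from `exim -bV`. The scan is deliberately conservative: it flags the feature being present at all, which is what the advisory's "if you do not use X, you're not affected" wording keys on, and it does not try to judge whether a configured proxy or resolver is trustworthy.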