Multiple Vulnerabilities in Exim Mail Transfer Agent

Published on 06 May 2021

Updated on 06 May 2021

Exim has released a security update to address 21 vulnerabilities. Proof-of-concept exploit code is publicly available for several of these vulnerabilities.

The vulnerabilities are as follows:

Vulnerabilities that are only locally exploitable:

  • CVE-2020-28007: Link attack in Exim's log directory
  • CVE-2020-28008: Assorted attacks in Exim's spool directory
  • CVE-2020-28014: Arbitrary process identifier (PID) file creation
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local) due to improper neutralisation of line delimiters
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe allowing arbitrary data to be sent to privileged Exim process running as root
  • CVE-2020-28009: Integer overflow in get_stdinput()

Vulnerabilities that are remotely exploitable:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote) due to improper neutralisation of line delimiters
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option() due to improper restriction of operations within the bounds of a memory buffer
  • CVE-2020-28026: Line truncation and injection in spool_read_header() due to improper neutralisation of line delimiters
  • CVE-2020-28019: Failure to reset function pointer after BDAT error due to improper initialisation
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free (UAF) in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Many of these vulnerabilities have been present since the Exim MTA software was first published in 2004. Some of them can be chained together to obtain full unauthenticated remote code execution and gain root privileges on the Exim server. Once exploitation succeeds, an attacker with root privileges can modify email settings, install programmes, create new email accounts on the compromised server, and so on.

Administrators of Exim MTA software are advised to upgrade to the latest product version (v4.94.2) immediately.
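As an added check (an example script written for this advisory, not Exim's or the advisory's own code), the following shell functions parse the version line of `exim -bV` and report whether the build is at or above the fixed release 4.94.2. The "Exim version X.Y.Z #N built ..." line format and the two sample outputs are assumed and constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the installed Exim version against the fixed release.
FIXED_VERSION="4.94.2"

# exim_version_from_bv BV_OUTPUT: print the dotted version found on the first
# "Exim version X.Y.Z ..." line of `exim -bV` output (line format assumed).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 when dotted version A >= B, comparing component by
# component and treating missing components as 0 (so 4.94 < 4.94.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 1;
            if (ai > bi) exit 0;
        }
        exit 0 }'
}

# exim_is_patched BV_OUTPUT: exit 0 if the reported build is at or above
# FIXED_VERSION, 1 if it is older, 2 if no version line could be parsed.
exim_is_patched() {
    v=$(exim_version_from_bv "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Constructed sample `exim -bV` output for an unpatched and a patched build.
OLD_BV='Exim version 4.92 #3 built 06-May-2019 10:33:48
Copyright (c) University of Cambridge, 1995 - 2018'
NEW_BV='Exim version 4.94.2 #2 built 04-May-2021 12:01:02
Copyright (c) University of Cambridge, 1995 - 2018'

# Live check when an exim binary is on PATH.
if command -v exim >/dev/null 2>&1; then
    if exim_is_patched "$(exim -bV 2>/dev/null)"; then
        echo "installed Exim is at or above $FIXED_VERSION"
    else
        echo "installed Exim is older than $FIXED_VERSION or unparseable: upgrade"
    fi
fi
```

Distribution packages may backport the fixes without changing the upstream version string, so on such systems confirm the fix through the package changelog as well.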

More information is available at:

http://exim.org/static/doc/security/CVE-2020-qualys/

https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server