Raft of Exim Security Holes Allow Linux Mail Server Takeovers
2021-05-05 18:15

A veritable cornucopia of security vulnerabilities in the Exim mail server has been uncovered, some of which could be chained together for unauthenticated remote code execution, root privilege escalation and worm-style lateral movement, according to researchers.

"Exim Mail Servers are used so widely and handle such a large volume of the internet's traffic that they are often a key target for hackers," Jogi said, noting that last year, a vulnerability in Exim was a target of the Russian advanced persistent threat known as Sandworm.

He added, "The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system - allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts and change sensitive settings on the mail servers. It's imperative that users apply patches immediately."

Either of these vulnerabilities can be used by unauthenticated attackers to gain initial access as an "Exim" user on the mail server.

The Exim binary is set-user-ID-root, and Exim operates as root in its log directory, which belongs to the "Exim" user.

This vulnerability is particularly problematic for ISPs and mail providers that deploy Exim and offer mail accounts but not shell accounts, researchers added, and it can be chained with an authentication bypass such as CVE-2020-12783, discovered by Orange Tsai in May 2020, for a full RCE-plus-LPE attack.


News URL

https://threatpost.com/exim-security-linux-mail-server-takeovers/165894/

Related Vulnerability

Date: 2020-05-11
CVE: CVE-2020-12783
Title: Out-of-bounds Read vulnerability in multiple products
Description: Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
Attack vector: network
Attack complexity: low
Affected vendors: exim, fedoraproject, debian, canonical
Weakness: CWE-125
Risk score: 7.5

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Linux    -          18           378   1446     1139   696        3659
Exim     -          1            2     14       21     9          46