Critical zero-days in Exim revealed, only 3 have been fixed
Six zero-days in Exim, the most widely used mail transfer agent, have been revealed by Trend Micro's Zero Day Initiative last Wednesday.
Due to what seems to be insufficient information and poor communication, fixes for only three of them have been included in Exim v4.96.1, a security release made available today.
The popularity of Exim is not surprising: it's free, efficient, highly configurable, regularly updated, and often probed for vulnerabilities by security researchers.
CVE-2023-42115, along with CVE-2023-42116 and CVE-2023-42114, has been fixed in Exim v4.96.1 and the latest v4.97 release candidates.
Exim project team member Heiko Schlittermann has also provided details and mitigation steps for all six flaws, and confirmed that "None of these issues is related to transport security being on or off".
In the security advisories, the ZDI claims that Exim maintainers have not provided satisfactory feedback on what they were doing to fix the vulnerabilities.
News URL: https://www.helpnetsecurity.com/2023/10/02/critical-zero-days-in-exim/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-03 | CVE-2023-42116 | Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability | 0.0 |
| 2024-05-03 | CVE-2023-42115 | Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability | 0.0 |
| 2024-05-03 | CVE-2023-42114 | Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability | 0.0 |