Critical and high severity Exim vulnerabilities: everything you need to know
Detect and mitigate CVE-2023-42115, and 5 more vulnerabilities in Exim. Organizations using affected configurations should mitigate and patch the vulnerabilities urgently.
Multiple vulnerabilities were publicly disclosed by the Zero Day Initiative (ZDI) in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with “External” authentication enabled. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer. The recommendation is to update Exim to patched versions, or if not possible, restrict remote access to Exim mail servers if you have “External” authentication enabled, or to switch to a different authentication method.
What is CVE-2023-42115?
Exim is a very prevalent mail server, due in part to being the default MTA preinstalled on Debian and other Linux distributions. According to the recently published Mail Server Survey, Exim is the world’s most popular MTA software. As MTA servers are often accessible via the Internet, they are likely to serve as an initial access vector for attackers.
CVE-2023-42115 allows unauthenticated remote attackers to execute arbitrary code on affected installations of Exim, which runs over the SMTP service – exposed on port 25 by default, though ports 26, 587 and 465 are also commonly used. This issue results from improper input validation that leads to an out-of-bounds write found in the SMTP service when “External” authentication is enabled. This results in a write past the end of the buffer. A successful exploitation of this vulnerability could lead to an attacker executing code in the context of the service account.
Since disclosure, security researchers have been exploring Exim’s source code to find the relevant vulnerabilities, with some claiming success. Therefore, we expect exploitation in the wild to be observed shortly.
Besides CVE-2023-42115 which is critical, CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118 are high severity vulnerabilities that also allow remote code execution under certain conditions, while CVE-2023-42114 and CVE-2023-42119 are low severity and only allow limited information disclosure. In all cases, these vulnerabilities require specific features to be enabled in order to be exploitable.
CVE
CVSS
Requirements for exploitation
CVE-2023-42115
9.8
“External” authentication scheme configured and available
CVE-2023-42116
8.1
“SPA” module (used for NTLM auth) configured and available
CVE-2023-42117
8.1
Exim Proxy (different to a SOCKS or HTTP proxy) in use with untrusted proxy server
CVE-2023-42118
7.5
“SPF” condition used in an ACL
CVE-2023-42114
3.7
“SPA” module (used for NTLM auth) configured to authenticate the Exim server to an upstream server
CVE-2023-42119
3.1
An untrusted DNS resolver
Wiz Research data: what’s the risk to cloud environments?
According to Wiz data, 23% percent of cloud environments have at least one instance of Exim, but we estimate that less than 5% of environments have publicly exposed Exim servers that might be at risk of exploitation.
Which products are affected?
Not all of the vulnerabilities have received patches yet.
CVE
Patched version
Workaround
CVE-2023-42114
Fixed in versions 4.96.1 and 4.97.
Disable SPA (NTLM) authentication
CVE-2023-42115
Fixed in versions 4.96.1 and 4.97.
Disable EXTERNAL authentication.
CVE-2023-42116
Fixed in versions 4.96.1 and 4.97.
Do not use SPA (NTLM) authentication
CVE-2023-42117
No fix available – all versions are assumed to be affected
Do not use Exim behind an untrusted proxy-protocol proxy
CVE-2023-42118
No fix available – all versions are assumed to be affected
Do not use the spf condition in your ACL
CVE-2023-42219
No fix available – all versions are assumed to be affected
Use a trustworthy DNS resolver which is able to validate the data according to the DNS record types.
Which actions should security teams take?
Organizations should upgrade Exim instances to a patched version or apply the workarounds listed above. If you are confident that you aren’t using any of the features required for exploitation, you can deprioritize patching for now.
To determine whether you’re using “External” authentication, run the following command to locate your configuration file. If it includes driver = external, you should consider switching to a different authentication method or limiting remote access to the server altogether:
exim4 -bP configure_file
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for all vulnerable instances in their environment, or limit results to instances publicly exposed on common SMTP ports.