The Stack

Millions likely exposed to 21 new bugs in Exim: ’21Nails’ vulns give RCE, root

Millions of servers globally are exposed to 21 new bugs in Exim — a widely used mail server — with several of the vulns able, when chained, to give an attacker full remote code execution (RCE) as an all-powerful root user.

As The Stack first reported on April 22, “several” newly identified bugs had been reported to the open source Exim community in autumn 2020, but patching was delayed owing to “several internal reasons”, as one maintainer put it.

Now further details have emerged, with security firm Qualys highlighting its discovery of 21 unique vulnerabilities in the widely used mail server; 10 of which can be exploited remotely to gain root privileges.

Most of the vulnerabilities in the Exim/Qualys advisory are memory corruptions, and — as the company notes — despite modern protections such as ASLR, NX, and malloc hardening, memory corruptions in Exim are easy to exploit. (The company also furnished the community with 26 patches during its engagement.)

While no proof-of-concept (PoC) is being released, reverse engineering the patches should reveal an attack path quickly, and there are hints in the detailed advisory, so users would be advised to patch fast.

New Exim bugs: All versions before Exim-4.94.1 are vulnerable.

The vast majority of the new Exim bugs discovered by the Qualys Research Team affect all versions of Exim back to the start of its Git history 17 years ago; i.e. all versions before Exim-4.94.1 are vulnerable.
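A first question for anyone running Exim is simply which version is installed. The following shell script is an added example, not code from The Stack, Qualys or the Exim project: it parses the version string printed by `exim -bV` and compares it with a fixed-version threshold. `FIXED_VERSION` is set to the release the article cites (4.94.1) and is an assumption to adjust to whatever your vendor's advisory names; the sample `exim -bV` line is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from The Stack, Qualys or Exim): local version check
# against the first fixed release cited in the article. The threshold is
# an assumption; distributions often backport fixes without bumping the
# upstream version string, so treat a "vulnerable" result as a prompt to
# check the vendor advisory, not as proof of exposure.
FIXED_VERSION="4.94.1"

# Constructed sample of the first line of `exim -bV` output (not captured
# from a real host), used so the script runs without Exim installed.
SAMPLE_OUTPUT="Exim version 4.93 #3 built 06-Apr-2020 11:14:38"

# parse_exim_version OUTPUT: print the "X.Y[.Z]" version from the first
# "Exim version ..." line of `exim -bV` output, or nothing if absent.
parse_exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) if version A sorts before version B,
# comparing up to three numeric dot-separated fields; a missing field
# counts as 0, so "4.94" is treated as "4.94.0".
version_lt() {
    a1=$(printf '%s\n' "$1" | cut -d. -f1); b1=$(printf '%s\n' "$2" | cut -d. -f1)
    a2=$(printf '%s\n' "$1" | cut -d. -f2); b2=$(printf '%s\n' "$2" | cut -d. -f2)
    a3=$(printf '%s\n' "$1" | cut -d. -f3); b3=$(printf '%s\n' "$2" | cut -d. -f3)
    a2=${a2:-0}; a3=${a3:-0}; b2=${b2:-0}; b3=${b3:-0}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return $?; fi
    [ "$a3" -lt "$b3" ]
}

# exim_is_vulnerable OUTPUT: succeed if the version in OUTPUT is older than
# FIXED_VERSION. Unparseable output is reported as vulnerable (fail closed).
exim_is_vulnerable() {
    v=$(parse_exim_version "$1")
    [ -z "$v" ] && return 0
    version_lt "$v" "$FIXED_VERSION"
}

# report OUTPUT: human-readable verdict for one `exim -bV` output.
report() {
    v=$(parse_exim_version "$1")
    if exim_is_vulnerable "$1"; then
        echo "Exim ${v:-<unknown>}: older than $FIXED_VERSION, patch and check your vendor advisory"
    else
        echo "Exim $v: at or above $FIXED_VERSION"
    fi
}

# Demo on the constructed sample, then on the local binary if present.
report "$SAMPLE_OUTPUT"
if command -v exim >/dev/null 2>&1; then
    report "$(exim -bV 2>/dev/null | head -n 1)"
fi
```

On Debian-derived systems the binary may be installed as `exim4`, and packaged builds commonly carry a security fix under an older upstream version number, so the version comparison is a triage heuristic rather than a verdict; the package changelog or vendor advisory is the authoritative source.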

A Shodan search suggests that there are 3.8 million Exim servers exposed to the internet globally, two million of them in the US; given the breadth of the attack surface these vulnerabilities expose, users should patch fast.

(For what it is worth, the company says it has successfully exploited three of the RCE bugs and four of the local privilege escalation bugs; it has not tried to exploit the others.)

The disclosure comes after previous critical bugs in Exim were actively exploited by Russian hackers from the GRU Main Center for Special Technologies (GTsST) — the APT dubbed “Sandworm”.

Qualys is offering an integrated vulnerability management and detection service free for 30 days to identify vulnerable assets.

New Exim bugs: The CVEs.

Remote vulnerabilities:

Local vulnerabilities:

(Details of each are in the Qualys advisory.)
