A severe zero-day vulnerability in all versions of the Exim mail transfer agent (MTA) software has emerged, which can enable unauthenticated attackers to execute remote code on servers exposed to the Internet.

The security issue, tracked as CVE-2023-42115, was identified by an anonymous security researcher and subsequently disclosed via Trend Micro’s Zero Day Initiative (ZDI). The vulnerability arises from an out-of-bounds write flaw in the SMTP service. Such flaws can cause software crashes or data corruption, and in some scenarios can be leveraged by attackers for code or command execution on vulnerable servers.

ZDI elaborated in a security advisory that, “The problem is due to insufficient validation of user-provided data, leading to buffer overflow. This flaw can be leveraged by attackers to run code under the service account.”

Although the Exim team was alerted about this vulnerability by ZDI in June 2022, and reminders were sent in May 2023, there was no update regarding the development of a patch. Consequently, ZDI released an advisory on September 27, detailing the zero-day vulnerability and providing a comprehensive timeline of their interactions with the Exim team.

Millions of Servers at Risk

MTA servers such as Exim are frequently exposed directly to the Internet, which makes them attractive targets for attackers. Historical data shows that hacking groups have exploited Exim flaws in the past. Significantly, as of early September 2023, Exim is the default MTA on Debian Linux distributions and is regarded as the world’s most widely used MTA software. Statistics indicate that over 56% of approximately 602,000 mail servers online use Exim, amounting to around 342,000 servers. Shodan search results reveal that nearly 3.5 million Exim servers are currently accessible online, predominantly in the USA, followed by Russia and Germany.

In the absence of an available patch to secure Exim servers against these potential threats, ZDI’s recommendation to administrators is to limit remote access from the Internet.

Additional Zero-Days in Exim

This week, ZDI also reported five other Exim vulnerabilities with varying degrees of severity:

CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow (CVSS v3.0 8.1)
CVE-2023-42117: Exim Special Elements Remote Code Execution (CVSS v3.0 8.1)
CVE-2023-42118: Exim libspf2 Integer Underflow (CVSS v3.0 7.5)
CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read (CVSS v3.0 3.1)
CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read (CVSS v3.0 3.7)

Lastly, Exim developer Heiko Schlittermann has stated that “fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are ready and stored in a secure repository, prepared for application by distribution maintainers.”