CVE-2023-42115 exim

Exim is affected by several vulnerabilities, the most serious of which, CVE-2023-42115, allows an unauthenticated remote attacker to execute code on affected systems.

Several vulnerabilities, one of them critical, have been disclosed in the Exim mail transfer agent. Their possible consequences range from remote code execution to the disclosure of sensitive information. The most serious is CVE-2023-42115, which allows code execution over the network without authentication.

Exim is a message transfer agent (MTA) developed at the University of Cambridge for Unix systems connected to the internet. It is open-source software widely used as an alternative to Sendmail. It is the default MTA in Debian and, according to the MX Mail Server Survey published by SecuritySpace in May 2019, the most widely deployed MTA on the internet, found on 57% of the mail servers surveyed.

It is worth noting that all of these vulnerabilities were reported to the Exim maintainers by the Zero Day Initiative (ZDI) in June 2022. Since no security patches had been produced in the meantime, ZDI decided to publish its advisories as 0-day vulnerabilities, which is why the issues already carry CVE identifiers despite the lack of a fix.

Key features

  • Publication date:  27/09/2023 
  • Affected software: Exim  
  • Affected versions: all versions from 4.0 through 4.96, i.e. every release available at the time of publication.
CVE, CVSS 3.x score and vector, and description

CVE-2023-42115  9.8  (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Remote code execution from a write past the end of a buffer while handling SMTP AUTH commands.
CVE-2023-42117  8.1  (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Remote code execution from improper neutralization of special elements in the SMTP service, producing a memory corruption condition.
CVE-2023-42116  8.1  (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Remote code execution from a stack-based buffer overflow while handling NTLM challenge requests.
CVE-2023-42118  7.5  (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Code execution in libspf2, the SPF library that Exim links, caused by an improperly validated integer while processing SPF macros.
CVE-2023-42114  3.7  (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Information disclosure from an out-of-bounds read of a data structure while handling NTLM challenge requests.
CVE-2023-42119  3.1  (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Information disclosure from an out-of-bounds read of a buffer in the dnsdb lookup.

Note that CVE-2023-42118 and CVE-2023-42119 are scored with an adjacent attack vector (AV:A) rather than a network one, which is why their scores are lower than the remaining memory-corruption issues.

The most critical vulnerability is CVE-2023-42115, which affects the SMTP service. It is an out-of-bounds write while handling AUTH commands, caused by insufficient validation of client-supplied data. It can be exploited without authentication to execute code in the context of the account under which the service runs.


As of September 30, 2023, no further technical details or public exploits for these vulnerabilities have been released, and there is no evidence that they are being actively exploited. This situation is expected to change in the coming days.

Mitigating Exim vulnerabilities and CVE-2023-42115

At the time of writing there is no patch or update for Exim, so the service cannot be kept running without remaining exposed to these vulnerabilities.


The only strategy that partially reduces exposure is to restrict connections to the service with a firewall.

The Exim project has not published any official statement on these issues, as it has done on other occasions in the security section of its website.

Recommendations

The following recommendations are made to reduce the exposure to exploitation of the vulnerabilities described in this document:

  • If possible, stop the Exim service until a patch or update is available.
  • If the service cannot be stopped, use a firewall to limit connections to the SMTP service to trusted IP addresses only.
  • Monitor logs for suspicious activity, such as repeated failed authentication attempts or connections from unexpected IP addresses.
  • Apply security patches to Exim as soon as they are available.
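The firewall and log-monitoring recommendations above, as one added shell example that is not part of this advisory or of the Exim project. It assumes an nftables host firewall, Exim listening on TCP 25/465/587, Exim's standard mainlog line format, and the `+smtp_connection` log selector for connection lines; the addresses are placeholders from the RFC 5737 documentation ranges and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example for the firewall and log-monitoring recommendations.
# Not code from the original advisory or from the Exim project.
# Assumptions: nftables is the host firewall, Exim listens on TCP 25/465/587,
# the log is Exim's mainlog, and all addresses are RFC 5737 placeholders.

# Emit an nftables ruleset that accepts SMTP only from the trusted sources
# given as arguments (IPv4 addresses or CIDR ranges) and drops the rest.
# The set is IPv4-only: IPv6 clients fall through to the drop rule, so add an
# ipv6_addr set if trusted peers use IPv6. At least one source is required.
# Apply with: exim_smtp_ruleset 203.0.113.10 198.51.100.0/24 > exim.nft && nft -f exim.nft
exim_smtp_ruleset() {
    trusted=$(printf '%s, ' "$@")
    trusted=${trusted%, }
    cat <<EOF
table inet exim_guard {
    set trusted_smtp {
        type ipv4_addr
        flags interval
        elements = { $trusted }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 25, 465, 587 } ip saddr @trusted_smtp accept
        tcp dport { 25, 465, 587 } counter drop
    }
}
EOF
}

# Count "authenticator failed" lines per client address in an Exim mainlog and
# print "<ip> <count>" for each address at or above the threshold ($2, default 5).
# Exim writes the client address in square brackets on these lines.
exim_auth_failures() {
    awk -v thr="${2:-5}" '
        /authenticator failed for/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' "$1"
}

# List client addresses from "SMTP connection from" lines (logged when the
# Exim config has log_selector = +smtp_connection) that are not in the trusted
# list given as the remaining arguments (exact addresses, not ranges).
exim_unexpected_sources() {
    log=$1
    shift
    allow=$(mktemp)
    for t in "$@"; do printf '%s\n' "$t"; done > "$allow"
    awk '/SMTP connection from/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]/)) print substr($0, RSTART + 1, RLENGTH - 2)
         }' "$log" | sort -u | grep -vxF -f "$allow" || true
    rm -f "$allow"
}

# Constructed sample mainlog (synthetic lines in Exim's log format, not real
# traffic) so the functions above can be exercised offline.
write_sample_mainlog() {
    cat > "$1" <<'EOF'
2023-09-29 10:15:01 SMTP connection from [198.51.100.7]:40112 (TCP/IP connection count = 1)
2023-09-29 10:15:02 login authenticator failed for (win-x) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2023-09-29 10:15:03 login authenticator failed for (win-x) [198.51.100.7]: 535 Incorrect authentication data (set_id=root)
2023-09-29 10:15:04 login authenticator failed for (win-x) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2023-09-29 10:16:10 SMTP connection from [203.0.113.10]:51234 (TCP/IP connection count = 1)
2023-09-29 10:16:11 plain authenticator failed for (laptop) [203.0.113.10]: 535 Incorrect authentication data (set_id=alice)
2023-09-29 10:16:15 1qmGfL-0001a2-3X <= alice@example.com H=(laptop) [203.0.113.10] P=esmtpsa A=plain:alice S=1234
2023-09-29 10:20:00 SMTP connection from [192.0.2.44]:1025 (TCP/IP connection count = 1)
EOF
}
```

On the sample log, `exim_auth_failures mainlog 3` reports only 198.51.100.7 (three failures), and `exim_unexpected_sources mainlog 203.0.113.10` lists 192.0.2.44 and 198.51.100.7 as sources outside the trusted list. The ruleset is deliberately a separate table with its own input chain, so it layers on top of whatever the host already has without editing existing rules; remove it with `nft delete table inet exim_guard` once a patched Exim is installed.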

Tarlogic recommends that all organizations with Exim servers take immediate action to mitigate the risk of exploitation of these vulnerabilities.

Detecting Exim vulnerabilities

No exploits or proof-of-concept code have been published for these vulnerabilities so far. However, since every Exim release is affected, identifying the software on a host is enough to confirm that it is affected: the version exposed in the SMTP greeting banner, or reported locally by exim -bV, is sufficient.

As part of its emerging vulnerability service, Tarlogic proactively monitors its clients' perimeters to detect and urgently notify them of the presence of these vulnerabilities, as well as of other critical threats that could seriously impact the security of their assets.

References:

  • https://www.exim.org
  • https://www.exim.org/static/doc/security/
  • http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html
  • https://www.cybersecurity-help.cz/vdb/SB2023092821
  • https://thehackernews.com/2023/09/new-critical-security-flaws-expose-exim.html
  • https://www.zerodayinitiative.com/advisories/published/