There are several unpatched and exploitable vulnerabilities in Exim -- a commonly used message transfer agent (MTA) software for Unix-based systems that comes pre-installed in many Linux distributions.
And it's taken over half-a-year to get a fix lined up since they were reported to the open source community's maintainers -- despite previous active exploitation by Russian APTs of earlier Exim bugs.
That's according to a note to the Exim users and maintainer's mailing list sent April 21, which acknowledges receipt of a vulnerability disclosure by US-based security firm Qualys back in October 2020.
(There are currently 347,635 visible Exim servers on the internet).
A security release, tagged “exim-4.94.1”. will hit the public repos on May 4, 2021, admin Heiko Schlittermann said, blaming "several internal reasons" for the six-month delay.
Strikingly, not only did Qualys report the bugs but also later provided the patches to the Exim developers, Schlittermann's email reveals.
As he wrote: "The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security[at]exim.org back in October 2020.
He added: Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner.
"We explicitly thank Qualys for reporting and for providing patches for most of the reported vulnerabilities."
The email comes after previous critical bugs in Exim were exploited by the GRU Main Center for Special Technologies (GTsST), dubbed "Sandworm". CVE-2019-10149, for example (an RCE vulnerability introduced in Exim version 4.87) allowed an unauthenticated remote attacker to send a specially crafted email that would let them execute commands with root privileges, allowing them to install programs, modify data, and create new accounts.
The Stack could not immediately confirm how many bugs there were, CVEs or CVSS scores. We'll follow up with more detail. Watch out for exim-4.94.1 meanwhile and update pronto.