Skip to content

Search the site

Millions likely exposed to 21 new bugs in Exim: '21Nails' vulns give RCE, root

Millions of servers globally are exposed to 21 new bugs in Exim -- a widely used mail server -- with several of the vulns able, when chained, to give an attacker full remote code execution (RCE) as an all-powerful root user.

As The Stack first reported, April 22, "several" newly identified bugs had been reported to the open source Exim community in Autumn 2020, but patching delayed owing to "several internal reasons" as one maintainer put it.

Now further details have emerged, with security firm Qualys highlighting its discovery of 21 unique vulnerabilities in the widely used mail server; 10 of which can be exploited remotely to gain root privileges.

Most of the vulnerabilities in the EXIM/Qualys advisory are memory corruptions, and -- as the company notes --  despite modern protections such as ASLR, NX, and malloc hardening, memory corruptions in Exim are easy to exploit. (The company also furnished the community with 26 patches during its engagement.)

While no POC is being revealed, some prompt patch reverse engineering should reveal an attack path pretty sharply and there are hints in the detailed advisory, so users would be advised to patch fast.

New EXIM bugs: All versions before Exim-4.94.1 are vulnerable.

The vast majority of the new Exim bugs discovered by the Qualys Research Team affect all versions of Exim back to the start of its Git history 17 years ago; i.e. all versions before Exim-4.94.1 are vulnerable.

A Shodan search suggests that there are 3.8 million Exim servers exposed to the internet globally; two million of them in the US, and given the breadth of the attack surface for this vulnerability, users should patch fast.

(For what it is worth, the company says it has successfully exploited three RCEs and four Local Privilege Escalations bugs. It hasn't tried to exploit the others.)

The disclosure comes after previous critical bugs in Exim were actively exploited by Russian hackers from the GRU Main Center for Special Technologies (GTsST) -- the APT dubbed “Sandworm”.

Qualys is offering an integrated vulnerability management and detection service free for 30 days to identify vulnerable assets.

New Exim bugs: The CVEs.

Remote vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Local vulnerabilities

  • CVE-2020-28007: Link attack in Exim's log directory
  • CVE-2020-28008: Assorted attacks in Exim's spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run
  • CVE-2020-28010: Heap out-of-bounds write in main
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase
  • CVE-2020-28015: New-line injection into spool header file
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput

(Details of each from Qualys here).

Follow The Stack on LinkedIn