
Exim developers have released patches for three of the zero-days disclosed last week via Trend Micro's Zero Day Initiative (ZDI), one of which allows unauthenticated attackers to gain remote code execution.
Discovered by an anonymous security researcher, the flaw (CVE-2023-42115) is an out-of-bounds write in the SMTP service and can be exploited by remote, unauthenticated attackers to execute code in the context of the service account.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer," ZDI's advisory explains.
"Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input," the Exim development team says in the changelog of version 4.96.1, released today.
Today, the Exim team also patched two flaws in the SPA (NTLM) authenticator: an information disclosure bug (CVE-2023-42114, CVSS 3.7) and a second RCE bug (CVE-2023-42116, CVSS 8.1).
As Exim developer Heiko Schlittermann revealed on the Open Source Security (oss-sec) mailing list on Friday, today's fixes were already "available in a protected repository" and "ready to be applied by the distribution maintainers."
The three zero-days that remain to be fixed are CVE-2023-42117, CVE-2023-42118 and CVE-2023-42119; the configuration each one requires is listed in the table below.
Not "a world-ending catastrophe"
While ZDI tagged it with a 9.8/10 severity score, Exim says that successful exploitation of CVE-2023-42115, the most severe of the six zero-days ZDI disclosed last week, relies on the targeted server using external authentication.
Even though 3.5 million Exim servers are exposed online according to Shodan, this requirement drastically reduces the number of Exim mail servers potentially vulnerable to attacks.
An analysis of the six zero-days by watchTowr Labs confirms Exim's take on their severity, noting that they "require a very specific environment to be accessible."
watchTowr Labs also provided a list of the configuration requirements a vulnerable Exim server must meet for successful exploitation:
| CVE | CVSS | Requirements |
|---|---|---|
| CVE-2023-42115 | 9.8 | "External" authentication scheme configured and available |
| CVE-2023-42116 | 8.1 | "SPA" module (used for NTLM auth) configured and available |
| CVE-2023-42117 | 8.1 | Exim Proxy (different to a SOCKS or HTTP proxy) in use with an untrusted proxy server |
| CVE-2023-42118 | 7.5 | "SPF" condition used in an ACL |
| CVE-2023-42114 | 3.7 | "SPA" module (used for NTLM auth) configured to authenticate the Exim server to an upstream server |
| CVE-2023-42119 | 3.1 | An untrusted DNS resolver |
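As an added example (not code from the article, Exim, ZDI or watchTowr), the following Python script turns that table into a triage check for a single server. It assumes the configuration text comes from `exim -bP config` or the server's config file and the version string from `exim -bV`, and it recognises the listed features by their Exim option names: authenticators with `driver = external` or `driver = spa` (server-side if they carry `server_*` options, client-side if they carry `client_*` options), the `hosts_proxy` main option and the `spf` ACL condition. Whether the DNS resolver is trusted is not visible in the Exim configuration, so CVE-2023-42119 is always reported for manual checking. The sample configuration and version string are constructed for the example.

```python
import re

# Fixed in 4.96.1 per the Exim changelog quoted above; the other three had no fix at the time.
PATCHED_IN_4_96_1 = {"CVE-2023-42115", "CVE-2023-42114", "CVE-2023-42116"}
FIXED_VERSION = (4, 96, 1)

# (CVE, CVSS as published by watchTowr, feature flag this check looks for, requirement)
REQUIREMENTS = [
    ("CVE-2023-42115", "9.8", "external_auth", '"external" authenticator configured'),
    ("CVE-2023-42116", "8.1", "spa_server", '"spa" (NTLM) authenticator offered to clients'),
    ("CVE-2023-42117", "8.1", "proxy", "hosts_proxy set (Exim proxy protocol, untrusted proxy)"),
    ("CVE-2023-42118", "7.5", "spf_acl", '"spf" condition used in an ACL'),
    ("CVE-2023-42114", "3.7", "spa_client", '"spa" authenticator used as a client upstream'),
    ("CVE-2023-42119", "3.1", None, "untrusted DNS resolver (not visible in the Exim config)"),
]


def parse_version(bv_output):
    """(major, minor, patch) from `exim -bV` output such as 'Exim version 4.96 #2 ...'."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no Exim version string found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def split_sections(config_text):
    """Map section name -> non-comment lines; 'main' is everything before the first 'begin'.
    Assumption: no backslash line continuations on the lines this check cares about."""
    sections, current = {"main": []}, "main"
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # Exim comments start at the beginning of a line
        m = re.match(r"^begin\s+(\w+)\s*$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def authenticators(sections):
    """Yield (name, {option: value}) for each block in the authenticators section."""
    name, opts = None, {}
    for line in sections.get("authenticators", []):
        head = re.match(r"^(\S+):\s*$", line)
        if head:
            if name:
                yield name, opts
            name, opts = head.group(1), {}
            continue
        opt = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if opt and name:
            opts[opt.group(1)] = opt.group(2)
    if name:
        yield name, opts


def detect_features(config_text):
    """Which of the table's preconditions this configuration meets."""
    s = split_sections(config_text)
    feats = dict.fromkeys(("external_auth", "spa_server", "spa_client", "proxy", "spf_acl"), False)
    for _name, opts in authenticators(s):
        driver = opts.get("driver", "").strip()
        if driver == "external":
            feats["external_auth"] = True
        elif driver == "spa":
            # server_* options: offered to inbound clients; client_* options: used upstream
            feats["spa_server"] |= any(k.startswith("server_") for k in opts)
            feats["spa_client"] |= any(k.startswith("client_") for k in opts)
    feats["proxy"] = any(re.match(r"^\s*hosts_proxy\s*=", l) for l in s["main"])
    feats["spf_acl"] = any(re.search(r"(^|\s)spf(_guess)?\s*=", l) for l in s.get("acl", []))
    return feats


def assess(config_text, bv_output):
    """Return {cve: status}: 'not applicable', 'exposed', 'patched' or 'check resolver'."""
    version = parse_version(bv_output)
    feats = detect_features(config_text)
    result = {}
    for cve, _cvss, key, _req in REQUIREMENTS:
        if key is None:
            result[cve] = "check resolver"
        elif not feats[key]:
            result[cve] = "not applicable"
        elif cve in PATCHED_IN_4_96_1 and version >= FIXED_VERSION:
            result[cve] = "patched"
        else:
            result[cve] = "exposed"
    return result


# Constructed sample (not from any real system): NTLM (spa) offered to clients, SPF used in
# the RCPT ACL, proxy-protocol connections accepted from one host, running unpatched 4.96.
SAMPLE_CONFIG = """\
primary_hostname = mail.example.test
hosts_proxy = 192.0.2.10
begin acl
acl_check_rcpt:
  deny  message = SPF fail
        spf = fail
  accept
begin authenticators
plain_login:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim/passwd}}}}
ntlm:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa.pw}}
"""
SAMPLE_BV = "Exim version 4.96 #2 built 02-Oct-2023 10:00:00"

if __name__ == "__main__":
    for cve, status in assess(SAMPLE_CONFIG, SAMPLE_BV).items():
        print(f"{cve}: {status}")
```

On the sample above the script reports CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118 as exposed and the two that need an "external" or client-side "spa" authenticator as not applicable; feeding it a 4.96.1 version string flips CVE-2023-42116 to patched while the proxy and SPF issues stay exposed, which is the situation the article describes. The parser is deliberately minimal (no macro expansion, no `.include` handling), so treat a "not applicable" result as a prompt to confirm against `exim -bP`, not as proof.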
"Most of us needn't worry. If you're one of the unlucky ones who uses one of the listed features though, you'll be keen to get more information before undertaking ZDI's advice to 'restrict interaction with the application'," watchTowr researcher Aliz Hammond said.
"So, our advice is the usual - patch when you can, once patches are available [..] But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe."