ALERT — New 21Nails Exim Bugs Expose Millions of Email Servers to Hacking

May 5, 2021

The maintainers of Exim have released patches to remediate as many as 21 security vulnerabilities in its software that could allow unauthenticated attackers to achieve full remote code execution and gain root privileges.

Collectively named '21Nails,' the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely. The issues were discovered by Qualys and reported to Exim on Oct. 20, 2020.

"Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server," Bharat Jogi, senior manager at Qualys, said in public disclosure. "Most of the vulnerabilities discovered by the Qualys Research Team, for e.g. CVE-2020-28017, affect all versions of Exim going back all the way to 2004."


Exim is a popular mail transfer agent (MTA) used on Unix-like operating systems, with over 60% of the publicly reachable mail servers on the Internet running the software.

"According to a recent survey, an estimated 60% of internet servers run on Exim. A Shodan search reveals nearly 4 million Exim servers are exposed to the internet."

A quick summary of the 21 bugs is listed below. If successfully exploited, they could be used to tweak email settings and even add new accounts on the compromised mail servers. Technical details about the flaws can be accessed here.

Local vulnerabilities:

  • CVE-2020-28007: Link attack in Exim's log directory
  • CVE-2020-28008: Assorted attacks in Exim's spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local)
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

In light of the recent Microsoft Exchange server hacks, it is crucial that the patches are applied immediately, as email servers have emerged as a lucrative target for espionage campaigns. In the past, flaws in Exim software have been actively exploited by bad actors to mount a variety of attacks, including deploying a Linux worm to install cryptocurrency miners on affected servers.

Last May, the U.S. National Security Agency (NSA) warned that Russian military operatives, publicly known as Sandworm Team, had been taking advantage of a remote code execution vulnerability tracked as CVE-2019-10149 (aka The Return of the WIZard) to "add privileged users, disable network security settings, execute additional scripts for further network exploitation" at least since August 2019.

The NSA called it an "attacker's dream access."

"Mail Transfer Agents are interesting targets for attackers because they are usually accessible over the internet," Jogi said. "Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers."
