Multiple vulnerabilities were publicly disclosed by the Zero Day Initiative (ZDI) in the Exim Mail Transfer Agent (MTA), including CVE-2023-42115, a critical vulnerability that enables unauthenticated attackers to remotely execute code on publicly exposed Exim servers with “External” authentication enabled. The issue results from improper input validation that leads to an out-of-bounds write past the end of a buffer. The recommendation is to update Exim to a patched version or, if that is not possible, to restrict remote access to Exim mail servers that have “External” authentication enabled or to switch to a different authentication method.
What is CVE-2023-42115?
Exim is a very prevalent mail server, due in part to being the default MTA preinstalled on Debian and other Linux distributions. According to the recently published Mail Server Survey, Exim is the world’s most popular MTA software. As MTA servers are often accessible via the Internet, they are likely to serve as an initial access vector for attackers.
CVE-2023-42115 allows unauthenticated remote attackers to execute arbitrary code on affected installations of Exim. Exim runs over the SMTP service, exposed on port 25 by default, though ports 26, 587 and 465 are also commonly used. The issue results from improper input validation in the SMTP service that leads to an out-of-bounds write past the end of a buffer when “External” authentication is enabled. Successful exploitation could lead to an attacker executing code in the context of the service account.
Since disclosure, security researchers have been exploring Exim’s source code to find the relevant vulnerabilities, with some claiming success. Therefore, we expect exploitation in the wild to be observed shortly.
Besides CVE-2023-42115 which is critical, CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118 are high severity vulnerabilities that also allow remote code execution under certain conditions, while CVE-2023-42114 and CVE-2023-42119 are low severity and only allow limited information disclosure. In all cases, these vulnerabilities require specific features to be enabled in order to be exploitable.
| CVE | CVSS | Requirements for exploitation |
|---|---|---|
| CVE-2023-42115 | 9.8 | “External” authentication scheme configured and available |
| CVE-2023-42116 | 8.1 | “SPA” module (used for NTLM auth) configured and available |
| CVE-2023-42117 | 8.1 | Exim Proxy (different to a SOCKS or HTTP proxy) in use with untrusted proxy server |
| CVE-2023-42118 | 7.5 | “SPF” condition used in an ACL |
| CVE-2023-42114 | 3.7 | “SPA” module (used for NTLM auth) configured to authenticate the Exim server to an upstream server |
| CVE-2023-42119 | 3.1 | An untrusted DNS resolver |
Wiz Research data: what’s the risk to cloud environments?
According to Wiz data, 23% of cloud environments have at least one instance of Exim, but we estimate that less than 5% of environments have publicly exposed Exim servers that might be at risk of exploitation.
Which products are affected?
Not all of the vulnerabilities have received patches yet.
| CVE | Patched version | Workaround |
|---|---|---|
| CVE-2023-42114 | Fixed in versions 4.96.1 and 4.97 | Disable SPA (NTLM) authentication |
| CVE-2023-42115 | Fixed in versions 4.96.1 and 4.97 | Disable EXTERNAL authentication |
| CVE-2023-42116 | Fixed in versions 4.96.1 and 4.97 | Do not use SPA (NTLM) authentication |
| CVE-2023-42117 | No fix available – all versions are assumed to be affected | Do not use Exim behind an untrusted proxy-protocol proxy |
| CVE-2023-42118 | No fix available – all versions are assumed to be affected | Do not use the spf condition in your ACL |
| CVE-2023-42119 | No fix available – all versions are assumed to be affected | Use a trustworthy DNS resolver which is able to validate the data according to the DNS record types |
Which actions should security teams take?
Organizations should upgrade Exim instances to a patched version or apply the workarounds listed above. If you are confident that you aren’t using any of the features required for exploitation, you can deprioritize patching for now.
To determine whether you’re using “External” authentication, run the following command to locate your configuration file. If that file includes driver = external, you should consider switching to a different authentication method or limiting remote access to the server altogether:
exim4 -bP configure_file
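The manual check above covers only the EXTERNAL authenticator. The script below, added here as an example and not taken from the Wiz advisory or from the Exim project, extends it to every configuration-visible prerequisite in the tables: it strips comments from the configuration file and reports the EXTERNAL authenticator (CVE-2023-42115), the SPA/NTLM authenticator (CVE-2023-42116 and CVE-2023-42114), the spf ACL condition (CVE-2023-42118) and the hosts_proxy option that makes Exim accept PROXY-protocol connections (CVE-2023-42117). The keywords matched are standard Exim configuration syntax; CVE-2023-42119 depends on the DNS resolver rather than on this file, so it is not covered. Both sample configurations, including the hostname and password-file path they mention, are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Wiz advisory or the Exim project): scan an Exim
# configuration file for the features the advisory lists as prerequisites for
# CVE-2023-42114 through CVE-2023-42118. On a live system run:
#     exim_feature_check "$(exim4 -bP configure_file)"
# Matched keywords (driver = external, driver = spa, the spf ACL condition,
# the hosts_proxy main option) are standard Exim syntax. The sample
# configurations below are constructed for this demonstration.

# Print one line per risky feature found in the configuration file $1.
# Comments are stripped first so a commented-out directive is not reported
# (a '#' inside an expansion string is stripped too, which is acceptable for
# a yes/no feature check). Returns 0 whether or not anything is found, and
# 2 if the file cannot be read.
exim_feature_check() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "exim_feature_check: cannot read $cfg" >&2
        return 2
    fi
    stripped=$(sed -e 's/#.*$//' "$cfg")

    # EXTERNAL authenticator: the prerequisite for CVE-2023-42115 (critical).
    printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*external[[:space:]]*$' &&
        echo "EXTERNAL authenticator configured (CVE-2023-42115)"

    # SPA/NTLM authenticator, server or client side (CVE-2023-42116, CVE-2023-42114).
    printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$' &&
        echo "SPA (NTLM) authenticator configured (CVE-2023-42116, CVE-2023-42114)"

    # spf condition inside an ACL verb such as "deny spf = fail" (CVE-2023-42118).
    printf '%s\n' "$stripped" |
        grep -Eq '(^|[[:space:]])spf[[:space:]]*=' &&
        echo "spf condition used in an ACL (CVE-2023-42118)"

    # hosts_proxy lists the hosts allowed to speak the PROXY protocol (CVE-2023-42117).
    printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*hosts_proxy[[:space:]]*=' &&
        echo "hosts_proxy set: PROXY protocol connections accepted (CVE-2023-42117)"

    return 0
}

# Constructed sample: a server with every feature from the tables enabled.
# Prints the path of a temporary file holding the configuration.
write_risky_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
primary_hostname = mail.example.test
hosts_proxy = 10.0.0.5
begin acl
acl_check_rcpt:
  deny  spf = fail
  accept
begin authenticators
tls_external:
  driver = external
  public_name = EXTERNAL
  server_advertise_condition = ${if def:tls_in_cipher}
  server_param2 = $tls_in_peerdn
ntlm_server:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim4/spa_passwd}}
EOF
    echo "$f"
}

# Constructed sample: the same server with the advisory's workarounds applied.
# hosts_proxy is only commented out, so the check must not report it.
write_hardened_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
primary_hostname = mail.example.test
# hosts_proxy = 10.0.0.5
begin acl
acl_check_rcpt:
  accept
begin authenticators
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}}
  server_set_id = $auth2
EOF
    echo "$f"
}

# Demonstration over the two constructed configurations.
risky=$(write_risky_sample)
hardened=$(write_hardened_sample)
echo "== constructed risky configuration =="
exim_feature_check "$risky"
echo "== constructed hardened configuration (no findings expected) =="
exim_feature_check "$hardened"
rm -f "$risky" "$hardened"
```

Run it as root (or any user able to read the Exim configuration) against the path that exim4 -bP configure_file prints. Any reported line maps directly to a row of the workaround table: remove or replace the authenticator, drop the spf condition, or unset hosts_proxy, then re-run the check to confirm a clean result.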
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for all vulnerable instances in their environment, or limit results to instances publicly exposed on common SMTP ports.