On September 27th, Trend Micro’s Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account.
In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:
- CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
- CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
- CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)
What is Exim Mail?
Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.
Are updates available?
Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities,
if you are running Exim mail servers on your network, you should apply the security patch immediately.
How do I find potentially vulnerable Exim mail servers with runZero?
A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.
With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.
product:exim
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
