CVE-2023-42115: Vulnerabilities without security patch in Exim
Exim has multiple critical vulnerabilities, including CVE-2023-4863, that allow attackers to run code on affected systems without authentication.
Multiple vulnerabilities, one of them critical, have been revealed that affect the Exim software solution. Among the different consequences that could result from the exploitation of these vulnerabilities are remote code execution and the disclosure of sensitive information. The most critical is CVE-2023-42115, which allows remote execution over the network without authentication.
Exim is a message transfer agent (MTA) developed by the University of Cambridge for use on Unix systems connected to the internet. It is an open-source software widely used as an alternative to Sendmail. It is the default MTA in Debian distributions and the most popular on the internet according to the MX Mail Server Survey, published by SecuritySpace in 2019, with a 57% installation rate.
It is worth noting that all the vulnerabilities were reported to the Exim project maintainers by ZDI in June 2022. Given the inactivity in the creation of security patches, Zero Day Initiative decided to publish the different advisories as 0-day vulnerabilities. For this reason, these vulnerabilities already have their CVE identifiers assigned.
Update 10/2/2023: As announced by Exim on the OpenWall security mailing list, a security update for exim-4.96.1 and 4.97 has been created that mitigates the three most critical vulnerabilities (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116) and will be available throughout the day today.
Key features
- Publication date: 27/09/2023
- Affected software: Exim
- Affected versions: All supported versions, from 4.0 to 4.96.
CVE | CVSS and description |
CVE-2023-42115 | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Remote code execution from a write past the end of a buffer while handling AUTH commands. |
CVE-2023-42117 | 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Remote code execution from an improper neutralization of special elements, producing a memory corruption condition. |
CVE-2023-42116 | 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Remote code execution from a stack-based buffer overflow while handling NTLM challenge requests. |
CVE-2023-42118 | 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Remote code execution affecting the Exim library libspf2, while processing SPF macros, which does not properly validate an integer. |
CVE-2023-42114 | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Information disclosure while reading ouf-of-bounds from a data structure while handling NTLM challenge requests. |
CVE-2023-42119 | 3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Information disclosure of dnsdb while reading out-of-bounds from the buffer. |
The most critical vulnerability is CVE-2023-42115, which affects the SMTP service. It is an out-of-bounds write when handling AUTH commands. It is the consequence of incorrect input data validation. This vulnerability can be exploited without requiring authentication with the goal of executing code under the context of the account with which the service is running.
As of September 30, 2023, no further technical details, nor public exploits related to the different vulnerabilities have been released. Also, there is no evidence that they are being actively exploited at this time. However, it is to be expected that this situation will change over the days.
Mitigating Exim vulnerabilities and CVE-2023-42115
Although it has taken some time, the organization that develops Exim has published an official statement with more information, as it has done in the past in its security section.
Exim plans to distribute a security patch (exim-4.96.1 and 4.97) on 02/10/2023 to mitigate the following vulnerabilities:
- CVE-2023-42114 (NTLM Out of bounds read)
- CVE-2023-42115 (AUTH Out of bounds write)
- CVE-2023-42116 (SMTP Challenge Bof).
The rest of the vulnerabilities are not yet fixed and are still being evaluated by the Exim team, although they have already defined certain recommendations that require changes to the service configuration to mitigate them.
Recomendations
The following recommendations are made to reduce the exposure to exploitation of the vulnerabilities described in this document:
- If possible, stop the Exim service until the 4.96.1 or 4.97 version can be deployed.
- If it is not possible to stop the service, implement a firewall to limit connections to the SMTP service to trusted IP addresses only.
- Monitor logs for suspicious activity, such as failed authentication attempts or unexpected connections from unusual IP addresses.
- Apply security patches to Exim as soon as they are available. Exim-4.96.1 tarballs on https://ftp.exim.org/pub/exim/exim4/ and in the GIT branches git://git.exim.org (spa-auth-fixes, exim-4.96+security, and exim-4.96.1+fixes).
Regarding the unfixed vulnerabilities, the current recommendations are as follows:
- Do not deploy Exim behind an untrusted proxy protocol (CVE-2023-42117)
- Do not use ‘spf’ as a condition in ACLS (CVE-2023-42118) and evaluate if this vulnerability is fixed through libspf2
- Use a trusted DNS resolver (CVE-2023-42119)
Tarlogic recommends that all organizations with Exim servers take immediate action to mitigate the risk of exploitation of these vulnerabilities.
Detecting Exim vulnerabilities
Currently, no exploits or proof-of-concept have been published for the different vulnerabilities. Despite this, given that all instances of Exim are affected, it is enough to identify the software to confirm its affectation.
As part of its emerging vulnerability service, Tarlogic proactively monitors its clients’ perimeters to inform, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could cause a serious impact on the security of their assets.
References:
- https://www.exim.org
- https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
- https://www.exim.org/static/doc/security/
- http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html
- https://www.cybersecurity-help.cz/vdb/SB2023092821
- https://thehackernews.com/2023/09/new-critical-security-flaws-expose-exim.html
- https://www.zerodayinitiative.com/advisories/published/
- https://www.openwall.com/lists/oss-security/2023/10/01/4