Hundreds of thousands of Exim servers face 0-day threat

CarderPlanet

Researchers at the Trend Micro Zero Day Initiative (ZDI) have warned about several vulnerabilities in the Exim mail transfer agent (MTA). The most serious of them affects all versions of Exim and allows unauthenticated remote code execution.

To make matters worse, Exim runs on hundreds of thousands, possibly millions, of mail servers worldwide. According to Security Space, Exim is installed on more than 56% of the mail servers it found on the Internet (342,337 hosts). According to Shodan, more than 3.5 million Internet-facing servers run Exim.

CVE-2023-42115 (CVSS 9.8) was discovered by a researcher who chose to remain anonymous. It is an out-of-bounds write in the Exim component responsible for SMTP authentication, and it can be used to execute code or commands remotely on vulnerable servers.

"The vulnerability is related to the smtp service, which by default listens on TCP port 25," ZDI reports. "The problem occurs due to a lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can use this vulnerability to execute code in the context of the service account."

The ZDI advisory also states that ZDI notified the Exim developers of this vulnerability back in June 2022 and, at their request, re-sent the details in May 2023. The developers did not report any progress on a patch, so ZDI decided to publish the information.

In addition to this 0-day, ZDI disclosed five further Exim vulnerabilities at the same time:

* CVE-2023-42114 (CVSS 3.7): out-of-bounds read in Exim's NTLM challenge handling, leading to information disclosure;

* CVE-2023-42116 (CVSS 8.1): buffer overflow in Exim's SMTP challenge handling, leading to remote code execution;

* CVE-2023-42117 (CVSS 8.1): another remote code execution vulnerability, caused by improper neutralization of special elements;

* CVE-2023-42118 (CVSS 7.5): integer underflow in Exim's libspf2 (SPF) support, also leading to remote code execution;

* CVE-2023-42119 (CVSS 3.1): out-of-bounds read in Exim's dnsdb lookup, leading to information disclosure.
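Four of the six advisories name an Exim component that is only present if it was compiled in: the spa authenticator (which implements NTLM), SPF support via libspf2, the dnsdb lookup type and, according to the Exim maintainers' fix for CVE-2023-42115 (not stated in the article above), the external authenticator. The triage helper below is an added example, not part of the original post or of Exim itself. It parses the output of `exim -bV` and reports which of those components are built into the binary. The `-bV` output embedded here is constructed, not captured from a real host; on a real server pipe the actual command into the functions.

```sh
#!/bin/sh
# Added triage helper for the Exim advisories discussed above.
# Real usage:  exim -bV | exim_exposure ;  exim -bV | exim_version
# The sample below is CONSTRUCTED for offline demonstration; the line
# prefixes ("Support for:", "Lookups (built-in):", "Authenticators:")
# match what `exim -bV` really prints.
SAMPLE_BV='Exim version 4.96 #2 built 10-Jun-2022 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS DKIM DNSSEC Event OCSP PRDR SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Configuration file is /etc/exim4/exim4.conf'

# exim_version: print the version number from the first `exim -bV` line.
exim_version() {
  sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# bv_has PREFIX TOKEN: true if the -bV line beginning with PREFIX lists TOKEN
# as a whole space-separated word. Reads the output from the BV variable.
bv_has() {
  printf '%s\n' "$BV" | grep "^$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# report PREFIX TOKEN LABEL: one line "LABEL: present|absent".
report() {
  if bv_has "$1" "$2"; then
    echo "$3: present"
  else
    echo "$3: absent"
  fi
}

# exim_exposure: read `exim -bV` output on stdin and report, for each
# component named in the advisories, whether it is compiled into this binary.
# "present" means the code path exists; whether it is reachable also depends
# on the runtime configuration (which authenticators/lookups are configured).
exim_exposure() {
  BV=$(cat)
  report 'Authenticators:'     external 'external authenticator (CVE-2023-42115)'
  report 'Authenticators:'     spa      'spa/NTLM authenticator (CVE-2023-42114)'
  report 'Support for:'        SPF      'libspf2 SPF support (CVE-2023-42118)'
  report 'Lookups (built-in):' dnsdb    'dnsdb lookup (CVE-2023-42119)'
}

# Demonstration on the constructed sample.
printf 'Exim version: %s\n' "$(printf '%s\n' "$SAMPLE_BV" | exim_version)"
printf '%s\n' "$SAMPLE_BV" | exim_exposure
```

A component reported as present is a build-time fact only; the spa and external authenticators, for instance, are exploitable only if the running configuration actually defines an authenticator of that driver and offers it over SMTP. CVE-2023-42116 and CVE-2023-42117 are not tied to a build-time feature flag visible in `-bV`, so the helper does not cover them.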

Only after this long list of bugs was published did one of the Exim developers report on the oss-security mailing list that fixes for the two most dangerous vulnerabilities (and for a third, less serious one) were already available in a "protected repository and ready to be applied by the distribution maintainers."

No further details were given about the patches or about how administrators would receive them. It is also unknown whether any workarounds exist for those who cannot install the fixes right away.

In the same mailing list thread, the Exim developers confirm that they received the first private report from ZDI back in June 2022, after which they requested additional details, "but did not receive any reply we could work with."

The next contact between ZDI and the developers took place only in May 2023, after which work began on patches for three of the six vulnerabilities. "The remaining issues are debatable or lack the information we need to fix them," the developers write.

ZDI, in turn, responds that the disclosure deadline had already been exceeded by many months.

"We notified the maintainers of our intention to publicly disclose these bugs, after which we were told to 'do what you do,'" ZDI reports. "If the bugs are properly addressed, we will update our advisories with links to security bulletins, patches, and any other publicly available documentation related to these issues."

In the meantime, ZDI advises administrators to restrict access to the Exim SMTP service from the Internet to limit exploitation attempts.

As a result, both ZDI and the Exim developers have been criticized by information security specialists. For example, the researcher known as Solar Designer writes:

"It seems that these vulnerabilities were treated carelessly on both the ZDI and Exim side. Neither team pinged the other for 10 months, and it took Exim four months to fix even the two issues where they received sufficient information."