Multiple critical vulnerabilities in Exim, including a zero-day tracked as CVE-2023-42115, allow unauthenticated attackers to run code on affected systems, leaving millions of Internet-facing Exim mail servers exposed to attack.
Here’s what you need to know.
What is CVE-2023-42115?
Discovered by an unidentified security researcher and disclosed through Trend Micro’s Zero Day Initiative (ZDI), CVE-2023-42115 is a critical flaw caused by an out-of-bounds write in Exim’s SMTP service. Successful exploitation can crash the daemon or corrupt its data, and it can be used to execute code or commands on vulnerable servers.
According to the ZDI advisory, the flaw lies in the SMTP service, which typically listens on TCP port 25. The root cause is insufficient validation of user-supplied data, which lets an attacker write past the end of a buffer and execute code in the context of the service account. ZDI published its advisory on September 27, describing the CVE-2023-42115 zero-day and laying out a complete timeline of its communications with the Exim team.
Originating from the University of Cambridge, Exim is a Message Transfer Agent (MTA) tailored for Unix systems linked to the internet. As open-source software, it serves as a notable substitute for Sendmail. Within Debian distributions, Exim holds the position of the default MTA. Notably, it stood out as the leading MTA on the internet in 2019, boasting a substantial 57% installation rate, as revealed in the MX Mail Server Survey conducted by SecuritySpace.
Does CVE-2023-42115 affect me?
The critical zero-day vulnerability affects all versions of the Exim mail transfer agent (MTA) and could let an unauthenticated attacker achieve remote code execution (RCE) on Internet-exposed servers.
Has CVE-2023-42115 been actively exploited in the wild?
As of October 1, 2023, no further technical details have been disclosed and no public exploit for the bug has been released. There is also no evidence so far of the vulnerability being exploited in the wild. That situation is likely to change within days, however.
How to fix CVE-2023-42115
The Exim developers have not yet published an update on their progress toward a patch. Until a fix is available for vulnerable Exim servers, ZDI recommends that administrators restrict remote (Internet) access to the service to reduce the chance of exploitation.
“Considering the vulnerability’s nature, the most effective mitigation approach is to limit engagement with the application,” cautioned ZDI. ZDI has also disclosed five other Exim zero-days for which public patches are still unreleased or pending:
- CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
- CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
- CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)
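The mitigation ZDI describes above, restricting who can reach the SMTP service on TCP port 25 while no patch exists, can be expressed as a host firewall allowlist. The script below is an added example and is not code from the page, from ZDI or from the Exim project: it generates an nftables ruleset that accepts inbound SMTP only from a set of trusted upstream relays and drops every other connection to port 25. The table name, set name and the two CIDRs are constructed placeholders; replace them with the addresses of your own MX hosts or smart hosts before applying the output.

```shell
#!/bin/sh
# Added example (not from the page or the Exim project): build an nftables
# ruleset that limits inbound TCP/25 to an allowlist of trusted relays.
# Table name, set name and the CIDRs below are assumptions for illustration.

# Constructed example allowlist: upstream relays that are allowed to talk SMTP to us.
TRUSTED_SMTP_SOURCES="192.0.2.10/32 198.51.100.0/24"

# Emit an nftables ruleset (as text) that accepts port 25 only from the
# given space-separated CIDRs and drops all other inbound SMTP connections.
# The chain policy stays "accept" so that only SMTP traffic is affected.
# Usage: build_smtp_allowlist_rules "<space-separated IPv4 CIDRs>"
build_smtp_allowlist_rules() {
    sources=$1
    echo "table inet smtp_guard {"
    echo "    set trusted_smtp {"
    echo "        type ipv4_addr"
    echo "        flags interval"
    printf "        elements = { "
    first=1
    for cidr in $sources; do
        if [ "$first" -eq 1 ]; then first=0; else printf ", "; fi
        printf "%s" "$cidr"
    done
    echo " }"
    echo "    }"
    echo "    chain input {"
    echo "        type filter hook input priority 0; policy accept;"
    echo "        tcp dport 25 ip saddr @trusted_smtp accept"
    echo "        tcp dport 25 counter drop"
    echo "    }"
    echo "}"
}

# Count how many allowlist entries a generated ruleset carries; a quick
# sanity check before loading the rules on a production mail host.
count_allowlisted() {
    build_smtp_allowlist_rules "$1" \
        | grep 'elements =' \
        | tr ',' '\n' \
        | grep -c '/'
}

# Print the ruleset when run directly. To load it on a host:
#   build_smtp_allowlist_rules "$TRUSTED_SMTP_SOURCES" | nft -f -
build_smtp_allowlist_rules "$TRUSTED_SMTP_SOURCES"
```

The generated table only governs IPv4; a host that accepts mail over IPv6 needs a parallel `ipv6_addr` set and rule. The `counter` on the drop rule makes blocked connection attempts visible in `nft list ruleset`, which is useful for confirming the restriction is actually catching traffic while the servers remain unpatched.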
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: