Security researchers find 21 vulnerabilities in email server software Exim
Qualys security researchers have found a series of vulnerabilities in the email server software Exim: 21 in total, collectively known as 21Nails. They can be exploited locally or remotely.
Of the 21 bugs in Exim, eleven can be exploited locally, and ten can also be exploited remotely. In some cases the result is local privilege escalation; in other cases it is the ability to create or delete files. Qualys warns that the various bugs can be chained together to achieve full, unauthenticated remote code execution.
Some of the bugs are already quite old. CVE-2020-28017, for example, dates from an Exim version from 2014. According to Qualys, the vulnerabilities affect all Exim versions prior to 4.94.1. The company contacted Exim's maintainers in October. Exim has since released patches and advises administrators to apply them as soon as possible.
Exim is popular software for running mail servers, estimated to run on 3.6 million servers. In 2019, vulnerable servers were already attacked through a vulnerability that gave root access via ssh.
CVE | Vulnerability | Exploitable |
CVE-2020-28007 | Link attack in Exim's log directory | Local |
CVE-2020-28008 | Attack in spool directory | Local |
CVE-2020-28014 | Arbitrary file creation | Local |
CVE-2021-27216 | Arbitrary file deletion | Local |
CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
CVE-2020-28015 | Newline injection in spool header file | Local |
CVE-2020-28012 | Missing close-on-exec flag | Local |
CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
CVE-2020-28021 | Newline injection in spool header file | Remote |
CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
CVE-2020-28019 | Missing function pointer reset after BDAT error | Remote |
CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |
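To act on the version advice above, here is an added Python check (not from the article, Qualys or the Exim project) that parses the first line of `exim -bV` output and reports whether the installed release is older than the version the article names as unaffected. It assumes the banner format "Exim version X.Y.Z"; distributions often backport fixes without bumping that number, so an "affected" verdict means "consult your vendor's advisory", not proof of exposure.

```python
import re
import subprocess
from typing import Optional, Tuple

# First unaffected version as stated in the article; distributions may
# backport the 21Nails fixes without changing this number.
FIXED_VERSION = "4.94.1"

_BANNER_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the first line of `exim -bV` output."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def version_tuple(ver: str) -> Tuple[int, int, int]:
    """Normalise a dotted version string such as '4.94' to a 3-tuple."""
    parts = [int(p) for p in ver.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(banner: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the banner reports a version older than `fixed`; None if unparseable."""
    v = parse_exim_version(banner)
    if v is None:
        return None
    return v < version_tuple(fixed)


def check_local_exim(fixed: str = FIXED_VERSION) -> Optional[bool]:
    """Run `exim -bV` on this host and evaluate its banner (needs Exim installed)."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_affected(out, fixed)


if __name__ == "__main__":
    # Constructed sample banners, not output from real hosts.
    for sample in ("Exim version 4.92 #3 built 01-Jan-2020", "Exim version 4.94.2 #2 built 20-Apr-2021"):
        print(sample.split(" #")[0], "->", "affected" if is_affected(sample) else "not affected")
```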