Critical 21Nails Exim Bug Exposes Millions of Email Servers

Joe Griffiths
Blue Team Leader, CyberGuard Technologies

CyberGuard has recently been alerted to a new series of vulnerabilities affecting Exim Mail Servers, with these vulnerabilities publicly disclosed on 4 May 2021.

Exim is a popular mail transfer agent (MTA) used on Unix-based operating systems, with approximately 60% of the publicly accessible mail servers running the software at this time, with an open source search revealing nearly 3.5 million Exim servers that are vulnerable and online.

The “21Nails” Bug, exposes 21 different vulnerabilities in Exim, 11 that require local access and 10 that can be exploited remotely.

A summary of the vulnerabilities in Exim, that can be exploited by 21Nails, is listed below.

Local vulnerabilities:

  • CVE-2020-28007: Link attack in Exim's log directory
  • CVE-2020-28008: Assorted attacks in Exim's spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local)
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()



Many of these vulnerabilities are yet to be assigned a priority-based score (CVSS), however after initial evaluation CyberGuard recommends that particular care is made with CVE-2020-28018, which allows for a server to be compromised through the use of default settings when the Exim server is built with OpenSSL.

Recommendation

The maintainers of Exim have released patches to remediate the security vulnerability set disclosed in its software and as a result CyberGuard highly recommends patching all Unix-based Exim Mail Servers to version 4.94.2 as a priority.