What is Exim Mail? #
Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.
Latest Exim Mail vulnerability #
On September 27th 2023, Trend Micro's Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account. In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:
- CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
- CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
- CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
- CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)
Are updates available? #
Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities, if you are running Exim mail servers on your network, you should apply the security patch immediately.
How do I find potentially vulnerable Exim mail servers with runZero? #
A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.
With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.
product:exim
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
