SecuMail-Blog

Critical security vulnerabilities in Exim mail software

Having received several inquiries about the current Exim security vulnerabilities, we would like to inform all interested parties here and explain why SecuMail protects against the Exim exploits.

Where is Exim used?

Exim is a very common mail transfer agent (MTA) that is used in particular by security and antispam services (including the Sophos Security Appliance), as well as by freemailers and on Linux servers. Exim is also the default MTA installed on Debian servers, and many major hosting providers (e.g. Hetzner, Strato) pre-install it on root servers.

Why are these vulnerabilities so dangerous?

Qualys reports that, according to a recent survey, about 60% of mail servers on the Internet use Exim. It is estimated that around 4 million Exim installations are currently directly reachable from the Internet and are therefore exposed. About half of the 21 known vulnerabilities allow an attacker on the Internet to execute code on such a server and gain root privileges. The vulnerabilities have apparently been present for many years, but were only recently found during a security audit.

What security vulnerabilities are involved?

The vulnerabilities affect all Exim servers running a version older than 4.94.2. There are currently 21 known security vulnerabilities, collectively called “21Nails”. Of these, 11 can be exploited locally and 10 via the network (!).

The 10 remotely exploitable vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

Does SecuMail protect against this?

As far as is known so far, these vulnerabilities can only be exploited via a direct SMTP connection to the Exim service. If SecuMail (or another MX-based gateway service) is placed in front of the Exim server, attacks come to nothing, even if the vulnerabilities have not yet been patched. The prerequisite is that your firewall is configured so that SMTP connections are only accepted from the SecuMail servers.

SecuMail itself uses different MTA software and is therefore not vulnerable.

How else can you protect yourself?

We recommend immediately patching all Exim installations whose ports are directly accessible from the Internet. Patches should be available for the common Linux distributions. For a security appliance in your server room, or for a server at your hosting provider, you must check the situation with the respective manufacturer or hoster.
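As an added example (not part of the original post), the following Python check reads the first line printed by `exim -bV` and reports whether the installation falls into the affected range, i.e. is older than 4.94.2. The sample version lines are constructed but follow Exim's real output format; the script assumes that the `exim` binary is on the PATH.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed upstream release named in the 21Nails advisory linked below.
# Fourth element: 0 = release candidate, 1 = final release, so that
# "4.94.2_RC1" sorts below "4.94.2".
FIXED_VERSION = (4, 94, 2, 1)

# `exim -bV` starts with a line such as (constructed sample, real format):
#   Exim version 4.94.2 #2 built 12-May-2021 10:00:00
VERSION_RE = re.compile(
    r"Exim version (\d+)\.(\d+)(?:\.(\d+))?(?P<rc>[._-]?RC\d+)?",
    re.IGNORECASE,
)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, final) from `exim -bV` output.

    A missing patch level counts as 0 (e.g. "4.92" -> 4.92.0). Distribution
    package revisions such as "-3" are ignored, because only the upstream
    number matters for the 4.94.2 threshold. Returns None if no version line
    is present.
    """
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch, 0 if m.group("rc") else 1)


def is_affected_by_21nails(version: Tuple[int, int, int, int]) -> bool:
    """True if the upstream version is older than 4.94.2."""
    return version < FIXED_VERSION


def check_local_exim() -> str:
    """Run `exim -bV` on this host and classify the result."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "exim not installed"
    ver = parse_exim_version(out)
    if ver is None:
        return "could not determine Exim version"
    label = "AFFECTED (older than 4.94.2)" if is_affected_by_21nails(ver) else "not affected by version"
    return f"Exim {ver[0]}.{ver[1]}.{ver[2]}: {label}"


if __name__ == "__main__":
    print(check_local_exim())
```

Distributions often backport security fixes without changing the upstream version number, so an "AFFECTED" result is a first indication to compare against your distribution's advisory, not a final verdict.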

If you have any questions or requests, we will of course be happy to assist you. Contact us by e-mail at support@secumail.de or by phone at +49 (0) 8171-246920!

Sources:

https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-216469.pdf
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
https://www.qualys.com/2021/05/04/21nails/21nails.txt
https://github.com/lmol/CVE-2020-28018
