Maksim Kabakou - Fotolia
Cloud security vendor Qualys discovered 21 vulnerabilities in popular mail transfer agent Exim, 10 of which can be executed remotely.
In the blog post Tuesday disclosing the vulnerabilities, Qualys senior manager of vulnerability and threat research Bharat Jogi wrote that "some [of the vulnerabilities] can be chained together to obtain full remote unauthenticated code execution and gain root privileges." Cumulatively named "21Nails," the Exim vulnerabilities were discovered in a code audit conducted by Qualys last fall, except for one that was discovered in February.
Jogi wrote that most of the vulnerabilities discovered by Qualys impact all Exim versions "going back all the way to 2004," meaning that most vulnerabilities have been present for 17 years. He also pointed out that there are millions of known exposed Exim servers, according to a Shodan search, and a SecuritySpace survey from March estimated that 60% of visible mail servers utilize Exim.
The blog includes a proof-of-concept video as well as a list of CVEs and a timeline of events. While 10 of the vulnerabilities can be executed remotely, 11 require local access.
According to the timeline, the first vulnerabilities were reported on Oct. 20 of last year to maintainers of the open source mail transfer agent. The Qualys research team worked closely with Exim maintainers over the following months in reporting security issues, reviewing patches and working on their own patches.
Jogi told SearchSecurity in an email that every vulnerability has been patched, and that Qualys created 26 patches for Exim. He also said that while Qualys has not seen any exploitation of the 21Nails vulnerabilities firsthand, they are old enough that "there is good chance they could be exploited by nation state actors."
Exim users have had an ongoing issue with patching vulnerabilities, as one 2019 remote code execution flaw, CVE-2019-10149, was reportedly exploited by Russian APT sandworm at least as recently as last summer. Several security vendors and researchers noted that several hundred thousand Exim email servers had not patched CVE-2019-10149, which was also discovered by Qualys, and were exposed on the internet.
Alexander Culafi is a writer, journalist and podcaster based in Boston.