
21 Exim Mail Server Vulnerabilities Leave Web and Cloud Operations Exposed

Promotional license plate issued by Digital Equipment Corporation to promote the UNIX operating system. Twenty-one vulnerabilities have been discovered in Exim Internet Mailer, a popular mail transfer agent (MTA) available for major Unix-like operating systems. (KHanger/CC BY 3.0/https://commons.wikimedia.org/wiki/File:UNIX-Licence-Plate.JPG)

Researchers released a study on Tuesday that found 21 unique vulnerabilities in the Exim mail server, some of which can be chained together to achieve full remote unauthenticated code execution and gain root privileges.

In a blog post, the Qualys research team said that these vulnerabilities affect many organizations, as roughly 60% of the mail servers reachable on the Internet run Exim. A Shodan search run by Qualys revealed that nearly 4 million Exim servers are exposed to the Internet.

Security professionals should also note that cloud-hosted Exim servers can be exploited, said Parag Bajaria, vice president of cloud and container security solutions at Qualys.

“There are many exploits an attacker can execute in the cloud once they gain root privileges on the virtual machine hosting the Exim server,” Bajaria said. “According to the location of the Exim server, there is another possibility of lateral movement. And if the virtual machine that hosts an Exim server has associated IAM permissions, those permissions can be further exploited for data exfiltration and IAM privilege escalation.”

Exim Internet Mailer has become a popular mail transfer agent (MTA) available for major Unix-like operating systems and pre-installed on Linux distributions such as Debian.

According to Qualys, 10 of the vulnerabilities are exploitable remotely, some of them yielding root privileges on the target system. The other 11 are exploitable locally, and most of those work either in Exim's default configuration or in a very common one.
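Before patching, most teams first need to know which of their own hosts are exposed. The script below is an added example, not code from the article or from Qualys: it parses the version that Exim advertises in its SMTP greeting (the same banner a Shodan search keys on) and flags anything older than the release that shipped the fixes. The patched version constant is an assumption taken from the Exim advisory (4.94.2); confirm it against the current advisory. The hostnames and banner lines are constructed sample input, and `fetch_banner` is included for live use but is not exercised by the sample.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Assumed fixed release: Exim 4.94.2 shipped the fixes for the Qualys findings.
# Verify against the current Exim/Qualys advisory before relying on this.
PATCHED_VERSION = (4, 94, 2)

# Exim's default greeting looks like:
#   220 mx.example.test ESMTP Exim 4.93 Tue, 04 May 2021 10:00:00 +0000
# "220-" covers multi-line greetings; the patch component is optional (4.95).
BANNER_RE = re.compile(
    r"^220[ -]\S+\s+ESMTP\s+Exim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE
)

def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an SMTP greeting, or None if not Exim."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable_version(version: Tuple[int, int, int],
                          patched: Tuple[int, int, int] = PATCHED_VERSION) -> bool:
    """Tuple comparison orders 4.94.1 < 4.94.2 < 4.95 correctly."""
    return version < patched

def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect, read the greeting, say QUIT. Returns the first greeting line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(4096).decode("utf-8", errors="replace")
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return data.splitlines()[0] if data else ""

def triage_banners(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'needs-patch' | 'patched' | 'not-exim-or-unparsed'."""
    results = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            results[host] = "not-exim-or-unparsed"
        elif is_vulnerable_version(version):
            results[host] = "needs-patch"
        else:
            results[host] = "patched"
    return results

# Constructed sample greetings (hostnames and dates are made up).
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.93 Tue, 04 May 2021 10:00:00 +0000",
    "mx2.example.test": "220-mx2.example.test ESMTP Exim 4.94.2 Tue, 04 May 2021 10:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Postfix",
    "mx4.example.test": "220 mx4.example.test ESMTP Exim 4.95 Tue, 04 May 2021 10:00:00 +0000",
}

if __name__ == "__main__":
    for host, status in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

Two caveats apply to any banner-based inventory. The greeting is configurable (`smtp_banner`), so a server that hides its version shows up as unparsed rather than safe, and distribution packages often backport fixes without bumping the upstream version string, so a host reported as "needs-patch" should be confirmed with `exim -bV` and the distribution's changelog before anyone is paged.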

MTAs have become attractive targets for attackers, the researchers say, because they are usually accessible over the Internet. “Once exploited, they could alter sensitive email settings on email servers and allow adversaries to create new accounts on target email servers,” the researchers said. “Last year, the Exim mail transfer agent vulnerability was targeted by Russian cyber actors officially known as the Sandworm Team.”

“The Exim vulnerability further illustrates that organizations need to adopt a layered defense strategy,” said Vishal Jain, co-founder and chief technology officer at Valtix.

“Cloud infrastructure providers don’t guard against remote execution of customer applications,” Jain said. “Cloud operations and security teams often carry this responsibility. It is imperative that enterprises protect applications in the public cloud from inbound threats with best-practice network security for inbound, outbound, east-west, and DNS traffic. Network security provides a strong defense against remote execution vulnerabilities, like what you find with Exim.”