The world's most widely used mail server affected by a critical security flaw

A security flaw affecting millions of Exim servers could let remote attackers execute arbitrary code with root privileges.

The Exim team disclosed in an advisory that every Exim installation running version 4.92.1 or earlier is vulnerable, and released version 4.92.2 to fix the flaw.

If you are unfamiliar with Exim, it is a mail transfer agent (MTA): the software that runs in the background on a mail server. Besides sending and receiving messages for its own users, a mail server also relays email on behalf of other systems, and the MTA handles that routing.

Exim is currently the most widely deployed MTA, in large part because it is packaged by many popular Linux distributions, including Debian (where it is the default MTA) and Red Hat.

Exim vulnerability

If an Exim server is configured to accept incoming TLS connections, an attacker can start a TLS handshake whose Server Name Indication (SNI) value ends in a backslash-null sequence (a backslash followed by a NUL byte). Exim mishandles that trailing escape when it later processes the name, and the attacker can exploit this to execute arbitrary code with root privileges. The flaw is in Exim's own handling of the value, so it applies regardless of whether the server was built against GnuTLS or OpenSSL.

A security researcher using the handle Zerons discovered the flaw and reported it to the Exim team in July. Because of its severity and the number of servers likely to be exposed, the team developed the fix privately, under embargo, before disclosing it.

Short of patching, the only mitigation is to stop offering TLS on the Exim server. That is not a realistic option for most deployments: it forces message traffic to travel in plain text, exposing it to interception. If you operate an Exim server and are subject to the GDPR, this workaround is especially inadvisable, since the resulting data exposure could lead to fines.

TLS is not enabled in a default Exim configuration, but the Exim packages that ship with Linux distributions do enable it by default, as do the Exim instances bundled with cPanel. cPanel has already integrated the Exim patch into an update that it has started rolling out to customers.

If you are unsure whether your Exim servers offer TLS, install the patched version anyway: upgrading to 4.92.2 or later is the only way to fully close the vulnerability.
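As an added example (not code from the Exim project or from the original article), the script below automates the two questions raised above: is the host running an upstream version below 4.92.2, and does it advertise STARTTLS to clients? It parses the output of the real `exim -bV` command and a standard SMTP EHLO reply; the sample `exim -bV` text and EHLO reply embedded in it are constructed for offline use, and the hostname `mx.example.test` and the `probe_ehlo` helper are illustrative assumptions. The exploitable combination is an unpatched version that also offers TLS.

```python
"""Check an Exim host for the TLS/SNI flaw: unpatched version plus STARTTLS."""
import re
import socket
import subprocess
import sys

# First upstream release carrying the fix, per the advisory described above.
FIXED_VERSION = (4, 92, 2)

# Constructed sample inputs (not captured from a real host) so the
# checks can be exercised offline.
SAMPLE_BV_OUTPUT = """Exim version 4.92.1 #3 built 01-Aug-2019 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL TCPwrappers DKIM
Configuration file is /etc/exim4/exim4.conf
"""
SAMPLE_EHLO_REPLY = """250-mx.example.test Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""


def parse_exim_version(bv_output):
    """Return (major, minor, patch) from `exim -bV` text, or None if absent.
    A two-part version such as 4.92 is treated as patch level 0."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(version):
    """Upstream versions below 4.92.2 are affected."""
    return tuple(version) < FIXED_VERSION


def advertises_starttls(ehlo_reply):
    """True if a 250 EHLO reply lists the STARTTLS extension.
    Continuation lines start with '250-', the final line with '250 '."""
    return any(re.match(r"250[- ]STARTTLS\s*$", line, re.IGNORECASE)
               for line in ehlo_reply.splitlines())


def assess(bv_output, ehlo_reply):
    """Combine both signals: exploitable only if the version is unpatched
    AND the server offers TLS to clients."""
    version = parse_exim_version(bv_output)
    vuln = version is not None and is_vulnerable_version(version)
    tls = advertises_starttls(ehlo_reply)
    return {"version": version, "vulnerable_version": vuln,
            "tls_advertised": tls, "exposed": vuln and tls}


def _read_reply(f):
    """Read one SMTP reply: every 'NNN-' continuation line up to 'NNN '."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def probe_ehlo(host, port=25, helo_name="probe.example", timeout=5.0):
    """Live network check (assumed helper): fetch a server's EHLO reply.
    Used only from the command line below, never by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _read_reply(f)                      # 220 greeting banner
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    # Usage: python exim_check.py [mail-host]
    # Runs `exim -bV` locally (falls back to the sample if exim is absent)
    # and probes the given host for STARTTLS.
    try:
        bv = subprocess.run(["exim", "-bV"], capture_output=True,
                            text=True).stdout
    except FileNotFoundError:
        bv = SAMPLE_BV_OUTPUT
    ehlo = probe_ehlo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EHLO_REPLY
    print(assess(bv, ehlo))
```

Two caveats when using this against real hosts: distribution packages often backport security fixes while keeping the upstream version string (and Debian installs the binary as `exim4`), so a "vulnerable" version result should be confirmed against your vendor's advisory or package changelog; and a server that does not advertise STARTTLS on port 25 may still accept implicit TLS on port 465, so probe every port on which the server offers TLS.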

Via ZDNet