ALERT — New 21Nails Exim Bugs Expose Hundreds of thousands of Electronic mail Servers to Hacking

The maintainers of Exim have released patches to remediate as many as 21 safety vulnerabilities in its software program that might allow unauthenticated attackers to realize full distant code execution and acquire root privileges.

Collectively named ’21Nails,’ the failings embody 11 vulnerabilities that require native entry to the server and 10 different weaknesses that may very well be exploited remotely. The problems have been found by Qualys and reported to Exim on Oct. 20, 2020.

“A few of the vulnerabilities will be chained collectively to acquire a full distant unauthenticated code execution and acquire root privileges on the Exim Server,” Bharat Jogi, senior supervisor at Qualys, stated in public disclosure. “Many of the vulnerabilities found by the Qualys Analysis Group for e.g. CVE-2020-28017 impacts all variations of Exim going again all the way in which to 2004.”

password auditor

Exim is a well-liked mail switch agent (MTA) used on Unix-like working techniques, with over 60% of the publicly reachable mail servers on the Web operating the software program. A Shodan search reveals almost 4 million Exim servers which can be uncovered on-line.

A fast abstract of the 21 bugs is listed beneath. If efficiently exploited, they may very well be used to tweak electronic mail settings and even add new accounts on the compromised mail servers. Technical specifics concerning the flaws will be accessed here.

Native vulnerabilities:

  • CVE-2020-28007: Hyperlink assault in Exim’s log listing
  • CVE-2020-28008: Assorted assaults in Exim’s spool listing
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in predominant()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (native)
  • CVE-2020-28012: Lacking close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Distant vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds learn in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (distant)
  • CVE-2020-28022: Heap out-of-bounds learn and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset operate pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds learn in pdkim_finish_bodyhash()

In gentle of the latest Microsoft Exchange server hacks, it is crucial the patches are utilized instantly, as electronic mail servers have emerged as a profitable goal for espionage campaigns. Previously, flaws in Exim software program have been actively exploited by dangerous actors to mount a wide range of assaults, together with deploying a Linux worm to put in cryptocurrency miners on affected servers.

Final Could, the U.S. Nationwide Safety Company (NSA) warned that Russian navy operatives, publicly often known as Sandworm Group, have been profiting from a distant code execution vulnerability tracked as CVE-2019-10149 (aka The Return of the WIZard) to “add privileged customers, disable community safety settings, execute extra scripts for additional community exploitation” at the very least since August 2019.

The NSA called it an “attacker’s dream entry.”

“Mail Switch Brokers are attention-grabbing targets for attackers as a result of they’re often accessible over the web,” Jogi stated. “As soon as exploited, they might modify delicate electronic mail settings on the mail servers, permit adversaries to create new accounts on the goal mail servers.”

Source link