Warning: Multiple Zero-day Vulnerabilities Found in Exim Message Transfer Agent (MTA)
Exim Message Transfer Agent (MTA)
Remote Code Execution (RCE)
CVE-2023-42115: 9.8 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-42116: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-42117: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-42118: 7.5 (CVSS3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerabilities require a non-default configuration to be exploited. Whether you are vulnerable depends on the setup of your specific environment. Check whether you are using any of the affected modules!
Multiple zero-day vulnerabilities have been found in the Exim Message Transfer Agent (MTA). These vulnerabilities could allow an unauthenticated remote attacker to potentially gain Remote Code Execution (RCE) without user interaction, and lead to a compromise of your server.
Exim MTA is popular mail software for Unix-like operating systems, and the default MTA on Debian Linux.
Six different zero-day vulnerabilities were identified in Exim MTA. Four have a score of 7.5 or higher. Three vulnerabilities are related to authentication. Whether your system is vulnerable depends on the modules that are in use.
CVE-2023-42115 (CVSS 9.8): An out-of-bounds write remote code execution vulnerability in the external authentication module.
CVE-2023-42116 (CVSS 8.1): SMTP challenge stack-based buffer overflow in the SPA (NTLM) authentication module.
CVE-2023-42117 (CVSS 8.1): Improper neutralization of special elements in the proxy-protocol module when using Exim MTA behind an untrusted proxy protocol (not SOCKS).
CVE-2023-42118 (CVSS 7.5): An integer underflow in libspf2 when parsing SPF macros in ACLs.
The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions:
- Verify whether you are using any of the affected modules in Exim MTA.
- Update Exim MTA to version exim-4.96.1 or newer if the update is available for your system.
- Apply the recommended mitigations if no update is available: disable the affected modules.
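One way to carry out the first action, as an added example (not code from the Centre for Cyber Security Belgium or the Exim project): a shell function that reports the configuration lines enabling the four affected modules. It assumes the modules are enabled through the standard Exim settings `driver = external`, `driver = spa`, `hosts_proxy` and the `spf` / `spf_guess` conditions; the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: report Exim configuration lines that enable the modules named
# in the advisory. Reads configuration text from the files given as arguments,
# or from stdin when none are given. Output: CVE <TAB> module <TAB> line.
check_exim_config() {
    awk '
    function hit(cve, what) { printf "%s\t%s\tline %d: %s\n", cve, what, FNR, line }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next            # blank line or comment
        if (line ~ /^driver[ \t]*=[ \t]*external$/)    hit("CVE-2023-42115", "external authenticator")
        if (line ~ /^driver[ \t]*=[ \t]*spa$/)         hit("CVE-2023-42116", "SPA (NTLM) authenticator")
        if (line ~ /^hosts_proxy[ \t]*=[ \t]*[^ \t]/)  hit("CVE-2023-42117", "proxy protocol")
        if (line ~ /(^|[ \t])!?spf(_guess)?[ \t]*=/)   hit("CVE-2023-42118", "SPF via libspf2")
    }' "$@"
}

# Constructed sample configuration, for demonstration only. The SPA driver is
# commented out and must not be reported.
sample_config() {
    cat <<'EOF'
# driver = spa
hosts_proxy = 192.0.2.10
begin acl
acl_check_rcpt:
  deny    spf = fail
          message = rejected by sender policy
begin authenticators
ext_auth:
  driver = external
login_auth:
  driver = plaintext
EOF
}

sample_config | check_exim_config
```

A reported line means the module is configured, not that the host is unpatched; the installed version still has to be compared against exim-4.96.1.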
https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
https://www.zerodayinitiative.com/advisories/ZDI-23-1470/
https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
https://www.zerodayinitiative.com/advisories/ZDI-23-1472/