Lucene search

The Hacker NewsTHN:867E3443BD6CBE29C2C3460A79DE442F

HistoryJul 12, 2024 - 10:51 a.m.

Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments

2024-07-1210:51:00

The Hacker News

thehackernews.com

exim mail server

vulnerability disclosure

malicious attachments

cve-2024-39929

cvss score

version 4.98

remote attackers

mail transfer agent

unix os

attack surface management

public-facing servers

vulnerable instances

u.s.

russia

canada

filename extension blocking

censys

information disclosure

remote code execution

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

7.3

Confidence

Low

JSON

A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users’ inboxes.

The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98.

“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” according to a description shared on the U.S. National Vulnerability Database (NVD).

Exim is a free, mail transfer agent that’s used in hosts that are running Unix or Unix-like operating systems. It was first released in 1995 for use at the University of Cambridge.

Attack surface management firm Censys said 4,830,719 of the 6,540,044 public-facing SMTP mail servers are running Exim. As of July 12, 2024, 1,563,085 internet-accessible Exim servers are running a potentially vulnerable version (4.97.1 or earlier).

A majority of the vulnerable instances are located in the U.S., Russia, and Canada.

“The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users’ mailboxes,” it noted. “If a user were to download or run one of these malicious files, the system could be compromised.”

This also means that prospective targets must click on an attached executable for the attack to be successful. While there are no reports of active exploitation of the flaw, it’s essential that users move quickly to apply the patches to mitigate potential threats.

The development comes almost a year after the project maintainers a set of six vulnerabilities in Exim that could result in information disclosure and remote code execution.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.