A veritable cornucopia of security vulnerabilities in the Exim mail server has been uncovered, some of which could be chained together for unauthenticated remote code execution (RCE), root privileges and worm-style lateral movement, according to researchers.
The Qualys Research Team has discovered a whopping 21 bugs in the popular mail transfer agent (MTA), which was built to send and receive email on major Unix-like operating systems. It comes pre-installed on Linux distributions such as Debian, for instance.
"MTAs are interesting targets for attackers because they are usually accessible over the internet," according to the Qualys analysis, issued on Tuesday. "Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers," Qualys Senior Manager of Vulnerabilities Bharat Jogi said in a post.
Researchers said that according to a Shodan search, nearly 4 million Exim servers are directly exposed to the internet.
Of the 21 vulns, which Qualys collectively dubbed "21 Nails," 10 can be exploited remotely. Most can be exploited in either the default configuration or "in a very common configuration," according to Qualys, and most affect all versions of Exim going back to its inception in 2004.
"Exim Mail Servers are used so widely and handle such a large volume of the internet's traffic that they are often a key target for hackers," Jogi said, noting that last year, a vulnerability in Exim was a target of the Russian advanced persistent threat (APT) known as Sandworm.
He added, "The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system, allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts and change sensitive settings on the mail servers. It's imperative that users apply patches immediately."
Qualys researchers wrote and tested the patches, Jogi told Threatpost; the "official" patches from Exim are modified versions of those (those interested can review both for reference and comparison). Exim provided packagers and maintainers (including distros@openwall) with access to its security Git repository for updates.
As far as the patching status for various Linux distributions goes, Jogi said that the most widely used (CentOS, RHEL and SuSE) have already rolled out fixes. Debian, meanwhile, isn't vulnerable in the "oldstable" (codename Stretch), "stable" (Buster) or "still-in-development" (Sid) versions. However, the "unstable" (Bullseye) version is vulnerable and has not been patched as of the time of writing.
As for other distros, "It's hard to tell since there are hundreds of distributions, and it's their responsibility to be up-to-date," he told Threatpost.
As for in-the-wild exploitation, "we haven't seen evidence of exploitation of these vulnerabilities first-hand, but given that most of the vulnerabilities were introduced as far back as 2004, there is a good chance they could be exploited by nation-state actors," he added.
The remotely exploitable bugs are:
These are the local bugs:
According to the advisory, an unauthenticated, remote attacker could chain some of these together to create a potentially wormable exploit that would result in privilege escalation to root, resulting in the ability to execute commands to install programs, modify data and create new accounts.
Qualys is not releasing any full proof-of-concept exploits; however, it did provide various code blocks and plenty of technical details within its analysis.
Researchers said that the CVE-2020-28018 use-after-free bug is the most powerful vulnerability out of the 21. It's exploitable if the Exim server is built with OpenSSL, STARTTLS is enabled, PIPELINING is enabled (the default) and X_PIPE_CONNECT is disabled (the default before Exim 4.94).
It affects the tls_write() function in tls-openssl.c, according to Qualys, and can be exploited in various ways by remote attackers using a struct gstring (server_corked) and its string buffer (server_corked->s):
Another vulnerability of note is CVE-2020-28020, an integer overflow that allows an unauthenticated remote attacker to execute arbitrary commands as the "exim" user and snoop on data.
It exists in the receive_msg() function, researchers said, and while powerful, it's also the most difficult to exploit of the 21 Nails group: it requires three separate mails to be sent to a target within the same SMTP session.
"By default, Exim limits the size of a mail header to 1MB," according to the advisory. "Unfortunately, an attacker can bypass this limit by sending only continuation lines (i.e., '\n' followed by ' ' or '\t'), thereby overflowing the integer header_size."
However, "when the integer header_size overflows, it becomes negative…but we cannot exploit the resulting back-jump…because the free size of the current memory block also becomes negative…which prevents us from writing to this back-jumped memory block," researchers explained. "To overflow the integer header_size, we must send 1GB to Exim: Consequently, our exploit must succeed after only a few tries (in particular, we cannot brute-force ASLR)."
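The continuation-line bypass and the wrap of header_size to a negative value, as an added illustration (a simplified Python model, not Exim's code): where exactly Exim places its limit check is an assumption here, and the hardened counter shows the accounting a fix needs.

```python
# Added example, not Exim's code: a simplified model of the header-size
# accounting the advisory describes. The exact placement of Exim's check is
# an assumption; the point is that a limit enforced only when a new header
# field starts can be slipped past by continuation lines until a signed
# 32-bit counter wraps negative.

MAX_HEADER_SIZE = 1 << 20                    # the 1MB default limit quoted above
INT32_MAX = (1 << 31) - 1

def to_int32(n: int) -> int:
    """Wrap an unbounded Python int the way a C 'int' wraps on overflow."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n > INT32_MAX else n

def weak_header_counter(lines):
    """Flawed accounting: lines arrive as (is_continuation, length) pairs; the
    limit is compared only on lines that start a new header field, so
    continuation lines (leading ' ' or '\\t') accumulate unchecked.
    Returns (accepted, header_size)."""
    header_size = 0
    for is_continuation, length in lines:
        header_size = to_int32(header_size + length)
        if not is_continuation and header_size > MAX_HEADER_SIZE:
            return False, header_size
    return True, header_size

def hardened_header_counter(lines):
    """Fixed accounting: every line counts, and the comparison happens on an
    unbounded value before anything is stored, so it can neither be bypassed
    by continuation lines nor wrapped."""
    header_size = 0
    for _is_continuation, length in lines:
        header_size += length
        if header_size > MAX_HEADER_SIZE:
            return False, header_size
    return True, header_size

def constructed_stream(chunk=1 << 20, count=(1 << 11) + 1):
    """Constructed input (lengths only, no data is allocated): one short
    header line followed by enough 1MB continuation lines to push the total
    past INT32_MAX."""
    yield (False, 30)
    for _ in range(count):
        yield (True, chunk)

if __name__ == "__main__":
    print("weak:    ", weak_header_counter(constructed_stream()))      # (True, -2146435042)
    print("hardened:", hardened_header_counter(constructed_stream()))  # (False, 1048606)
```

Once the weak counter has gone negative, a following non-continuation line still passes the `> MAX_HEADER_SIZE` comparison, which is the "negative size" condition the advisory's allocator discussion turns on.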
Either of these vulnerabilities can be used by unauthenticated attackers to gain initial access as the "exim" user on the mail server. Once that's achieved, a bouquet of local privilege escalation (LPE) flaws is on offer to gain full root privileges.
The privilege-escalation options include CVE-2020-28007, which allows a link attack in Exim's log directory.
The Exim binary is set-user-ID-root, and Exim operates as root in its log directory, which belongs to the "exim" user. So, an attacker with the privileges of the "exim" user can create a symlink (or a hardlink) in the log directory, append arbitrary contents to an arbitrary file and escalate permissions, according to Qualys.
Adversaries could also use CVE-2020-28008 for assorted attacks in Exim's spool directory, researchers noted. These vectors include directly writing to a spool header file (in the "input" subdirectory); creating a long-named file in the "db" subdirectory to overflow a stack-based buffer; or creating a symlink (or a hardlink) in the "db" subdirectory to take ownership of an arbitrary file.
Other options for LPE to root are CVE-2020-28011 and CVE-2020-28013, both heap buffer-overflow issues; CVE-2020-28010 and CVE-2020-28016, both heap out-of-bounds writes; or CVE-2020-28009, an integer overflow in get_stdinput().
Most of the vulnerabilities in the advisory are easy-to-exploit memory corruptions that can get around various protections such as ASLR, NX and malloc hardening, according to Qualys.
"Exim's memory allocator…unintentionally provides attackers with powerful exploit primitives," researchers said. "In particular, if an attacker can pass a negative size to the allocator (through an integer overflow or direct control), then store_get() believes that the current block of memory is large enough (because size is negative), and…as a result, store_get()'s caller can overflow the current block of memory."
As a result, the next memory allocation can overwrite the beginning of Exim's heap. This is "a relative write-what-where, which naturally bypasses ASLR (a 'backward-jump' or 'back-jump')," according to the analysis.
Because of this, some of the bugs in the writeup can be MacGyvered into arbitrary code execution.
"The beginning of the heap contains Exim's configuration, which includes various strings that are passed to expand_string() at run time," researchers explained. "Consequently, an attacker who can back-jump can overwrite these strings with '${run{…}}' and execute arbitrary commands (thus bypassing NX)."
One other interesting bug is CVE-2020-28021, a new-line injection into the spool header file that also allows RCE when chained with other issues.
"An authenticated SMTP client can add an AUTH= parameter to its MAIL FROM command. This AUTH= parameter is decoded by auth_xtextdecode() and the resulting authenticated_sender is written to the spool header file without encoding or escaping," according to the advisory. "Unfortunately, authenticated_sender can contain arbitrary characters, so an authenticated remote attacker can inject new lines into the spool header file and execute arbitrary commands, as root."
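The decode-then-write path described above, as an added example (not Exim's code): an RFC 3461 xtext decoder of the kind the AUTH= parameter needs, the unsafe line-oriented write beside a hardened one that rejects control characters before anything reaches the file. The "-name value" record layout and the key name "sender" are illustrative, not Exim's spool format.

```python
import re

# Added example, not Exim's code: decode an RFC 3461 xtext value (the encoding
# of the MAIL FROM AUTH= parameter), then contrast a writer that drops the
# decoded bytes into a line-oriented record with one that validates first.
# The "-name value" record layout and the key name "sender" are illustrative.

_HEX2 = re.compile(r"[0-9A-F]{2}")

def xtext_decode(s: str) -> bytes:
    """xtext: printable ASCII 33..126 except '+' and '='; '+HH' is one byte."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "+":
            hex2 = s[i + 1:i + 3]
            if not _HEX2.fullmatch(hex2):
                raise ValueError(f"bad xtext escape at offset {i}")
            out.append(int(hex2, 16))
            i += 3
        elif 33 <= ord(c) <= 126 and c != "=":
            out.append(ord(c))
            i += 1
        else:
            raise ValueError(f"illegal xtext character at offset {i}")
    return bytes(out)

def record_unsafe(name: str, value: bytes) -> bytes:
    """Weak form: the decoded value goes straight into the record, so a '+0A'
    (LF) in the input ends the record early and the remainder reads back as a
    separate record."""
    return b"-" + name.encode("ascii") + b" " + value + b"\n"

def has_control_chars(value: bytes) -> bool:
    """True if value contains CR, LF, NUL or any other C0/DEL control byte."""
    return any(b < 0x20 or b == 0x7F for b in value)

def record_safe(name: str, value: bytes) -> bytes:
    """Hardened form: refuse control characters; rejecting beats silent stripping."""
    if has_control_chars(value):
        raise ValueError("control character in decoded AUTH= value")
    return record_unsafe(name, value)

def auth_param_to_record(param: str):
    """Decode, validate, build; None means the caller should reject and log."""
    try:
        return record_safe("sender", xtext_decode(param))
    except ValueError:
        return None
```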
This vulnerability is particularly problematic for ISPs and mail providers that deploy Exim and offer mail accounts but not shell accounts, researchers added; and, it can be chained with an authentication bypass such as CVE-2020-12783, discovered by Orange Tsai in May 2020, for a full RCE-plus-LPE attack. Further, it can be used for information disclosure.
blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
bugs.exim.org/show_bug.cgi?id=2571
en.wikipedia.org/wiki/List_of_Linux_distributions
security-tracker.debian.org/tracker/source-package/exim4
threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/
www.qualys.com/2021/05/04/21nails/21nails.patch
www.qualys.com/2021/05/04/21nails/21nails.txt
www.shodan.io/