Critical flaw in Exim MTA could allow to deliver malware to users’ inboxes


Pierluigi Paganini
July 12, 2024

A critical vulnerability in the Exim mail server allows attackers to deliver malicious executable attachments to users’ mailboxes, bypassing the attachment filtering administrators rely on.

Attackers can exploit a critical security flaw, tracked as CVE-2024-39929 (CVSS score of 9.1), in the Exim mail transfer agent to deliver malicious attachments to target users’ inboxes.

Exim is a widely used Mail Transfer Agent (MTA) designed to route, deliver, and receive email messages. Developed initially for Unix-like systems, Exim is known for its flexibility and configurability, allowing administrators to customize its behavior extensively through configuration files.

Exim versions up to and including 4.97.1 misparse a filename that arrives as a multiline RFC 2231 header parameter, that is, a filename split into continuation segments (filename*0, filename*1, ...) across folded header lines. Because the extension-blocking check that administrators write against the $mime_filename variable then sees the misparsed name rather than the real one, a remote attacker can send an executable attachment whose true extension is never matched, and the message is delivered to the user's mailbox.

The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been fixed in version 4.98, and upgrading is the remediation: since the flaw lies in Exim's own MIME parsing, a filename-based ACL rule cannot reliably compensate for it.

“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” read the advisory.
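To make the misparse described above concrete, here is an added example in Python. It is not Exim's code, and its "naive" parser is a hypothetical stand-in for the bug class the advisory describes, not a reproduction of Exim's actual parser. The example builds a constructed message with two attachments whose filenames are split into RFC 2231 continuation segments on folded header lines: the first in the plain quoted-string form, the second in the charset-extended form (filename*0*=utf-8''...), which goes beyond the single case the advisory mentions. A parser that reads only the first segment sees invoice.pd and utf-8''report, neither of which matches an .exe blocklist; Python's RFC 2231-aware email package reassembles them into invoice.pdf.exe and report.exe, which the same blocklist catches. The message, the blocklist pattern and all names are constructed for the example.

```python
"""Added example: an RFC 2231 continuation filename split across folded
header lines, seen by a naive parser and by an RFC 2231-aware one.
The naive parser is a hypothetical illustration of the bug class the
advisory describes, not Exim's source code."""
import email
import re

# Constructed sample message (not a real capture): two attachments whose
# ".exe" extension only appears once the filename*N segments are joined.
RAW_MESSAGE = b"""\
From: sender@example.test
To: victim@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
\tfilename*0="invoice.pd";
\tfilename*1="f.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
\tfilename*0*=utf-8''report;
\tfilename*1*=%2Eexe
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Extension blocklist of the kind an administrator keys off $mime_filename
# (pattern chosen for the example).
BLOCKED_EXT = re.compile(r"\.(exe|pif|bat|scr|com)$", re.IGNORECASE)

# Matches only the first "filename..." parameter and stops at ';' or '"',
# so continuation segments (filename*1, filename*2, ...) are never seen.
FIRST_SEGMENT = re.compile(
    r'filename(?:\*\d+)?\*?\s*=\s*"?([^";\r\n]*)"?', re.IGNORECASE)


def naive_filename(part):
    """Hypothetical buggy parser: returns the first filename segment found
    in Content-Disposition and never reassembles RFC 2231 continuations."""
    raw = part.get("Content-Disposition")
    if raw is None:
        return None
    m = FIRST_SEGMENT.search(str(raw))
    return m.group(1) if m else None


def rfc2231_filename(part):
    """RFC 2231-aware: the email package joins filename*0, filename*1, ...
    in order and decodes charset'lang'value segments before returning."""
    return part.get_filename()


def is_blocked(filename):
    """The extension check a $mime_filename-style ACL rule performs."""
    return bool(filename) and BLOCKED_EXT.search(filename) is not None


def scan(raw):
    """For each attachment, report the filename each parser sees and
    whether the blocklist fires on it."""
    msg = email.message_from_bytes(raw)  # compat32 keeps the folded value
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        naive, full = naive_filename(part), rfc2231_filename(part)
        results.append({
            "naive": naive, "naive_blocked": is_blocked(naive),
            "rfc2231": full, "rfc2231_blocked": is_blocked(full),
        })
    return results


if __name__ == "__main__":
    for r in scan(RAW_MESSAGE):
        print(r)
```

The BLOCKED_EXT pattern plays the role of the extension condition an administrator keys off $mime_filename in an Exim MIME ACL. The point of the example is that such a rule is only as good as the filename the MTA hands it: both parsers look at the same header, but only the one that reassembles the continuations ever sees the .exe, which is why the remediation is the 4.98 release rather than a tighter regex.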

According to cybersecurity firm Censys, it observes 6,540,044 public-facing SMTP mail servers, of which 4,830,719 (roughly 74%) are running Exim.

Censys researchers state that a proof-of-concept (PoC) exploit for this issue exists, but no active exploitation has been observed so far.

“As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada. So far, 82 public-facing servers show indications of running a patched release of 4.98.” reads the report published by Censys.

The firm also published a set of search queries for identifying Censys-visible, public-facing Exim instances running versions potentially affected by this CVE.
