According to recent findings by security researchers, more than 1.5 million email servers are currently vulnerable to a critical security flaw in the Exim mail transfer agent (MTA).
Exim is a free mail transfer agent used on hosts running Unix or Unix-like operating systems. It was first released in 1995 for use at the University of Cambridge.
This vulnerability, tracked as CVE-2024-39929, has a severity rating of 9.1 out of 10 and poses a significant risk by allowing threat actors to bypass security protections and deliver executable attachments to user accounts.
The vulnerability, which was disclosed ten days ago, affects all versions of Exim up to and including 4.97.1. It stems from an error in the way Exim parses multiline headers as specified in RFC 2231.
This flaw enables attackers to bypass extension-blocking mechanisms, potentially allowing them to deliver malicious executable attachments via email.
Heiko Schlittermann, a member of the Exim project team, confirmed the severity of the issue, stating, “I can confirm this bug. It looks like a serious security issue to me”.
Security firm Censys conducted an analysis revealing that out of the 6.5 million public-facing SMTP email servers, approximately 4.8 million (74%) run Exim.
More than 1.5 million servers are running a vulnerable version of the software, making them susceptible to potential attacks.
Historical Context & Risks
Although there are no known reports of active exploitation of CVE-2024-39929, the ease of attack and the large number of vulnerable servers suggest that it is only a matter of time before threat actors begin targeting this flaw.
This situation is reminiscent of a similar incident in 2019 when the Kremlin-backed hacking group Sandworm exploited a severe Exim vulnerability (CVE-2019-10149) to execute malicious code with root system rights. Those attacks began two months after the vulnerability was disclosed and continued for nearly a year.
Release Candidate 3 of Exim 4.98 contains a fix for CVE-2024-39929. Administrators are strongly advised to update their systems to this latest version to mitigate the risk of exploitation.
Despite the requirement for end users to click on an attached executable for the attack to succeed, the risk remains high due to the effectiveness of social engineering tactics commonly employed by attackers.
Administrators should prioritize updating their Exim installations to the latest version to protect against this and other vulnerabilities.
Steps to Quickly Patch
1. Identify the Vulnerability
Understand the specific vulnerability affecting your system. For Exim servers, the current critical vulnerability is tracked as CVE-2024-39929.
2. Download the Patch
Obtain the latest patch from the official Exim website or repository. For CVE-2024-39929, the fix is available in the Release Candidate 3 of Exim 4.98.
3. Backup Your System
Before applying any patches, ensure you have a complete backup of your server. This step is crucial to prevent data loss in case something goes wrong during the patching process.
4. Apply the Patch
Use the following steps to apply the patch:
For Linux-based Systems:
- SSH into Your Server:
ssh user@your_server_ip
- Update Package Lists:
sudo apt-get update
- Install the Latest Exim Version:
sudo apt-get install exim4
- Verify the Installation:
exim -bV
Ensure the version displayed is 4.98 or later.
- Check the Service Status:
Confirm that Exim is running correctly and the patch has been applied successfully:
sudo systemctl status exim4
Ensure the status shows “active (running)”.
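The steps above end with reading the version out of exim -bV by eye. The following POSIX sh script, added here as an example and not taken from the article or from the Exim project, automates that check: it extracts the version from the banner that exim -bV prints and compares it against 4.97.1, the last affected release named above. The banner strings at the bottom are constructed for illustration, and the assumption that any suffix after the dotted digits can be dropped is the example's own. One caveat a practitioner will want: distribution packages that backport a security fix often keep the old version string, so a purely version-based check can report "affected" on a host that is in fact patched; confirm against the distribution's own advisory or package changelog before acting on the result.

```shell
#!/bin/sh
# Added example, not from the article or the Exim project. Given the banner
# printed by "exim -bV", decide whether the running version falls in the range
# affected by CVE-2024-39929 (every release up to and including 4.97.1; the
# article names Exim 4.98 RC3 as the first build carrying the fix).
#
# Usage on a real host (not run here):  exim_check_banner "$(exim -bV)"
# The sample banners at the bottom are constructed for illustration.

LAST_AFFECTED="4.97.1"

# Compare two dotted version strings field by field.
# Prints 0 if $1 == $2, 1 if $1 > $2, 2 if $1 < $2. Missing fields count as 0.
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    if [ "$x" -lt "$y" ]; then echo 2; return; fi
  done
  echo 0
}

# Extract the numeric version from a banner such as
# "Exim version 4.97.1 #2 built 01-Jan-2024" (the first line exim -bV prints).
# Anything after the dotted digits (for example an "-RC3" marker) is dropped;
# that simplification is an assumption made for this example.
exim_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit status 0 when VERSION is affected (<= 4.97.1), 1 when it is newer.
exim_affected() {
  [ "$(vercmp "$1" "$LAST_AFFECTED")" != 1 ]
}

# Classify a full banner: prints "affected", "fixed" or "unknown".
exim_check_banner() {
  v=$(exim_version_from_banner "$1")
  if [ -z "$v" ]; then
    echo unknown
  elif exim_affected "$v"; then
    echo affected
  else
    echo fixed
  fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "Exim version 4.96 #2 built 03-Mar-2023" \
              "Exim version 4.97.1 #2 built 01-Jan-2024" \
              "Exim version 4.98 #3 built 01-Jul-2024" \
              "not an exim banner"; do
  printf '%-45s -> %s\n' "$banner" "$(exim_check_banner "$banner")"
done
```

Run the script as-is to see the four constructed banners classified; on a live host, replace the loop with a single call to exim_check_banner on the real output of exim -bV. A result of "affected" is a prompt to check the package changelog, not a proof of exposure, for the backport reason given above.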