Exim patches three of six zero-day bugs disclosed last week


Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro’s Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution.

Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.

“The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer,” ZDI’s advisory explains.

“Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input,” the Exim development team says in the changelog of version 4.96.1, released today.

Today, the Exim team also patched an RCE bug (CVE-2023-42114) and an information disclosure vulnerability (CVE-2023-42116).

As Exim developer Heiko Schlittermann revealed on the Open Source Security (oss-sec) mailing list on Friday, today’s fixes were already “available in a protected repository” and “ready to be applied by the distribution maintainers.”

The list of zero-day vulnerabilities that remain to be fixed includes:

Not “a world-ending catastrophe”

While tagged with a 9.8/10 severity score by the ZDI team, Exim says the successful exploitation of CVE-2023-42115—the most severe of the six zero-days disclosed by ZDI last week—is dependent on the use of external authentication on the targeted servers.

Even though 3.5 million Exim servers are exposed online, according to Shodan, this requirement drastically reduces the number of Exim mail servers potentially vulnerable to attacks.

An analysis of the six zero-days by watchTowr Labs confirms Exim’s take on the severity of these zero-days as they “require a very specific environment to be accessible.”

watchTowr Labs also provided a list of all configuration requirements on vulnerable Exim servers needed for successful exploitation:

CVE CVSS Requirements
CVE-2023-42115 9.8 “External” authentication scheme configured and available
CVE-2023-42116 8.1 “SPA” module (used for NTLM auth) configured and available
CVE-2023-42117 8.1 Exim Proxy (different to a SOCKS or HTTP proxy) in use with untrusted proxy server
CVE-2023-42118 7.5 “SPF” condition used in an ACL
CVE-2023-42114 3.7 “SPA” module (used for NTLM auth) configured to auth the Exim server to an upstream server
CVE-2023-42119 3.1 An untrusted DNS resolver

“Most of us don’t need to worry. If you’re one of the unlucky ones who uses one of the listed features though, you’ll be keen to get more information before undertaking ZDI’s advice to ‘restrict interaction with the application’,” watchTowr researcher Aliz Hammond said.

“So, our advice is the usual – patch when you can, once patches are available [..] But in the meantime, don’t panic – this one is more of a damp squib than a world-ending catastrophe.”



Source link