Patch Confusion: Tackling the Critical Exim Bug to Secure Email Servers

Disorderly Disclosure Process for Exim Vulnerabilities Raises Concerns

An Overview of the Vulnerabilities and Patch Release

Last week, a disorderly disclosure process led to the release of information on six vulnerabilities in the Exim mail transfer agent. The maintainers of Exim released patches for these vulnerabilities five days after the information was disclosed. The vulnerabilities range from information disclosure issues to a critical remote code execution (RCE) bug, the most serious of the six, which can be exploited through a single email message with no authentication. The potential risk is significant, considering that between 250,000 and 3.5 million Exim servers are currently used by organizations to handle email.

The Risk Posed by Exploiting Exim Vulnerabilities

Mail servers, including Exim, have historically been popular targets for attackers because they are exposed to the Internet by design and are often easy to exploit. Attackers aim to steal sensitive information or misuse the server for malicious activities such as sending spam. A vulnerability in Exim therefore gives attackers a gateway into the network behind it and a foothold for further attacks.

History of Attacks on Exim

Exim and other mail servers have been targeted by attackers in the past. In 2019, Qualys, a security services firm, discovered a critical vulnerability in Exim with no known exploits at the time. By the following year, however, the National Security Agency warned that the Russia-linked Sandworm group had successfully exploited that vulnerability to compromise organizations. A search for “exim” returns over 3.5 million results, indicating how widely the software is deployed.

Current Status and Potential Exploits

So far, no exploits for the latest vulnerabilities have been released. Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, states that there is no indication of the potential exploitability of these bugs, and they are not aware of any active exploits using these vulnerabilities. Nevertheless, the high number of Exim servers and the popularity of the software make it crucial for organizations to implement the available patches.

The Popularity and Usage of Exim

Exim’s Dominance in Mail Transfer Agents

Exim is the most popular mail transfer agent on the Internet, accounting for 59% of identifiable mail servers. Another notable open-source mail transfer agent, Postfix, ranks second with 149,000 detectable installations. Querying the Shodan scanner reveals a greater number of Exim servers, nearly 3.5 million, including 1.9 million in the US. The popularity of Exim can be attributed to its flexibility, stability, and efficiency in managing diverse email volumes.

Past Exploitations and Known Vulnerabilities

Five Exim vulnerabilities disclosed between 2010 and 2019 have been exploited by attackers, including the 2019 vulnerability that the Sandworm group used to compromise organizations. By comparison, Microsoft Exchange accounts for 15 of the known exploited vulnerabilities tracked by the US Cybersecurity and Infrastructure Security Agency. These figures highlight the need for proactive measures to address Exim vulnerabilities.

The Challenges with Disclosure and Patching

Disagreements and Delayed Communication

The current disorderly disclosure process highlights underlying friction between the maintainers of Exim and the researchers at the Zero Day Initiative (ZDI). The ZDI reported the issues to the vendor in June 2022 but saw little progress. After its disclosure timeline had been exceeded by several months, the ZDI decided to publicly disclose the bugs. The Exim maintainers, for their part, say they did not receive sufficient answers or information from the ZDI to work on the reported issues.

Poor Patching Practices and Outdated Versions

One of the challenges in securing Exim servers is the lack of regular updates. A scan conducted in March revealed that only 14% of Exim servers had the latest software version at the time (4.96) installed. Many instances were found to be running outdated versions, such as 4.84, which dates back to 2014. This lack of patching leaves organizations exposed to attacks against long-known bugs.

Recommendations for Improved Security

To mitigate the risks posed by the disclosed Exim vulnerabilities, organizations are strongly advised to promptly patch their Exim servers to version 4.96.1. Additionally, it is crucial to establish a robust patching process that ensures regular updates for mail servers and other critical software. Organizations should also maintain open lines of communication between researchers and maintainers to address vulnerabilities in a timely manner.
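As an added example (not part of the original article, and not Exim's own tooling), the following script shows how an administrator can audit a fleet of Exim hosts against the recommended version, 4.96.1, by parsing the version line that `exim -bV` prints. The host names and the `exim -bV` outputs are constructed sample data; the only assumption about Exim itself is that the first line of `exim -bV` begins with `Exim version X.Y` or `Exim version X.Y.Z`.

```python
"""Audit Exim version strings against the patched release named in the
article (4.96.1). Added example; sample data is constructed, not collected."""
import re

# Version the article recommends upgrading to.
PATCHED_VERSION = (4, 96, 1)

# First line of `exim -bV` looks like "Exim version 4.96 #2 built ...";
# the patch component is optional (4.96 vs 4.96.1).
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str):
    """Return (major, minor, patch) parsed from `exim -bV` output,
    or None if no version line is present. A missing patch level
    is treated as 0 so that 4.96 sorts below 4.96.1."""
    m = VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch or 0))


def is_outdated(bv_output: str, minimum=PATCHED_VERSION) -> bool:
    """True when the reported version is older than `minimum`.
    Raises ValueError on unparseable output rather than silently
    reporting a host as patched."""
    version = parse_exim_version(bv_output)
    if version is None:
        raise ValueError("no Exim version string found in output")
    return version < minimum


# Constructed sample outputs (hypothetical hosts, placeholder build dates),
# modelled on the format of the first line of `exim -bV`.
SAMPLES = {
    "mx-old.example": "Exim version 4.84 #2 built 01-Jan-2014 00:00:00\n"
                      "Copyright (c) University of Cambridge, 1995 - 2014",
    "mx-mid.example": "Exim version 4.96 #2 built 01-Jan-2022 00:00:00",
    "mx-new.example": "Exim version 4.96.1 #1 built 01-Jan-2023 00:00:00",
}


def audit(samples):
    """Map each host to True if it still needs the patch, False if current."""
    return {host: is_outdated(output) for host, output in samples.items()}


if __name__ == "__main__":
    for host, outdated in audit(SAMPLES).items():
        print(f"{host}: {'NEEDS PATCH' if outdated else 'ok'}")
```

One caveat for the check: some Linux distributions backport security fixes into their packaged Exim without changing the upstream version number, so a host that this script flags may already carry the fix. Treat a version-string mismatch as a prompt to check the distribution's package changelog, not as proof that the host is unpatched.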

Conclusion

The disorderly disclosure process surrounding the Exim vulnerabilities exposes the challenges faced by organizations in securing their mail servers. The potential risks associated with these vulnerabilities demand immediate action from affected organizations. Proactive patching, open communication channels between researchers and maintainers, and regular software updates are essential in mitigating future vulnerabilities and ensuring the security of critical systems.
