21Nails Exim Bugs and Remote Code Execution: Beware
The Qualys Research Team found 10 remotely exploitable and 11 locally exploitable security flaws in Exim, collectively known as 21Nails. Every Exim version prior to 4.94.2 is vulnerable.
Exim is a widely deployed Mail Transfer Agent (MTA) for Unix-like operating systems; a recent survey found that almost 60% of the internet's mail servers run it. Multiple critical flaws were recently discovered in Exim, and they can have disastrous consequences for operators who do not patch.
About the vulnerabilities
The Qualys Research Team found 10 remotely exploitable and 11 locally exploitable security flaws, collectively known as 21Nails. Every Exim version released before 4.94.2 is vulnerable. Worse, some of these vulnerabilities can be chained together to achieve full unauthenticated remote code execution and obtain root privileges on the Exim server.
Why does it matter?
- Internet-facing MTAs are particularly attractive targets: they must be reachable by anyone who wants to deliver mail, which makes them a ready entry point into the target network.
- Once exploited, the researchers warned, adversaries could modify sensitive email settings on the Exim server and create new accounts on the mail server.
- A Shodan search shows nearly four million Exim servers exposed on the internet.
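Because the fix threshold is a single release (4.94.2) and exposed Exim servers advertise their version in the SMTP greeting, the first triage step is a version check. The script below is an added example written for this article, not code from Qualys or the Exim project. It assumes the default Exim greeting format ("220 host ESMTP Exim <version> <date>") and the first line of `exim -bV`; the sample banners are constructed, not real hosts. One caveat it encodes: a distribution package may backport the fix while keeping the old version string, so an old version means "verify", not "confirmed vulnerable".

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First upstream Exim release that contains the 21Nails fixes (from the article).
FIXED_VERSION = (4, 94, 2)

# Matches both the self-reported form ("Exim version 4.94.2 #2 built ...")
# and the SMTP greeting form ("220 host ESMTP Exim 4.92 Ubuntu ...").
# The trailing "#<n>" in `exim -bV` output is a build number, not a version part.
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an SMTP banner or `exim -bV` line.

    Returns None when no Exim version string is present. A missing patch
    component ("4.94") is treated as 0 so tuples compare correctly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(text: str) -> str:
    """Classify one banner/version line against the 21Nails fix threshold.

    'patched'      -> reports 4.94.2 or later
    'check-needed' -> reports an older version: vulnerable upstream, but a
                      distro package may carry a backported fix under the old
                      version string, so confirm via the package changelog
                      before declaring it vulnerable
    'unknown'      -> no Exim version found (banner hidden, or not Exim)
    """
    version = parse_exim_version(text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "check-needed"


def triage(banners: Iterable[str]) -> Dict[str, str]:
    """Return {banner: verdict} for a batch of scan results."""
    return {banner: assess(banner) for banner in banners}


# Constructed sample inputs: one `exim -bV` first line and three greetings of
# the kind a banner scan returns. Hostnames are placeholders, not real servers.
SAMPLES = [
    "Exim version 4.94.2 #2 built 04-May-2021 08:38:46",
    "220 mail.example.com ESMTP Exim 4.92 Ubuntu Mon, 03 May 2021 10:00:00 +0000",
    "220 mx.example.org ESMTP Exim 4.94 Mon, 03 May 2021 10:00:00 +0000",
    "220 smtp.example.net ESMTP Postfix (Debian/GNU)",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLES).items():
        print(f"{verdict:13} {banner}")
```

For fleet-wide use, feed `triage()` the greeting lines collected by a scanner and follow up every `check-needed` host with `dpkg -s exim4-base` / `rpm -q exim` plus the package changelog, since the banner alone cannot distinguish an unpatched server from a backported one.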
Previous Exim vulnerabilities
Exim is the most widely used MTA thanks to its efficiency and configurability. That popularity has also made it a recurring target.
- In May 2020, the NSA warned that the Russian threat actor Sandworm had been exploiting a critical Exim flaw (CVE-2019-10149).
- In June 2019, the same flaw was already being exploited by a Linux worm, and it also put Azure servers running Exim at risk.
The bottom line
Patch your Exim servers as soon as possible. Mail servers have become a lucrative target for cyber-espionage actors, and the recent Microsoft Exchange Server breaches showed how quickly unpatched mail servers are compromised once a flaw is public. Apply the security updates without delay.