On May 4, 2021, Qualys released a security advisory detailing the discovery and coordinated disclosure of 21 vulnerabilities in the Exim mail transfer agent. These vulnerabilities – CVE-2020-28007 through CVE-2020-28026, plus CVE-2021-27216 – include both remote code execution (RCE) and local privilege escalation. At the time of writing, no public exploits are known and no in-the-wild exploitation has been observed.
A patch that addresses these vulnerabilities is available, and customers running Exim within their environments are urged to update immediately. For more information, refer to Recommendations for Mitigation.
Vulnerability Description
Discovered by the Qualys Research Team and dubbed “21Nails”, these vulnerabilities affect all versions of Exim before 4.94.2, going back to 2004. Of the 21 assigned CVEs, 10 are remotely exploitable – including unauthenticated remote code execution – while the remaining 11 are local and include privilege escalation to the root user.
Taken from Qualys’ Security Advisory, the CVEs and their descriptions are as follows:
Remote vulnerabilities

CVE Number | Description
CVE-2020-28017 | Integer overflow in receive_add_recipient()
CVE-2020-28018 | Use-after-free in tls-openssl.c
CVE-2020-28019 | Failure to reset function pointer after BDAT error
CVE-2020-28020 | Integer overflow in receive_msg()
CVE-2020-28021 | New-line injection into spool header file (remote)
CVE-2020-28022 | Heap out-of-bounds read and write in extract_option()
CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg()
CVE-2020-28024 | Heap buffer underflow in smtp_ungetc()
CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash()
CVE-2020-28026 | Line truncation and injection in spool_read_header()
Local vulnerabilities

CVE Number | Description
CVE-2020-28007 | Link attack in Exim's log directory
CVE-2020-28008 | Assorted attacks in Exim's spool directory
CVE-2020-28009 | Integer overflow in get_stdinput()
CVE-2020-28010 | Heap out-of-bounds write in main()
CVE-2020-28011 | Heap buffer overflow in queue_run()
CVE-2020-28012 | Missing close-on-exec flag for privileged pipe
CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase()
CVE-2020-28014 | Arbitrary file creation and clobbering
CVE-2020-28015 | New-line injection into spool header file (local)
CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase()
CVE-2021-27216 | Arbitrary file deletion
Chained together, these vulnerabilities can allow an unauthenticated remote attacker to execute code and then escalate to root. While Qualys notes that it did not develop exploits for every CVE above, it believes enough information has been published for proof-of-concept exploits to be developed.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released unauthenticated scan coverage to identify these vulnerabilities in protected assets.
Network IDS: Alert Logic has deployed IDS signatures for CVE-2020-28019, CVE-2020-28020, and CVE-2020-28021 to detect attacks targeted at exploiting these CVEs. We are continuing to investigate the other CVEs related to this threat for development of new IDS signatures.
Web Application Firewall: Alert Logic is actively researching these vulnerabilities for development of web application coverage.
Log Management: Alert Logic is actively researching these vulnerabilities to determine whether log detection is appropriate.
Recommendations for Mitigation
Exim has released version 4.94.2, which remediates these vulnerabilities, as announced in a security release. The vulnerabilities affect all versions of Exim before 4.94.2, going back to 2004. All customers running Exim should update to 4.94.2 as soon as possible. Note that distribution packages may ship backported fixes under an older version number, so confirm the fixed package version against your vendor's advisory rather than relying on the banner version alone.
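A quick way to triage exposed hosts is to read the Exim version from the SMTP greeting (or from `exim -bV` on the box) and compare it against 4.94.2. The following is an added example, not code from Alert Logic, Qualys or the Exim project; the banners it parses are constructed samples, and `grab_banner()` is an optional helper for live checks that the offline triage does not need. Treat a vulnerable result as a lead, not a verdict, because a distribution package can carry the fix under an older upstream version number.

```python
import re
import socket
from typing import List, Optional, Tuple

# First upstream release that fixes 21Nails
# (CVE-2020-28007 .. CVE-2020-28026 and CVE-2021-27216).
FIXED_VERSION = (4, 94, 2)

# Matches both the SMTP greeting ("220 host ESMTP Exim 4.92 ...") and the
# first line of `exim -bV` ("Exim version 4.94.2 #2 built ..."). The patch
# level is optional because releases such as 4.94 have no third component.
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner or -bV line, or None if
    the text does not identify itself as Exim."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the advertised version predates 4.94.2, False if it is
    4.94.2 or later, None if no Exim version could be read.
    Caveat: a distro may have backported the fix without bumping the
    upstream version, so True means 'investigate', not 'confirmed'."""
    version = parse_exim_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(banners: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Classify (host, banner) pairs as 'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return [(host, labels[is_vulnerable(banner)]) for host, banner in banners]


def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Fetch the SMTP greeting from a live host (network access required;
    not used by the offline sample run below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", errors="replace").strip()


# Constructed sample banners; the hostnames are illustrative only.
SAMPLE_BANNERS = [
    ("mx1.example.test", "220 mx1.example.test ESMTP Exim 4.92 Tue, 04 May 2021 12:00:00 +0000"),
    ("mx2.example.test", "220 mx2.example.test ESMTP Exim 4.94 Tue, 04 May 2021 12:00:00 +0000"),
    ("mx3.example.test", "Exim version 4.94.2 #2 built 04-May-2021 10:00:00"),
    ("mx4.example.test", "220 mx4.example.test ESMTP Postfix"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS):
        print(f"{host}: {verdict}")
```

Run as a script it prints one verdict per sample host; in a real sweep, replace `SAMPLE_BANNERS` with `grab_banner()` output for the hosts in scope and follow up any "vulnerable" or "unknown" result with `exim -bV` and the vendor's package changelog on the host itself.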
Updates
This section will be updated with new information about these vulnerabilities and related Alert Logic coverage as it becomes available.
05/06/2021: Alert Logic released unauthenticated scan coverage to identify these vulnerabilities in protected assets.
05/07/2021: Alert Logic deployed IDS signatures for CVE-2020-28019, CVE-2020-28020, and CVE-2020-28021 to detect attacks targeted at exploiting these CVEs. We are continuing to investigate the other CVEs related to this threat for development of new IDS signatures.
Additional Information
Qualys Security Advisory: https://www.qualys.com/2021/05/04/21nails/21nails.txt
Exim patch information: https://www.openwall.com/lists/oss-security/2021/05/04/6