Exim mail servers left open to zero-day attacks for over a year

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

A major flaw in Exim’s mail transfer agent (MTA) software has been detected that has gone without a patch for more than a year.

Researchers from Trend Micro’s Zero Day Initiative were tipped off by an anonymous researcher in June last year, about an out-of-bounds write weakness discovered in the SMTP service, BleepingComputer reported.

Exim is an MTA that runs in the background of email servers, and hackers can use it to run malware on vulnerable endpoints.

Used by Russian hackers

That vulnerability is being tracked as CVE-2023-42115, and can be used to crash software and corrupt valuable data, but more importantly - it can be used to run malicious code on vulnerable servers.

Exim was reportedly first notified about the flaw in June 2022, and then again in May 2023, but apparently to no avail. Given Exim’s failure to address it, Trend Micro Zero Day Initiative has now published an advisory describing the flaw, and detailing its discussion with Exim over the months.

According to BleepingComputer, MTA servers like Exim are a popular target among hackers as they can be accessed remotely and used to move into the wider corporate network. It’s also apparently the “world’s most popular MTA software, installed on more than 56% of 602,000 internet-connected mail servers” (342,000). This is mostly because it comes bundled with many popular Linux distros including Debian and Red Hat.

Three years ago, Sandworm (a Russian state-sponsored threat actor) was using a flaw found in Exim to infiltrate endpoints, the NSA warned at the time.

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA said.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.