A security bug has been discovered in millions of Exim servers that could be exploited to give potential attackers the ability to run malicious code with root privileges.
The Exim team revealed in a recent advisory that every server running version 4.92.1 or lower is vulnerable, and has released version 4.92.2 to address the flaw.
If you're unfamiliar with Exim, it is a mail transfer agent (MTA), the software that runs in the background of an email server. Besides sending and receiving a server's own messages, email servers also act as relays for other users' mail, and the MTA is what handles that relaying.
Exim is currently the most popular MTA, in large part because it is bundled with many widely used Linux distributions, including Debian and Red Hat.
If an Exim server is configured to accept incoming TLS connections, an attacker can send a malicious backslash-null sequence at the end of the Server Name Indication (SNI) value in the TLS handshake, which would allow them to run malicious code with root privileges.
A security researcher named Zerons first discovered the issue and reported it to Exim in early July. Because of its seriousness and the number of servers that could be exposed, the Exim team has since worked on the patch privately.
Fortunately, the vulnerability can be mitigated by disabling TLS support on affected Exim servers, though doing so exposes email traffic in cleartext, leaving it open to interception and sniffing. If you run an Exim server and operate in the EU, this workaround is therefore not recommended, as it could lead to data leaks and fines under the GDPR.
Exim does not enable TLS support by default, but the Exim packages included with Linux distributions do. Exim instances that ship with cPanel also support TLS by default; however, cPanel has already integrated the Exim patch into an update that it has begun rolling out to customers.
If you are unsure whether TLS is enabled on your Exim servers, installing the Exim patch is highly recommended, since it is the only way to fully prevent the vulnerability from being exploited on your server.
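The two facts an administrator needs in order to decide whether a server is exposed are the installed Exim version (below 4.92.2 is affected) and whether TLS is advertised to clients. The script below is an added example, not code from the article or from the Exim project. It assumes the real Exim commands `exim -bV` (whose first line begins `Exim version X.Y.Z`) and `exim -bP tls_advertise_hosts` (which prints `tls_advertise_hosts = <host list>`; an empty list means TLS is not advertised); the function names and the sample output lines are constructed for the example.

```shell
#!/bin/sh
# Added example: classify an Exim server as vulnerable, patched, or not advertising TLS.
# Assumes the output formats of `exim -bV` and `exim -bP tls_advertise_hosts`;
# function names below are hypothetical, not Exim's own.

FIXED_VERSION="4.92.2"   # version named in the advisory as carrying the fix

# Extract "4.92.1" from a line such as "Exim version 4.92.1 #3 built 01-Jul-2019".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if dotted version $1 is numerically lower than $2.
# Missing components are treated as 0, so "4.92" compares as "4.92.0".
version_lt() {
    v1="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0"
    v2="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$v1" | cut -d. -f"$i")
        p2=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ "$p1" -lt "$p2" ] && return 0
        [ "$p1" -gt "$p2" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal versions are not "lower"
}

# Combine version and the tls_advertise_hosts line into one verdict:
#   tls-disabled  - TLS is not advertised, so the SNI handling is never reached
#   vulnerable    - TLS advertised and version below the fixed release
#   patched       - TLS advertised but running the fixed release or newer
#   unknown       - the -bP line was not recognised
assess_exposure() {
    ver=$1
    tls_line=$2
    case "$tls_line" in
        tls_advertise_hosts*)
            hosts=$(printf '%s' "$tls_line" | sed 's/^tls_advertise_hosts *= *//') ;;
        *)
            echo "unknown"; return 0 ;;
    esac
    if [ -z "$hosts" ]; then
        echo "tls-disabled"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Live check against the local Exim binary (only runs when exim is installed).
check_local_exim() {
    command -v exim >/dev/null 2>&1 || { echo "exim not found on this host"; return 1; }
    bv_line=$(exim -bV 2>/dev/null | head -n 1)
    tls_line=$(exim -bP tls_advertise_hosts 2>/dev/null)
    ver=$(exim_version_from_bv "$bv_line")
    echo "Exim $ver: $(assess_exposure "$ver" "$tls_line")"
}

# Constructed sample lines, standing in for real command output:
SAMPLE_BV='Exim version 4.92.1 #3 built 01-Jul-2019'
SAMPLE_TLS='tls_advertise_hosts = *'

sample_verdict() {
    assess_exposure "$(exim_version_from_bv "$SAMPLE_BV")" "$SAMPLE_TLS"
}

[ "${1:-}" = "--live" ] && check_local_exim
```

Run it with `--live` on the server to test the local installation; without arguments it only defines the functions and the constructed sample. A `tls-disabled` verdict means the backslash-null path is unreachable, but per the advisory the patch is still the only complete fix, so it should be treated as a temporary state rather than a reason to skip the update.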