Threat Update
Developers behind Exim, a widely adopted mail transfer agent (MTA), have released a patch to resolve 21 vulnerabilities. The patch was released to prevent threat actors from taking over servers through multiple attack vectors. It is imperative that this update is installed as soon as possible to prevent threat actors from taking over your email server.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Threat actors can use any one of these 21 vulnerabilities to take over the email server. The vulnerabilities, collectively called 21Nails, can be exploited to give an attacker complete control of your server. The set includes 11 vulnerabilities that require local access to the server to exploit and 10 bugs that can be exploited remotely across the internet. These vulnerabilities affect all Exim server versions from the past 17 years, since 2004, and include a variety of overflow and injection bugs.
WHY IS IT NOTEWORTHY?
This is especially noteworthy due to the widespread use of the Exim MTA software. Over 60% of the internet’s email servers use this software to deliver email. Previously disclosed vulnerabilities and bugs in this software have been widely exploited since 2019. Although working exploits are not widely available on the internet, it is trivial for an attacker to develop reliable exploits based on the advisory released by Qualys.
WHAT IS THE EXPOSURE OR RISK?
Once exploited, threat actors could easily take over these servers. From there, they can maintain persistence and intercept or tamper with email communications passing through the Exim servers. Any confidential information passing through these systems would be compromised. Furthermore, the attacker could use these servers as a staging point to further compromise a specific company; for example, by tampering with email communications to that company so that a user may click on a malicious link.
WHAT ARE THE RECOMMENDATIONS?
It is imperative that the latest Exim patch is downloaded and installed (Exim version 4.94). It is also best practice to do the following:
- Maintain a good patching policy for all machines and servers to stay defended against the latest vulnerabilities.
- Install and update SKOUT Endpoint Protection on necessary servers or machines in blocking policy to ensure attackers cannot perform any memory or disk-based exploits.
- Train users to look out for malicious emails and suspicious links that, once clicked, may lead to further compromise or credential leaks.
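To support the first recommendation, the following shell script checks whether the Exim build on a host reports a version at or below the patched release named in this advisory (4.94). It is an added example, not code from the advisory or from the Exim project. It assumes that any reported version below 4.94 is unpatched, and the two `exim -bV` output lines used when no Exim binary is present are constructed samples.

```shell
#!/bin/sh
# Added example: flag Exim installations that report a version older than the
# patched release named in the advisory. The threshold and the sample output
# lines below are assumptions/constructed data, not values from the advisory.

MIN_VERSION="4.94"

# Pull "X.YY[.Z]" out of the first line of `exim -bV` output, e.g.
# "Exim version 4.92 #3 built 12-Jun-2019 10:00:00" -> "4.92".
# Prints nothing when the line does not look like Exim version output.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically
# (so 4.94.2 >= 4.94 and 4.92 < 4.94). Missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Classify one `exim -bV` line as "patched", "vulnerable" or "unknown".
exim_status_label() {
    ver=$(exim_version_from_bv "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$MIN_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Print the classification next to the line it was derived from.
report() {
    echo "$(exim_status_label "$1"): $1"
}

# Constructed sample output lines, used when no Exim binary is on the host.
SAMPLE_OLD="Exim version 4.92 #3 built 12-Jun-2019 10:00:00"
SAMPLE_NEW="Exim version 4.94 #2 built 01-May-2021 10:00:00"

if command -v exim >/dev/null 2>&1; then
    report "$(exim -bV 2>/dev/null | head -n 1)"
else
    report "$SAMPLE_OLD"
    report "$SAMPLE_NEW"
fi
```

Treat a "patched" result as a first check only: distributions that backport security fixes often keep the upstream version string and carry the fix in the package release number, so confirm against your vendor's own advisory for the installed package before closing the finding.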
References:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.