21Nails: Multiple Critical Vulnerabilities in Exim Mail Server

The Qualys Research Team has discovered multiple critical vulnerabilities in the Exim mail server, some of the which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. The 21Nails vulnerabilities, if left unpatched, could allow threat actors to take over these systems and then intercept or tamper with email communications passing through the Exim server.

11 issues are local vulnerabilities, while 10 of them could be remotely exploited, experts pointed out all Exim server versions released since2004 are affected.

Local vulnerabilities
– CVE-2020-28007: Link attack in Exim’s log directory
– CVE-2020-28008: Assorted attacks in Exim’s spool directory
– CVE-2020-28014: Arbitrary file creation and clobbering
– CVE-2021-27216: Arbitrary file deletion
– CVE-2020-28011: Heap buffer overflow in queue_run()
– CVE-2020-28010: Heap out-of-bounds write in main()
– CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
– CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
– CVE-2020-28015: New-line injection into spool header file (local)
– CVE-2020-28012: Missing close-on-exec flag for privileged pipe
– CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities
– CVE-2020-28017: Integer overflow in receive_add_recipient()
– CVE-2020-28020: Integer overflow in receive_msg()
– CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
– CVE-2020-28021: New-line injection into spool header file (remote)
– CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
– CVE-2020-28026: Line truncation and injection in spool_read_header()
– CVE-2020-28019: Failure to reset function pointer after BDAT error
– CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
– CVE-2020-28018: Use-after-free in tls-openssl.c
– CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()


Solution
Upgrade to Exim 4.94.2 or later.

Reference:
https://www.exim.org/static/doc/security/CVE-2020-qualys/
https://www.qualys.com/2021/05/04/21nails/21nails.txt
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
https://securityaffairs.co/wordpress/117522/security/exim-email-servers-21nails-flaws.html

Share