Critical Exim Vulnerability Bypasses Security Filters

Exim, the widely used Mail Transfer Agent (MTA) on Unix-like operating systems, faces a critical vulnerability, CVE-2024-39929, with a CVSS score of 9.1. This vulnerability affects Exim releases up to and including version 4.97.1. It allows remote attackers to bypass security filters, delivering malicious executable attachments directly to user inboxes. Immediate action is required to mitigate this threat.

The Vulnerability

CVE-2024-39929 stems from a bug in parsing RFC 2231 headers. This flaw enables attackers to evade filename extension blocking measures, allowing executable attachments to reach end users. If users download or execute these attachments, their systems could be compromised. Censys, a cybersecurity firm, disclosed this vulnerability on July 4, 2024, and detailed its impact on July 10, 2024. The vulnerability exists in Exim versions up to and including 4.97.1.
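As an added illustration (not code from this page, from Exim or from Censys, and not a description of the specific Exim bug), the following Python snippet shows why an attachment filter must decode RFC 2231 parameters before checking the extension: a naive check that only reads a plain filename= parameter sees no name at all, while the standard library's decoder recovers the real extension. The sample message, the blocklist and the function names are constructed for this example.

```python
import email
import os
import re

# Extensions a hypothetical mail gateway refuses to deliver (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample message: the attachment name is carried only in the
# RFC 2231 continued/encoded parameters filename*0*= and filename*1*=,
# never in a plain filename="..." parameter.
SAMPLE_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: user@example.test\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    " filename*0*=utf-8''inv;\r\n"
    " filename*1*=oice.exe\r\n"
    "\r\n"
    "not really a binary\r\n"
    "--b1--\r\n"
)

def naive_filename(content_disposition):
    """Filter logic that only understands a plain filename=... parameter."""
    m = re.search(r'filename=("?)([^";]+)\1', content_disposition)
    return m.group(2) if m else None

def is_blocked(filename):
    """True when the decoded name ends in a blocked extension."""
    return bool(filename) and os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS

def scan(raw):
    """Return (naive_names, decoded_names, blocked) over all attachment parts."""
    msg = email.message_from_string(raw)
    naive, decoded = [], []
    for part in msg.walk():
        disposition = part.get("Content-Disposition")
        if not disposition:
            continue
        naive.append(naive_filename(disposition))
        # The stdlib decodes RFC 2231 charset/continuation parameters here.
        decoded.append(part.get_filename())
    return naive, decoded, any(is_blocked(name) for name in decoded)
```

Running scan(SAMPLE_MESSAGE) yields no name from the naive check but "invoice.exe" from the decoded check, which is the difference between delivering and blocking the part.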

Impact and Statistics

According to Censys, Exim serves about 74% of the 6.54 million public-facing SMTP mail servers visible to its search engine, with significant concentrations in the United States, Russia, and Canada. Over 1.5 million Exim instances remain unpatched against this critical flaw. As of July 10, 2024, only 82 public-facing servers have updated to the patched release, Exim 4.98.

Exploitation Risks

Although no active exploitation has been reported, the widespread use of Exim MTA makes it a prime target for attackers. Russian cyber actors, such as the GRU’s Sandworm group, have previously exploited Exim vulnerabilities to seize control of mail servers. The National Security Agency (NSA) reported similar tactics in 2020, highlighting the persistent threat from such groups.

Mitigation and Recommendations

To mitigate the risk, cybersecurity administrators should prioritize upgrading to Exim 4.98. The patch fixing this vulnerability is available on Exim’s GitHub repository. Censys provides queries to help administrators identify and address potentially vulnerable Exim instances swiftly.

  • Censys Search Query: services.software: (product="exim" and version: [* to 4.97.1])
  • Censys ASM Query: host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])

Admins who cannot immediately upgrade should restrict remote access to their servers from the Internet to block exploitation attempts. Maintaining robust email security through timely updates to MTA software is crucial for preventing potential breaches.

Conclusion

The critical Exim vulnerability CVE-2024-39929 poses a significant threat to email security. With millions of servers potentially exposed, immediate action is essential to protect against potential exploitation. Administrators must upgrade to the latest Exim version and implement recommended security measures to safeguard their systems. Stay vigilant and ensure your email infrastructure remains secure against evolving threats.