Wednesday, 09 July 2025

Code audit revealed 21 vulnerabilities in Exim mail server

An audit of the code of the popular Exim mail server revealed 21 previously unknown vulnerabilities. Some of them can be chained to execute code remotely on the target server, without any authentication.

The developers have already released patches in Exim v4.94.2 and advise users to install the update as soon as possible. All versions released before 4.94.2 are now deprecated.

The Exim code was audited by a researcher from Qualys, who found more than two dozen vulnerabilities, collectively named «21Nails». Most of the vulnerabilities affect all versions of the mail server.

Ten of the identified flaws can be exploited remotely, and some bugs even allow an attacker to gain root privileges on the attacked system:

CVE-2020-28017 - Integer overflow in receive_add_recipient();

CVE-2020-28020 - Integer overflow in receive_msg();

CVE-2020-28023 - Out-of-bounds read in smtp_setup_msg();

CVE-2020-28021 - Remote code injection capability;

CVE-2020-28022 - Out-of-bounds read and write in extract_option();

CVE-2020-28026 - Injection in spool_read_header();

CVE-2020-28019 - Failure to reset function pointer after BDAT error;

CVE-2020-28024 - Buffer underflow in smtp_ungetc();

CVE-2020-28018 - «Use-after-free» flaw in tls-openssl.c;

CVE-2020-28025 - Out-of-bounds read in pdkim_finish_bodyhash().

The other 11 flaws can only be exploited locally; most of them are related to the default configuration or a typical vulnerable configuration. The technical details of the flaws are available on the Qualys website - qualys.com.

Source: anti-malware.ru

06 May 2021
