A collection of critical vulnerabilities was found in Exim mail server that consisted of twenty-one flaws that can be exploited locally and remotely. some of which when chained together, could allow attackers to execute arbitrary code, modify email settings and configuration, create new accounts, even gain root privilege on affected mail servers with default or common configurations.

Exim is a popular mail transfer agent (MTA) available for us on Unix systems and comes pre-installed on some Linux distributions. Previous vulnerabilities on Exim were targeted by threat actors to gain full remote unauthenticated code execution and gain root privileges on the Exim Server.


A. Nature of the Vulnerabilities

Description of the Vulnerabilities:

Collectively named as ’21Nails’, the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely.

Remotely exploitable vulnerabilities:

  • CVE-2021-27216, Arbitrary file deletion
  • CVE-2020-28007, Link attack in Exim’s log directory
  • CVE-2020-28008, Assorted attacks in Exim’s spool directory
  • CVE-2020-28014, Arbitrary file creation and clobbering
  • CVE-2020-28011, Heap buffer overflow in queue_run()
  • CVE-2020-28010, Heap out-of-bounds write in main()
  • CVE-2020-28013, Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016, Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015, New-line injection into spool header file (local)
  • CVE-2020-28012, Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009, Integer overflow in get_stdinput()

Locally exploitable vulnerabilities:

  • CVE-2020-28017, Integer overflow in receive_add_recipient()
  • CVE-2020-28020, Integer overflow in receive_msg()
  • CVE-2020-28023, Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021, New-line injection into spool header file )
  • CVE-2020-28022, Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026, Line truncation and injection in spool_read_header()
  • CVE-2020-28019, Failure to reset function pointer after BDAT error
  • CVE-2020-28024, Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018, Use-after-free in tls-openssl.c
  • CVE-2020-28025, Heap out-of-bounds read in pdkim_finish_bodyhash()


B. Nature of Vulnerable System

Vulnerable Exim instances are as follows:

  • version 4.94 or lower
  • version 4.94 up to present version


C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Exim users are urged to immediately update to the latest stable version to mitigate attacks that target the featured vulnerabilities.
  • For Exim users that uses versions older than 4.94, additional procedures must be taken:
    • Users must modify their servers’ configuration to address issues with regards to tainted data.
    • Users must use the exim-4.94.2+taintwarn branch that adds an additional configuration option, “allow_insecure_tainted_data”, that allow users to turn the taint errors into warnings.
    • Do note that this method will not be necessary and will be ignored in future releases of Exim.