Exim Security Flaw Affects Millions Of Email Servers

The team behind Exim revealed that a bug in its email server software is currently exposing millions of email servers around the world to potential attacks. Exim is a mail transfer agent (MTA) that runs in the background on email servers. It handles the sending and receiving of email messages and lets servers act as relays for other users’ emails. All versions of Exim up to and including version 4.92.1 are affected.

The Exim team said in a recent advisory that anyone who is currently running Exim over TLS connections is vulnerable. According to the developers, the bug is unrelated to the TLS libraries (usually a source of similar bugs), so all Exim email servers are impacted, regardless of the TLS library they use.

If the server uses TLS, an attacker could send a Server Name Indication (SNI) value ending in a backslash-null sequence during the initial TLS handshake. This would allow both local and remote attackers to run malicious code with root privileges.
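As an added defender-side example (not code from the article or from the Exim project), the following Python extracts the server_name extension from a TLS ClientHello and flags a host name that ends in the backslash-null sequence described above, which is what a network sensor or TLS-terminating proxy would check. The ClientHello builder produces a constructed test input, not captured traffic.

```python
import struct
from typing import Optional

SERVER_NAME_EXT = 0  # TLS extension type for server_name (RFC 6066)


def extract_sni(record: bytes) -> Optional[bytes]:
    """Return the host_name carried in a ClientHello's server_name extension, or None."""
    try:
        # TLS record header (5 bytes) followed by a Handshake header (4 bytes)
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                           # skip client_version and random
        pos += 1 + record[pos]                     # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                     # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SERVER_NAME_EXT:
                # ServerNameList: list_len(2), then name_type(1) + name_len(2) + name
                lpos = pos + 2
                lend = lpos + struct.unpack_from("!H", record, pos)[0]
                while lpos + 3 <= lend:
                    name_type = record[lpos]
                    name_len = struct.unpack_from("!H", record, lpos + 1)[0]
                    lpos += 3
                    if name_type == 0:             # host_name
                        return record[lpos:lpos + name_len]
                    lpos += name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                # truncated or malformed input
    return None


def sni_is_suspicious(sni: Optional[bytes]) -> bool:
    """True if the SNI ends in the backslash-null sequence named in the Exim advisory."""
    return sni is not None and sni.endswith(b"\\\x00")


def build_client_hello(server_name: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello with one SNI entry (constructed test input)."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    ext_body = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SERVER_NAME_EXT, len(ext_body)) + ext_body
    body = (b"\x03\x03" + bytes(32)               # version, all-zero random (constructed)
            + b"\x00"                              # empty session_id
            + b"\x00\x02\x00\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```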

Mitigations

A security researcher known as “Zerons” first reported the bug to the Exim team in July, at which point the Exim developers started working on a patch. The team has already issued the patch and began alerting the community of email server owners about the bug at the beginning of September.

Some platform vendors, such as the makers of the popular cPanel software for hosting servers, have already integrated the patch into their offering. Many other owners of email servers will have to patch it manually or else remain exposed to attacks.

A temporary alternative to patching would be to disable TLS encryption for email and send users’ messages in plaintext over the Internet. However, besides risking customers’ potentially sensitive information being sniffed from networks by malicious parties, it could also expose the companies that do so to charges of improper handling of private data under the EU's General Data Protection Regulation (GDPR).