Trend Micro's Zero Day Initiative disclosed six zero-day vulnerabilities in the popular mail transfer agent Exim last week, three of which remain unpatched as of Monday.
The vulnerabilities, which were discovered by an anonymous researcher, were first reported by Zero Day Initiative (ZDI) to the Openwall Project in June 2022. ZDI disclosed the zero days in six separate advisories last Wednesday that emphasized restricting interaction with applications as the only mitigation strategy at that point. The advisories also warned that no authentication is required for exploitation.
The most critical of the six vulnerabilities was an out-of-bounds write remote code execution vulnerability, tracked as CVE-2023-42115, that received a critical CVSS score of 9.8. According to the advisory, the improper validation flaw exists in Exim's handling of the Simple Mail Transfer Protocol (SMTP), the protocol used to send and receive email. It remains unclear whether the zero-day vulnerabilities are being actively exploited.
"An attacker can leverage this vulnerability to execute code in the context of the service account," ZDI wrote in the advisory.
Openwall released patches for three of the vulnerabilities, including CVE-2023-42115, on Friday, but the other zero days remain unpatched. The recommended mitigation for CVE-2023-42118, which received a CVSS score of 7.5, is "do not use the 'spf' condition in your ACL." There is no fix for the low-scoring CVE-2023-42119, and Exim said it is still under consideration. Although CVE-2023-42117 received an 8.1 CVSS score, no fix has been released yet.
Disclosure timeline questions
In all the advisories, ZDI confirmed it reported the vulnerabilities to Openwall Project on June 14, 2022, and published a coordinated public release on Sept. 27. However, the timeline in between presented some problems. ZDI said it requested an update on April 25, but Openwall asked for the reports to be re-sent. ZDI re-sent the reports, then asked for an update five months later and informed Exim that it would publish a zero-day advisory on Sept. 27.
Two days later, Exim developer Heiko Schlittermann published an email through open source software organization Openwall Project that raised questions about ZDI's disclosure timeline. Schlittermann confirmed that while patches for three of the six flaws -- including CVE-2023-42115 -- were available, it's not entirely clear when they were completed.
"The ZDI contacted us in June 2022. We asked about details but didn't get answers we were able to work with," Schlittermann wrote in the email. "Next contact with ZDI was in May 2023. Right after this contact we created a project bug tracker for 3 of the 6 issues. Fixes are available in a protected repository and are ready to be applied by the distribution maintainers. The remaining issues are debatable or miss information we need to fix them."
In an exchange on the Open Source Security List Sept. 29, a ZDI representative responded to Schlittermann's criticisms. The spokesperson said ZDI contacted Exim developers "multiple times," but responses and progress were slow.
"After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, 'you do what you do,'" ZDI wrote in the exchange. "If these bugs have been appropriately addressed, we will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue."
On its website, Exim urged users to update to the most current version, 4.96.1. In another email on Openwall, Schlittermann apologized to users for any inconvenience.
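The article names two concrete mitigations: updating Exim to 4.96.1 and, for CVE-2023-42118, not using the 'spf' condition in ACLs. The following audit script, added here as an example (it is not code from Exim, ZDI, Openwall or the article), checks both on a host. It assumes that `exim -bV` prints a line beginning `Exim version X.Y`, that an Exim configuration line whose first non-blank character is `#` is a comment, and that an ACL condition is written as `spf = ...`; the `exim -bV` output and the ACL fragment embedded below are constructed samples, not captured from a real server.

```python
"""Audit the two mitigations named for the Exim zero days: version >= 4.96.1
and no `spf` condition in ACL configuration."""
from __future__ import annotations

import re
import subprocess

PATCHED_VERSION = (4, 96, 1)  # version Exim asked users to update to

# `exim -bV` starts with a line such as "Exim version 4.96 #2 built ...".
VERSION_RE = re.compile(r"Exim version (\d+(?:\.\d+)*)")
# An ACL condition may follow the verb on the same line ("deny spf = fail")
# or sit on its own indented continuation line ("     spf = fail").
SPF_COND_RE = re.compile(r"(?:^|\s)spf\s*=")

# Constructed sample output of `exim -bV` (not from a real host).
SAMPLE_BV_OUTPUT = "Exim version 4.96 #2 built 01-Jan-2023 00:00:00\n"

# Constructed ACL fragment: one live spf condition (line 4) and one commented out.
SAMPLE_ACL = """\
acl_check_rcpt:
  # spf = softfail          <- comment line, must not be reported
  deny message = SPF check failed for $sender_address
       spf = fail
  accept
"""


def parse_exim_version(bv_output: str) -> tuple[int, ...]:
    """Return the version as an int tuple, e.g. (4, 96), from `exim -bV` output."""
    match = VERSION_RE.search(bv_output)
    if not match:
        raise ValueError("no 'Exim version' line found in output")
    return tuple(int(part) for part in match.group(1).split("."))


def version_is_patched(version: tuple[int, ...], minimum=PATCHED_VERSION) -> bool:
    """Numeric comparison with zero padding, so (4, 96) sorts below (4, 96, 1)."""
    width = max(len(version), len(minimum))

    def pad(v: tuple[int, ...]) -> tuple[int, ...]:
        return tuple(v) + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def find_spf_conditions(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every uncommented line using the spf condition."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        if SPF_COND_RE.search(stripped):
            hits.append((lineno, stripped))
    return hits


def audit(bv_output: str, config_text: str) -> dict:
    """Combine both checks into one report dict."""
    version = parse_exim_version(bv_output)
    return {
        "version": version,
        "patched": version_is_patched(version),
        "spf_conditions": find_spf_conditions(config_text),
    }


def installed_exim_version() -> tuple[int, ...] | None:
    """Query the real binary; returns None when exim is not installed."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_exim_version(proc.stdout)


if __name__ == "__main__":
    # Runs against the constructed samples; swap in `installed_exim_version()`
    # and the contents of the live configure file to audit a real host.
    report = audit(SAMPLE_BV_OUTPUT, SAMPLE_ACL)
    print(f"Exim {'.'.join(map(str, report['version']))}: "
          f"{'patched' if report['patched'] else 'NOT patched (below 4.96.1)'}")
    for lineno, text in report["spf_conditions"]:
        print(f"ACL uses spf condition at line {lineno}: {text}")
```

On the sample data the script reports the 4.96 build as below 4.96.1 and flags the single live `spf = fail` line while ignoring the commented-out one. Each flagged line is a place where the advisory's mitigation says to remove the condition until a fix ships.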
The six zero days are the latest example of multiple vulnerabilities existing in Exim message transfer agent software. While patches are available, it's unclear how quickly users will act. In 2020, the National Security Agency published an advisory that the Russian threat group Sandworm was actively exploiting a known Exim vulnerability that was first disclosed and patched in 2019.
Heiko Schlittermann and Openwall Project did not respond to requests for comment at press time.
A ZDI spokesperson sent the following statement to TechTarget Editorial: "The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs. We will update our advisories with a link to the security advisory, code check-in, or other public documentation closing the issue when the developers provide us with that information."
Arielle Waldman is a Boston-based reporter covering enterprise security news.