iTnews Asia

Exim mail servers worldwide need urgent patches

Three out of six issues already fixed.

By Richard Chirgwin on Oct 4, 2023 10:33AM

Bugs in the popular Exim message transfer agent (MTA) software have exposed hundreds of thousands of systems to remote code execution (RCE).

Since its role is handling email, Exim runs exposed to the internet, meaning that any vulnerability is likely to be exploited.

According to a regular Securityspace survey, there were more than 300,000 Exim servers visible from the internet on October 1.

CVE-2023-42115 is a bug in Exim's simple mail transfer protocol (SMTP) service, which listens on TCP port 25.

The bug allows an attacker to write data past the end of a buffer, and an exploit gives an unauthenticated remote attacker the ability to run code in the context of the SMTP service. It carries a critical-rated CVSS score of 9.8.

The bug was disclosed through the Zero Day Initiative, as one of six zero-day vulnerabilities reported through the scheme.

There were also two high-rated bugs (CVSS score 8.1): CVE-2023-42116, a buffer overflow in its SMTP challenge component; and CVE-2023-42117, a memory corruption bug in the SMTP service that could also give an attacker RCE.

According to this post to the oss-sec mailing list, patches have been made available for three of the bugs and will soon be applied by Exim's maintainers, with Heiko Schlittermann saying the maintainers need more information about the remaining issues. 

Exim needed urgent patches twice in 2019 – in June and October – and in 2020, America’s National Security Agency warned the MTA was being targeted by Russian hacking operation Sandworm.

Copyright © iTnews.com.au . All rights reserved.