Exim 4.94.2 update fixes 10 remotely exploitable vulnerabilities

Exim 4.94.2 has been released with fixes for 21 vulnerabilities (CVE-2020-28007 through CVE-2020-28026, and CVE-2021-27216), discovered by Qualys and reported under the collective name 21Nails. 10 of the issues can be exploited remotely (including to execute code as root) by manipulating the SMTP commands sent to the server.

All versions of Exim are affected, as far back as the project's Git history goes (2004). Working proof-of-concept exploits have been prepared for 4 local and 3 remote vulnerabilities. The exploits for the local vulnerabilities (CVE-2020-28007, CVE-2020-28008, CVE-2020-28015, CVE-2020-28012) allow privileges to be raised to the root user. Two of the remote issues (CVE-2020-28020, CVE-2020-28018) allow code execution with the rights of the Exim user without authentication (root can then be obtained by exploiting one of the local vulnerabilities).

Vulnerability CVE-2020-28021 allows immediate remote code execution with root rights, but requires authenticated access: the user must establish an authenticated session, after which the vulnerability can be exploited by manipulating the AUTH parameter of the MAIL FROM command. The root cause is that the attacker can inject a line into the spool file header, because the authenticated_sender value is written to it without proper escaping of special characters (for example, by sending the command "Mail From: Auth = Raven + 0aareyes").
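The bug class described above, a client-controlled value written verbatim into a line-oriented header file, is easy to reproduce in miniature. The following is an added illustration, not Exim's code: the spool format, the field names and the functions are hypothetical simplifications, and the injected value is a constructed sample. It shows an unescaped write beside a hardened one and a parser that demonstrates why the injected line is later trusted as a genuine header field.

```python
"""Header-line injection in a line-oriented spool file: vulnerable write vs. hardened write.

Added example with a hypothetical spool format; not Exim's real code or format.
"""
import re
from typing import Dict, List

# Any ASCII control character (including CR and LF) must never reach a
# line-oriented file, because the line separator is the record delimiter.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_spool_header_unsafe(authenticated_sender: str) -> List[str]:
    """Vulnerable pattern: the value is interpolated verbatim.

    A newline inside the value terminates the current header line and
    whatever follows it becomes a new line that the parser treats as a
    legitimate field written by the server itself.
    """
    text = f"-auth_sender {authenticated_sender}\n-received_protocol esmtpa\n"
    return text.splitlines()


def build_spool_header_safe(authenticated_sender: str) -> List[str]:
    """Hardened pattern: refuse the value if it contains any control character.

    Rejecting is simpler and safer than escaping, because the reader side
    then needs no matching unescape logic that could drift out of sync.
    """
    if CONTROL_CHARS.search(authenticated_sender):
        raise ValueError("control character in authenticated_sender")
    text = f"-auth_sender {authenticated_sender}\n-received_protocol esmtpa\n"
    return text.splitlines()


def parse_spool_header(lines: List[str]) -> Dict[str, str]:
    """Toy reader: every line starting with '-' is a 'key value' field.

    It has no way to tell a server-written line from an injected one; that
    is exactly why the writer must guarantee values contain no line breaks.
    """
    fields: Dict[str, str] = {}
    for line in lines:
        if line.startswith("-"):
            key, _, value = line[1:].partition(" ")
            fields[key] = value
    return fields


def demo() -> Dict[str, str]:
    """Run the constructed sample through the vulnerable writer.

    The value carries an embedded newline followed by a field the client
    should never be able to set; the parser hands it back as a real field.
    """
    constructed_value = "alice@example.org\n-injected_field yes"
    return parse_spool_header(build_spool_header_unsafe(constructed_value))


if __name__ == "__main__":
    print("unsafe writer produced:", demo())
    try:
        build_spool_header_safe("alice@example.org\n-injected_field yes")
    except ValueError as exc:
        print("safe writer rejected the value:", exc)
```

The same reasoning applies to any format where a delimiter character doubles as a record boundary; the fix belongs at the point where untrusted input is serialized, not in the parser.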

It is additionally noted that another remote vulnerability, CVE-2020-28017, is also suitable for executing code with the rights of the Exim user without authentication, but it requires more than 25 GB of memory. For the remaining 13 vulnerabilities, exploits could potentially be prepared, but no work in that direction has been done yet.

The Exim developers were notified of the problems in October last year and took more than 6 months to develop the fixes.
All administrators are urged to update Exim on their mail servers to version 4.94.2 without delay. All versions of Exim prior to release 4.94.2 are declared obsolete. The publication of the new version was coordinated with the distributions, which published package updates at the same time: Ubuntu, Arch Linux, FreeBSD, Debian, SUSE and Fedora. RHEL and CentOS are not affected, since Exim is not included in their regular package repositories (no update is available in EPEL yet).


Source: media reports.