Censys warns that over 1.5 million Exim mail transfer agent (MTA) instances are unpatched against a critical vulnerability that lets threat actors bypass security filters.
Tracked as CVE-2024-39929 and patched by Exim developers on Wednesday, the security flaw impacts Exim releases up to and including version 4.97.1.
The vulnerability is caused by incorrect parsing of multiline RFC2231 header filenames, which could let remote attackers deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism.
“If a user were to download or run one of these malicious files, the system could be compromised,” Censys warned, adding that “a PoC is available, but no active exploitation is known yet.”
“As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada,” the company added.
While email recipients will still need to launch the malicious attachment to be affected, the flaw allows threat actors to bypass security checks based on file extensions. This enables them to deliver harmful files that are usually blocked, such as executables, into their targets' mailboxes.
Admins who cannot immediately upgrade Exim are advised to restrict remote access to their servers from the Internet to block incoming exploitation attempts.
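The article does not describe Exim's parsing defect in detail, so the following added example (not Exim's code and not from Censys) only illustrates the general lesson for a mail gateway: an RFC 2231 filename can be split across continuation parameters (filename*0, filename*1, ...), and an extension check must run on the reassembled name, not on a raw header scan. The message, the weak check and the blocklist are constructed for this illustration.

```python
import email
import re

# Constructed sample message: the attachment filename is carried as
# RFC 2231 continuation segments, so no single filename= token holds it.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="report";
 filename*1=".exe"

placeholder attachment body (constructed, not an executable)
--b1--
"""

# Hypothetical extension blocklist for the gateway check.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif"}

def naive_filename(disposition_header: str):
    """Hypothetical weak check: look only for a literal filename= token."""
    m = re.search(r'filename="?([^";\r\n]+)"?', disposition_header, re.IGNORECASE)
    return m.group(1) if m else None  # continuation segments never match

def robust_filenames(raw_message: str):
    """Reassemble each attachment name; the stdlib joins filename*N parts."""
    msg = email.message_from_string(raw_message)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names

def extension_of(name: str):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def blocked_attachments(raw_message: str):
    """Attachment names whose reassembled extension is on the blocklist."""
    return [n for n in robust_filenames(raw_message)
            if extension_of(n) in BLOCKED_EXTENSIONS]
```

Running blocked_attachments on the sample flags report.exe, while naive_filename applied to the same Content-Disposition value finds no filename at all and would let the part through.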
Millions of servers exposed online
MTA servers, such as Exim, are often targeted in attacks because they are almost always accessible via the Internet, making them easy-to-find potential entry points into a target's network.
Exim is also the default Debian Linux MTA and is the world's most popular MTA software, based on a mail server survey from earlier this month.
According to the survey, over 59% of the 409,255 mail servers reachable on the Internet during the survey were running Exim, representing just over 241,000 Exim instances.
Also, per a Shodan search, over 3.3 million Exim servers are currently exposed online, most in the United States, followed by Russia and the Netherlands. Censys found 6,540,044 public-facing mail servers online, 4,830,719 (roughly 74%) running Exim.

The National Security Agency (NSA) revealed in May 2020 that the notorious Russian military hacking group Sandworm has been exploiting a critical CVE-2019-10149 Exim flaw (dubbed The Return of the WIZard) since at least August 2019.
More recently, in October, the Exim devs patched three zero-days disclosed by Trend Micro's Zero Day Initiative (ZDI), one of them (CVE-2023-42115) exposing millions of Internet-exposed Exim servers to pre-auth RCE attacks.
