Exim Mail Server 21Nails Vulnerability Advisory | May 2021

Newly discovered critical vulnerabilities in the popular Exim mail transfer agent could allow for remote command execution attacks.

Newly discovered critical vulnerabilities in the popular Exim mail transfer agent could allow for remote command execution attacks against those mail servers. Organizations running internet services on Exim are encouraged to patch as soon as possible.

Background

On May 4, 2021, the Qualys Research Team announced that it had discovered multiple critical vulnerabilities in the Exim mail transfer agent (MTA), some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys discovered the 21 security flaws, collectively known as 21Nails, last October and worked with Exim developers to develop patches. All versions released before Exim 4.94.2 are vulnerable.

Exim is a popular and freely available MTA for major Unix-like operating systems and comes pre-installed on Linux distributions such as Debian. An estimated 60% of internet servers run on Exim, and a Shodan search reveals nearly 4 million Exim servers are exposed to the internet.

According to Qualys, MTAs are enticing targets for attackers because they are usually accessible over the internet and, once exploited, attackers can modify email settings and create new accounts on the mail servers. Just last year, another vulnerability in the Exim MTA was targeted by the Russian threat actors known as the Sandworm Team.

Quick facts: what you need to know now

  • All Exim versions released before 4.94.2 are vulnerable and should be patched immediately.
  • It is unknown whether cyber threat actors are currently exploiting these vulnerabilities. Qualys is not publishing exploit code, but exploitation in the wild will likely occur soon.

Next Steps for Organizations Using Exim MTA

If your organization uses Exim MTA, you should:

  1. Review the Qualys blog post and the technical details in the security advisory.
  2. Itemize all assets running Exim software. If you are unsure how to do so, Qualys offers its VMDR service free for 30 days, and it can be used to identify all vulnerable assets.
  3. Upgrade all Exim software to the latest version, 4.94.2 (the patched release published May 4, 2021).
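As an added example for steps 2 and 3 (not part of the original advisory or of the Qualys or Exim material), a POSIX shell helper that reads the first line of `exim -bV` output, extracts the version, and flags anything older than 4.94.2 as needing the 21Nails upgrade. The sample `exim -bV` line is constructed; the "Exim version X.Y.Z" prefix is the upstream output format.

```shell
#!/bin/sh
# Added example: flag Exim installs older than 4.94.2 (the 21Nails fix release).
# Assumes upstream-style version strings ("4.92", "4.94.2"); a missing third
# component is treated as 0.

FIXED_VERSION="4.94.2"

# version_cmp A B: prints -1, 0 or 1 depending on whether A <, =, > B.
# Compares up to three numeric dot-separated components.
version_cmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' '-1'; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' '1'; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' '0'
}

# exim_is_vulnerable VERSION: succeeds (exit 0) when VERSION predates 4.94.2.
exim_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# exim_version_from_bv: reads `exim -bV` output on stdin, prints the version.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Demo on a constructed sample line (not captured from a real host).
SAMPLE='Exim version 4.92 #3 built 01-Jan-2020 12:00:00'
sample_version=$(printf '%s\n' "$SAMPLE" | exim_version_from_bv)
if exim_is_vulnerable "$sample_version"; then
    echo "Exim $sample_version: VULNERABLE (older than $FIXED_VERSION), upgrade required"
else
    echo "Exim $sample_version: at or above $FIXED_VERSION"
fi
```

On a live host, pipe the real output in with `exim -bV | exim_version_from_bv`. Some distributions backport security fixes without changing the upstream version string, so treat a "vulnerable" result as a prompt to check the vendor's package changelog rather than as a final verdict.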

Additional Resources