Critical Exim vulnerability facilitates malware delivery (CVE-2024-39929)
The maintainers of the Exim mail transfer agent (MTA) have fixed a critical vulnerability (CVE-2024-39929) that currently affects around 1.5 million public-facing servers and can help attackers deliver malware to users.
About CVE-2024-39929
The vulnerability stems from a bug in RFC 2231 header parsing (the mechanism used to split long or non-ASCII MIME parameter values such as an attachment filename into numbered continuation segments), and may allow remote attackers to bypass protection measures and deliver executable attachments directly to end users' mailboxes.
“This bug can be a potential security issue for users that have implemented an extension block list via matching with $mime_filename, because the filename is not parsed correctly and omits the relevant last part of the filename,” explained Phillip Szelat, the researcher who discovered the flaw.
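To make the parsing point concrete, here is an added example (not code from Exim or from the researcher) that reassembles an RFC 2231 continuation parameter the way the RFC specifies and then applies an extension block list to the result. The sample Content-Disposition header, the block list and the helper that drops the final segment are all constructed for illustration; the latter only models the behaviour the researcher describes (the last part of the filename being omitted), not Exim's actual code path.

```python
import re
import urllib.parse

# Constructed sample header (not from the advisory). RFC 2231 splits a long or
# non-ASCII parameter into numbered segments (filename*0, filename*1, ...); a
# trailing '*' marks a segment encoded as charset'language'percent-encoded-value.
SAMPLE_HEADER = (
    "attachment; filename*0*=utf-8''invoice%20for%20; "
    "filename*1=\"quarter\"; filename*2=\".exe\""
)

# Constructed block list of the kind an admin might match against $mime_filename.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "com", "pif", "vbs", "js"}

# name, optional *index, optional trailing *, '=', quoted or bare value
PARAM_RE = re.compile(
    r'([A-Za-z0-9_.-]+)(\*(\d+))?(\*)?\s*=\s*("([^"]*)"|[^;\s]+)'
)


def _segments(header):
    """Collect parameter segments as name -> {index: (is_encoded, raw_value)}."""
    segments = {}
    for m in PARAM_RE.finditer(header):
        name, _, index, ext, value, quoted = m.groups()
        raw = quoted if quoted is not None else value
        idx = int(index) if index is not None else 0
        segments.setdefault(name.lower(), {})[idx] = (ext is not None, raw)
    return segments


def _join(parts, indices):
    """Decode and concatenate the chosen segment indices in ascending order."""
    pieces = []
    for i in indices:
        encoded, raw = parts[i]
        if encoded:
            if i == 0 and "'" in raw:
                # First encoded segment carries charset'language' labels.
                _, _, raw = raw.split("'", 2)
            raw = urllib.parse.unquote(raw)
        pieces.append(raw)
    return "".join(pieces)


def parse_params(header):
    """Return name -> value with every RFC 2231 continuation fully reassembled."""
    return {name: _join(parts, sorted(parts)) for name, parts in _segments(header).items()}


def truncated_filename(header):
    """Model of the described defect: reassemble all but the highest-numbered
    segment of 'filename'. This is a simplification for illustration only."""
    parts = _segments(header).get("filename", {})
    return _join(parts, sorted(parts)[:-1])


def is_blocked(filename, blocked=BLOCKED_EXTENSIONS):
    """True if the filename's final extension is on the block list."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in blocked


if __name__ == "__main__":
    full = parse_params(SAMPLE_HEADER)["filename"]
    short = truncated_filename(SAMPLE_HEADER)
    print("reassembled:", repr(full), "blocked:", is_blocked(full))
    print("missing last segment:", repr(short), "blocked:", is_blocked(short))
```

The defensive lesson is that a filename-based filter is only as good as the parser feeding it: the complete reassembly yields `invoice for quarter.exe`, which the block list catches, while the copy with the final segment dropped has no extension at all and sails through. Administrators who rely on such a list should upgrade rather than try to compensate in the filter itself.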
Users still have to download and run the malicious attachment(s) for anything to happen. Nevertheless, the vulnerability makes that outcome more likely if malicious attachments aren’t blocked before delivery and attackers make use of clever social engineering tricks.
CVE-2024-39929 affects Exim releases up to and including 4.97.1, and has been fixed in Exim v4.98, which was released last week.
PoC is available
Exim is included by default on most Unix-like operating systems and is, in fact, the most widely used mail transfer agent out there.
According to Censys, of the 6,540,044 public-facing SMTP mail servers the company sees via its search engine, nearly 75% (4,830,719) are running Exim.
“As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada,” the company shared. “A PoC [for CVE-2024-39929] is available, but no active exploitation is known yet.”
Exim 4.98 is available as a tarball and via the project’s Git repository.
Linux distributions are working on releasing or have already released updated exim4 packages carrying the fix. Admins should upgrade to the latest version as soon as possible.
“All versions of Exim previous to version 4.98 are now obsolete. The last 3.x release was 3.36. It is twenty years obsolete and should not be used,” Exim maintainers also noted.
Vulnerabilities in Exim are often found and privately disclosed by security researchers, and occasionally exploited by attackers.