21 Nails: Exim Mail Server Multiple Vulnerabilities

The Qualys Research Team (QRT) has discovered multiple vulnerabilities in the Exim mail server, some of the which can be chained together and have devastating impact via full remote unauthenticated code execution to gain root privileges. The name “21Nails” is a pun intended on vulnerabilities in a “Mail” transfer agent, corresponding to each CVE listed in below summary.

Last fall, QRT engaged in a thorough code audit of Exim and discovered 21 unique vulnerabilities. 10 of these vulnerabilities can be exploited remotely to gain root privileges and 11 can be exploited locally; while most of them can be exploited in either default configuration or in a very common configuration. Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim server.  One of the vulnerabilities (CVE-2020-28017) discovered by QRT affects all the versions of Exim going back all the way to 2004.

In the past, prior to the pandemic year, the same product was exploited rigorously by Russian cyber actors, well known as the sandworm team.

Here is a quick summary of the vulnerabilities discovered by QRT:

Sr.No. CVE Name Type
1 CVE-2020-28007 Link attack in Exim’s log directory Local
2 CVE-2020-28008 Assorted attacks in Exim’s spool directory Local
3 CVE-2020-28014 Arbitrary file creation and clobbering Local
4 CVE-2021-27216 Arbitrary file deletion Local
5 CVE-2020-28011 Heap buffer overflow in queue_run() Local
6 CVE-2020-28010 Heap out-of-bounds write in main() Local
7 CVE-2020-28013 Heap buffer overflow in parse_fix_phrase() Local
8 CVE-2020-28016 Heap out-of-bounds write in parse_fix_phrase() Local
9 CVE-2020-28015 New-line injection into spool header file (local) Local
10 CVE-2020-28012 Missing close-on-exec flag for privileged pipe Local
11 CVE-2020-28009 Integer overflow in get_stdinput() Local
12 CVE-2020-28017 Integer overflow in receive_add_recipient() Remote
13 CVE-2020-28020 Integer overflow in receive_msg() Remote
14 CVE-2020-28023 Out-of-bounds read in smtp_setup_msg() Remote
15 CVE-2020-28021 New-line injection into spool header file (remote) Remote
16 CVE-2020-28022 Heap out-of-bounds read and write in extract_option() Remote
17 CVE-2020-28026 Line truncation and injection in spool_read_header() Remote
18 CVE-2020-28019 Failure to reset function pointer after BDAT error Remote
19 CVE-2020-28024 Heap buffer underflow in smtp_ungetc() Remote
20 CVE-2020-28018 Use-after-free in tls-openssl.c Remote
21 CVE-2020-28025 Heap out-of-bounds read in pdkim_finish_bodyhash() Remote

QRT has come up with a PoC video presentation.

Affected Devices

Exim Mail Server prior to 4.94.2 are vulnerable.


Qualys recommends security teams to apply patches for these vulnerabilities as soon as possible.

Qualys Detection

Qualys customers can scan their network with QID 50110 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References and Sources







Leave a Reply

Your email address will not be published. Required fields are marked *