The Qualys Research Team (QRT) has discovered multiple vulnerabilities in the Exim mail server, some of the which can be chained together and have devastating impact via full remote unauthenticated code execution to gain root privileges. The name “21Nails” is a pun intended on vulnerabilities in a “Mail” transfer agent, corresponding to each CVE listed in below summary.
Last fall, QRT engaged in a thorough code audit of Exim and discovered 21 unique vulnerabilities. 10 of these vulnerabilities can be exploited remotely to gain root privileges and 11 can be exploited locally; while most of them can be exploited in either default configuration or in a very common configuration. Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim server. One of the vulnerabilities (CVE-2020-28017) discovered by QRT affects all the versions of Exim going back all the way to 2004.
In the past, prior to the pandemic year, the same product was exploited rigorously by Russian cyber actors, well known as the sandworm team.
Here is a quick summary of the vulnerabilities discovered by QRT:
| Sr.No. | CVE | Name | Type |
| 1 | CVE-2020-28007 | Link attack in Exim’s log directory | Local |
| 2 | CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
| 3 | CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
| 4 | CVE-2021-27216 | Arbitrary file deletion | Local |
| 5 | CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
| 6 | CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
| 7 | CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
| 8 | CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
| 9 | CVE-2020-28015 | New-line injection into spool header file (local) | Local |
| 10 | CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
| 11 | CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
| 12 | CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
| 13 | CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
| 14 | CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
| 15 | CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
| 16 | CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
| 17 | CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
| 18 | CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
| 19 | CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
| 20 | CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
| 21 | CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |
QRT has come up with a PoC video presentation.
Affected Devices
Exim Mail Server prior to 4.94.2 are vulnerable.
Mitigations
Qualys recommends security teams to apply patches for these vulnerabilities as soon as possible.
Qualys Detection
Qualys customers can scan their network with QID 50110 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References and Sources