This blog contains information about the 21 Nails Exim vulnerabilities. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.
Update May 4, 2021
22:00 | Newly discovered vulnerabilities in the Exim mail transfer agent (MTA) allow attackers to execute code and gain root privileges on servers running Exim. The vulnerabilities together have been named 21Nails because there are 11 locally exploitable weaknesses and 10 remote ones. They can allow attackers to fully compromise mail servers.
Immediate patching is highly recommended. For systems running a version older than 4.94, this should be done with care, because the configuration of older versions still needs to be adjusted slightly for the update to work. This is because of an extra security measure in version 4.94.2.
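To sort hosts by the two version thresholds mentioned above, the following script classifies the first line of `exim -bV` output. It is an added example, not code from the Exim project or the original post; the function names, result labels and the assumption that the binary is on PATH as `exim` are illustrative, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: triage an Exim version string against the two thresholds in this post.
# Thresholds come from the post: 4.94.2 is the update target, and anything older
# than 4.94 needs configuration adjustments for the update to work.

# Pull "4.92.3" out of the first line of `exim -bV`, e.g. "Exim version 4.92.3 #3 built ...".
exim_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is strictly lower than $2 (missing parts count as 0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

classify_exim() {
    v=$(exim_version_from_line "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" 4.94; then
        echo "update-and-adjust-config"
    elif version_lt "$v" 4.94.2; then
        echo "update"
    else
        echo "at-or-above-4.94.2"
    fi
}

# Constructed sample lines (not captured from real hosts).
for line in "Exim version 4.92.3 #3 built 01-Jan-2021 10:00:00" \
            "Exim version 4.94 #2 built 01-Jan-2021 10:00:00" \
            "Exim version 4.94.2 #2 built 04-May-2021 10:00:00"; do
    printf '%s -> %s\n' "$line" "$(classify_exim "$line")"
done

# On a real host (assumes the binary is on PATH as `exim`):
if command -v exim >/dev/null 2>&1; then
    classify_exim "$(exim -bV 2>/dev/null | head -n 1)"
fi
```

Distribution packages may carry backported fixes under an older upstream version number, so confirm an "update" result against the vendor's own advisory before acting on it.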
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
In the Netherlands, just under 180,000 systems are vulnerable (see image below):
The following CVE references belong to these vulnerabilities:
| CVE | Description | Type |
|---|---|---|
| CVE-2020-28007 | Link attack in Exim’s log directory | Local |
| CVE-2020-28008 | Assorted attacks in Exim’s spool directory | Local |
| CVE-2020-28014 | Arbitrary file creation and clobbering | Local |
| CVE-2021-27216 | Arbitrary file deletion | Local |
| CVE-2020-28011 | Heap buffer overflow in queue_run() | Local |
| CVE-2020-28010 | Heap out-of-bounds write in main() | Local |
| CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase() | Local |
| CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase() | Local |
| CVE-2020-28015 | New-line injection into spool header file (local) | Local |
| CVE-2020-28012 | Missing close-on-exec flag for privileged pipe | Local |
| CVE-2020-28009 | Integer overflow in get_stdinput() | Local |
| CVE-2020-28017 | Integer overflow in receive_add_recipient() | Remote |
| CVE-2020-28020 | Integer overflow in receive_msg() | Remote |
| CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg() | Remote |
| CVE-2020-28021 | New-line injection into spool header file (remote) | Remote |
| CVE-2020-28022 | Heap out-of-bounds read and write in extract_option() | Remote |
| CVE-2020-28026 | Line truncation and injection in spool_read_header() | Remote |
| CVE-2020-28019 | Failure to reset function pointer after BDAT error | Remote |
| CVE-2020-28024 | Heap buffer underflow in smtp_ungetc() | Remote |
| CVE-2020-28018 | Use-after-free in tls-openssl.c | Remote |
| CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash() | Remote |