2021/05/04
Link: qualys.com/2021/05/04/21nails/21nails.txt
Summary
We recently audited central parts of the Exim mail server
(https://en.wikipedia.org/wiki/Exim) and discovered 21 vulnerabilities
(from CVE-2020-28007 to CVE-2020-28026, plus CVE-2021-27216): 11 local
vulnerabilities, and 10 remote vulnerabilities. Unless otherwise noted,
all versions of Exim are affected since at least the beginning of its
Git history, in 2004.
We have not tried to exploit all of these vulnerabilities, but we
successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs
(Remote Code Executions):
- CVE-2020-28007 (LPE, from user "exim" to root);
- CVE-2020-28008 (LPE, from user "exim" to root);
- CVE-2020-28015 (LPE, from any user to root);
- CVE-2020-28012 (LPE, from any user to root, if allow_filter is true);
- CVE-2020-28020 (unauthenticated RCE as "exim", in Exim < 4.92);
- CVE-2020-28018 (unauthenticated RCE as "exim", in 4.90 <= Exim < 4.94,
if TLS encryption is provided by OpenSSL);
- CVE-2020-28021 (authenticated RCE, as root);
- CVE-2020-28017 is also exploitable (unauthenticated RCE as "exim"),
but requires more than 25GB of memory in the default configuration.
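Of the 21 issues, only two are version-gated in the list above: CVE-2020-28020 (Exim < 4.92) and CVE-2020-28018 (4.90 <= Exim < 4.94, OpenSSL builds only); everything else affects every Exim version in Git history, so a version check only tells you which of those two remote RCEs apply on top of the rest. The following triage helper is an added example written for this page, not code from Qualys or the Exim project. It parses the output of "exim -bV" (the sample below is constructed, and the assumption is that the first line reads "Exim version X.YY #N built ..." and that the "Support for:" line names either OpenSSL or GnuTLS) and reports which of the two version-conditional RCEs match the ranges stated in the summary.

```python
import re

# Version-conditional issues exactly as stated in the advisory summary.
# min/max are (major, minor) tuples; max is exclusive ("< 4.92", "< 4.94").
# Every other 21Nails issue applies regardless of version, so it is not listed.
VERSION_CONDITIONAL = {
    "CVE-2020-28020": {"min": None, "max": (4, 92), "needs_openssl": False},
    "CVE-2020-28018": {"min": (4, 90), "max": (4, 94), "needs_openssl": True},
}

# Constructed sample of `exim -bV` output (not captured from a real host).
# Assumed format: version on the first line, TLS library on "Support for:".
SAMPLE_BV = """Exim version 4.93 #2 built 12-Feb-2021 09:14:17
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL TLS_resume DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
Configuration file is /etc/exim4/exim4.conf
"""


def parse_exim_bv(text):
    """Return (version_tuple, tls_library) from `exim -bV` output.

    version_tuple is (4, 93) or (4, 94, 2); tls_library is "OpenSSL",
    "GnuTLS", or None when no TLS library is listed (no TLS support built in).
    """
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    version = tuple(int(x) for x in m.groups() if x is not None)

    tls = None
    m = re.search(r"^Support for:(.*)$", text, re.M)
    if m:
        features = m.group(1).split()
        if "OpenSSL" in features:
            tls = "OpenSSL"
        elif "GnuTLS" in features:
            tls = "GnuTLS"
    return version, tls


def _pad(v):
    """Pad to three components so 4.94 and 4.94.2 compare on equal footing."""
    return tuple(v) + (0,) * (3 - len(v))


def applicable_remote_rces(version, tls):
    """List the version-gated RCEs from the summary that match this build."""
    hits = []
    for cve, cond in VERSION_CONDITIONAL.items():
        if cond["min"] is not None and _pad(version) < _pad(cond["min"]):
            continue
        if cond["max"] is not None and not _pad(version) < _pad(cond["max"]):
            continue
        if cond["needs_openssl"] and tls != "OpenSSL":
            continue
        hits.append(cve)
    return hits


def triage(bv_text):
    """Convenience wrapper: parse `exim -bV` output and return matching CVEs."""
    version, tls = parse_exim_bv(bv_text)
    return applicable_remote_rces(version, tls)


if __name__ == "__main__":
    ver, lib = parse_exim_bv(SAMPLE_BV)
    print("Exim", ".".join(map(str, ver)), "TLS:", lib)
    print("version-gated remote RCEs:", applicable_remote_rces(ver, lib))
    print("remaining 19 issues: affected regardless of version (see summary)")
```

The comparison pads versions to three components so that a point release such as 4.94.2 is correctly treated as not below 4.94; a naive string or two-component comparison would misclassify it. The helper deliberately says nothing about the 19 remaining issues, because per the summary they need no version check at all.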
We will not publish our exploits for now; instead, we encourage other
security researchers to write and publish their own exploits:
- This advisory contains sufficient information to develop reliable
exploits for these vulnerabilities; in fact, we believe that better
exploitation methods exist.
- We hope that more security researchers will look into Exim's code and
report their findings; indeed, we discovered several of these
vulnerabilities while working on our exploits.
- We will answer (to the best of our abilities) any questions regarding
these vulnerabilities and exploits on the public "oss-security" list
(https://oss-security.openwall.org/wiki/mailing-lists/oss-security).
Last-minute note: as explained in the Timeline, we developed a minimal
set of patches for these vulnerabilities; for reference and comparison,
it is attached to this advisory and is also available at
https://www.qualys.com/research/security-advisories/.