Critical Exim Bug Bypasses Security Filters on 1.5 Million Mail Servers

Summary:
Last Wednesday, a critical vulnerability was patched in Exim, a free mail transfer agent (MTA) that’s widely used on Unix-like operating systems. Tracked as CVE-2024-39929, the vulnerability stems from incorrect parsing of multiline RFC 2231 header filenames, which lets threat actors remotely deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism. CVE-2024-39929 affects Exim releases up to and including version 4.97.1 and has been patched in version 4.98. According to a scan conducted by Censys, there are 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), the majority of which reside in the United States, followed by Russia and Canada.
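The defect class the summary describes is a filter that inspects the attachment name before the RFC 2231 parameter syntax (continuation sections such as `filename*0=` / `filename*1=`, and charset-encoded `filename*=`) has been reassembled. The following added example is not Exim's code or anything from the advisory; it contrasts a constructed naive check that only understands `filename="..."` with a check that goes through Python's RFC 2231-aware `email` parser, and runs both over three constructed MIME parts that all name the same `report.exe` attachment. The blocked-extension list is a constructed policy, not a recommendation.

```python
"""Attachment-name filtering must reassemble RFC 2231 parameters first.

Added example (not Exim's code). Three constructed MIME parts carry the same
attachment name in different header syntaxes. A naive check that only knows
filename="..." never sees the extension for the RFC 2231 forms; a check that
uses a full RFC 2231 parser does.
"""
import email
import re
from email.message import Message
from typing import Dict, Optional

# Constructed policy: extensions an inbound mail filter refuses.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".js", ".vbs"}

# Constructed sample parts. All three describe an attachment named "report.exe".
SAMPLE_PARTS = {
    "plain": (
        "Content-Type: application/octet-stream\r\n"
        'Content-Disposition: attachment; filename="report.exe"\r\n'
        "\r\n"
        "sample-bytes\r\n"
    ),
    # Name split across RFC 2231 continuation sections on folded header lines.
    "rfc2231_continuation": (
        "Content-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment;\r\n"
        ' filename*0="report";\r\n'
        ' filename*1=".exe"\r\n'
        "\r\n"
        "sample-bytes\r\n"
    ),
    # Continuation sections with charset prefix and percent-encoding.
    "rfc2231_encoded": (
        "Content-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment;\r\n"
        " filename*0*=UTF-8''report;\r\n"
        " filename*1*=%2Eexe\r\n"
        "\r\n"
        "sample-bytes\r\n"
    ),
}

_NAIVE_FILENAME = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def naive_filename(raw_part: str) -> Optional[str]:
    """Hypothetical filter that only understands filename="...".

    It scans the raw header block and knows nothing about RFC 2231
    continuation sections or charset encoding. This illustrates the
    class of mistake the advisory describes; it is not Exim's code.
    """
    headers = raw_part.split("\r\n\r\n", 1)[0]
    match = _NAIVE_FILENAME.search(headers)
    return match.group(1) if match else None


def rfc2231_filename(raw_part: str) -> Optional[str]:
    """Reassemble the name with the stdlib's RFC 2231-aware parser.

    Message.get_filename() unfolds the header, joins *0/*1 sections in
    order and decodes charset-prefixed, percent-encoded values.
    """
    msg: Message = email.message_from_string(raw_part)
    name = msg.get_filename()
    return name if name else None


def extension_of(name: Optional[str]) -> str:
    """Lower-cased final extension (e.g. '.exe'), or '' when there is none."""
    if not name or "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def is_blocked(name: Optional[str]) -> bool:
    """Policy decision on the reassembled name."""
    return extension_of(name) in BLOCKED_EXTENSIONS


def compare_checks(parts: Dict[str, str] = SAMPLE_PARTS) -> Dict[str, Dict[str, bool]]:
    """Run both checks over every sample part and report the verdicts."""
    return {
        label: {
            "naive_blocked": is_blocked(naive_filename(raw)),
            "rfc2231_blocked": is_blocked(rfc2231_filename(raw)),
        }
        for label, raw in parts.items()
    }


if __name__ == "__main__":
    for label, verdict in compare_checks().items():
        print(f"{label:22s} naive_blocked={verdict['naive_blocked']!s:5s} "
              f"rfc2231_blocked={verdict['rfc2231_blocked']}")
```

Running the script shows the naive check blocking only the `plain` part while the RFC 2231-aware check blocks all three; the same principle applies to any gateway, DLP or mail-client rule that keys on attachment names: decode the parameter fully, then apply the extension policy to the result, and treat a part whose name cannot be decoded as suspicious rather than as having no name.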

Security Officer Comments:
There is currently no evidence of active exploitation attempts in the wild. However, a PoC has been released, which may pave the way for such attacks. Exploitation of CVE-2024-39929 could enable an actor to bypass security checks based on file extensions, allowing them to deliver files that are normally blocked, including executables, into their targets' mailboxes. Given that recipients would still need to open these files for exploitation of CVE-2024-39929 to succeed, end users should be on the lookout for emails from unknown senders that urge them to open an attachment.

Suggested Corrections:
Users should update to the latest version of Exim, 4.98. Those unable to upgrade Exim immediately are advised to restrict remote access to their servers from the Internet to block incoming exploitation attempts. Censys has also published a couple of queries that can be used to identify Censys-visible, public-facing Exim instances running versions potentially affected by this CVE:

https://censys.com/cve-2024-39929/
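For servers not visible to Censys, an internal inventory can apply the same version cut-off stated above (4.97.1 and earlier affected, 4.98 fixed). The following added example is not Censys' query or Exim's tooling; it extracts the Exim version from a line of text such as an SMTP greeting or `exim -bV` output and triages it. The banner lines are constructed samples, and the regex assumes the default greeting format that names `Exim` followed by the version.

```python
"""Triage Exim version strings against the CVE-2024-39929 fixed release.

Added example (not Censys' query). Affected range taken from the advisory:
up to and including 4.97.1 is affected, 4.98 is fixed. The banners below are
constructed samples; servers with a customised greeting need a different regex.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (4, 98)

# Matches "Exim 4.97.1" in a greeting or in "Exim version 4.97.1" style output.
_VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+(?:\.\d+)*)", re.IGNORECASE)

# Constructed sample greetings (hostnames are placeholders).
CONSTRUCTED_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.97.1 Thu, 11 Jul 2024 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.98 Thu, 11 Jul 2024 10:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.96.2",
    "220 mx4.example.test ESMTP Postfix",
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an int tuple, e.g. (4, 97, 1), or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Tuple comparison: (4, 97, 1) < (4, 98) is True; (4, 98, 0) < (4, 98) is False."""
    return version < FIXED_VERSION


def triage(banners: List[str]) -> Dict[str, str]:
    """Map each banner to 'affected', 'patched' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for banner in banners:
        version = parse_version(banner)
        if version is None:
            verdicts[banner] = "unknown"
        elif is_affected(version):
            verdicts[banner] = "affected"
        else:
            verdicts[banner] = "patched"
    return verdicts


if __name__ == "__main__":
    for banner, verdict in triage(CONSTRUCTED_BANNERS).items():
        print(f"{verdict:9s} {banner}")
```

One caveat for this kind of check: distributions sometimes backport a fix without changing the reported version string, so a version-based result of "affected" should be confirmed against the package's changelog or vendor advisory before it drives an emergency change, while "patched" from a self-reported banner should not be trusted more than the server's actual package state.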

Link(s):
https://www.bleepingcomputer.com/ne...-security-filters-on-15-million-mail-servers/