Researchers have discovered a critical vulnerability in the Exim mail transfer agent, putting approximately 1.5 million email servers at risk of delivering malware to their users.
Exim is a mail transfer agent (MTA) used in Unix-like operating systems, responsible for routing, delivering, and receiving email messages. As a flexible and highly configurable agent, Exim is a very popular choice among IT teams.
Researchers at security firm Censys have found a vulnerability that attackers can use to bypass the protections that normally stop email messages from delivering attachments capable of installing applications or running code. The vulnerability is tracked as CVE-2024-39929 and has a severity rating of 9.1/10 (critical).
Not (yet) abused
“I can confirm this bug,” Heiko Schlittermann, a member of the Exim project team, wrote on a bug tracking site, as reported by Ars Technica. “I think this is a serious security issue.”
According to Censys, of the approximately 6.5 million publicly accessible SMTP email servers, 4.8 million run Exim, and 1.5 million of those run an older, vulnerable version. So far there have been no reports of the vulnerability being abused, but now that it is public, it is only a matter of time before threat actors start scanning the internet for vulnerable instances.
For the attack to work, a victim would still need to open the attachment and install the malware. However, threat actors have recently been running highly sophisticated social engineering campaigns, so the risk of infection is very real.
With phishing still one of the most popular methods of malware distribution, flawed email servers are a highly valued commodity. For example, in 2020 a Russian state-sponsored threat actor exploited an Exim flaw, disclosed almost half a year earlier, to gain access to email servers.
IT teams running Exim should update to version 4.98, the first release that includes the fix.
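As an added example (not part of the article, and not code from the Exim project or Censys), the following script helps an administrator inventory a fleet against the fixed version named above. It parses the first line of `exim -bV` output, which is assumed here to begin with `Exim version X.Y.Z`, and flags anything below 4.98; the sample output lines are constructed for the example.

```python
import re
import subprocess
from typing import Optional, Tuple

# First Exim release that contains the fix for CVE-2024-39929 (from the article).
FIXED_VERSION = (4, 98)

# Assumed format of the first line of `exim -bV`, e.g.
# "Exim version 4.97.1 #2 built 01-Jan-2024 00:00:00"
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple from `exim -bV` output, or None if unparseable."""
    match = _VERSION_RE.match(bv_output.strip().splitlines()[0] if bv_output.strip() else "")
    if not match:
        return None
    # Missing patch level (e.g. "4.98") is treated as .0 so tuples compare cleanly.
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """A version is considered vulnerable if it is older than the first fixed release."""
    major, minor = version[0], version[1]
    return (major, minor) < FIXED_VERSION


def assess(bv_output: str) -> str:
    """Classify a host as 'fixed', 'vulnerable' or 'unknown' from its `exim -bV` output."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def assess_local_exim() -> str:
    """Run `exim -bV` on this host (hypothetical helper; requires Exim to be installed)."""
    try:
        result = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs standing in for a small fleet of hosts.
    samples = {
        "mx1.example.invalid": "Exim version 4.97.1 #2 built 01-Jan-2024 00:00:00",
        "mx2.example.invalid": "Exim version 4.98 #1 built 01-Jul-2024 00:00:00",
        "mx3.example.invalid": "bash: exim: command not found",
    }
    for host, output in samples.items():
        print(f"{host}: {assess(output)}")
```

Only the major and minor components decide the verdict, since the article names 4.98 as the first fixed release; a more precise policy would also read the distribution's changelog for backported fixes, which this check cannot see.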