Exim vulnerability threatens security of 1.5 million mail servers

Security researchers have discovered a critical vulnerability in the popular server-based email client Exim that allows attackers to bypass security and send malicious attachments. More than 1.5 million servers around the world are at risk.

Image Source: Aaron McLean / Unsplash

Cybersecurity experts identified 10 days ago a serious vulnerability in Exim software, one of the most common mail servers in the world, Ars Technica reports. The vulnerability, identified as CVE-2024-39929, allows attackers to bypass standard security mechanisms and send emails with executable attachments that can pose a serious threat to end users.

According to cyber threat intelligence company Censys, of the more than 6.5 million public SMTP servers currently on the Internet, 4.8 million (about 74%) are running Exim. More than 1.5 million Exim servers (approximately 31%) use vulnerable versions of the software.

The vulnerability, CVE-2024-39929, is rated 9.1 out of 10 on the CVSS severity scale and is due to an error in the handling of multi-line headers described in RFC 2231. Heiko Schlittermann, a member of the Exim development team, has confirmed the vulnerability. vulnerability, calling it a “major security issue.”

While there are currently no reports of active exploitation of the bug, experts warn of a high likelihood of targeted attacks in the near future. They recalled a 2020 case in which the hacker group Sandworm exploited another vulnerability in Exim (CVE-2019-10149) to launch massive attacks on servers.

Although a successful attack requires the end user to launch a malicious attachment, experts emphasize that social engineering techniques remain one of the most effective ways to compromise systems. Experts recommend that Exim server administrators update their software to the latest version as soon as possible to protect their systems from potential attacks.

The CVE-2024-39929 vulnerability is present in all versions of Exim up to and including 4.97.1. The fix is ​​available in Release Candidate 3 version 4.98.