National Cyber Warfare Foundation (NCWF) Forums


Critical flaw in Exim MTA could allow to deliver malware to users’ inboxes


0 user ratings
2024-07-12 19:47:04
milo
Blue Team (CND)


A critical vulnerability in Exim mail server allows attackers to deliver malicious executable attachments to mailboxes.





Attackers can exploit a critical security flaw, tracked as CVE-2024-39929 (CVSS score of 9.1), in the Exim mail transfer agent to deliver malicious attachments to target users’ inboxes.





Exim is a widely used Mail Transfer Agent (MTA) designed to route, deliver, and receive email messages. Developed initially for Unix-like systems, Exim is known for its flexibility and configurability, allowing administrators to customize its behavior extensively through configuration files.





Exim versions through 4.97.1 misparse a filename that is split across multiple header lines using RFC 2231 parameter continuations. A remote attacker can use this to bypass the $mime_filename extension-blocking protection and potentially deliver executable attachments to user mailboxes.
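The bypass class described above is easiest to see with a small parser. The following is an added illustration, not Exim's code and not a reproduction of its specific defect: it contrasts a naive extension check that only looks for a single `filename=` parameter against a check that first reassembles RFC 2231 continuation segments (`filename*0=`, `filename*1=`, and the charset-tagged `filename*0*=` form) before inspecting the extension. The header values, the `BLOCKED_EXTENSIONS` set and all function names are constructed for the example.

```python
import os
import re
import urllib.parse

# Constructed sample Content-Disposition values (not taken from the advisory).
# RFC 2231 allows a parameter to be split into numbered continuation segments,
# optionally percent-encoded and charset-tagged with a trailing '*', and the
# header may be folded across several lines.
SAMPLE_HEADERS = {
    "plain": 'attachment; filename="report.pdf"',
    "continuation": (
        'attachment;\r\n'
        ' filename*0="invoice";\r\n'
        ' filename*1=".exe"'
    ),
    "encoded": (
        "attachment;\r\n"
        " filename*0*=utf-8''%E2%82%AC%20inv;\r\n"
        " filename*1*=oice.exe"
    ),
}

# Example block list for a mail filter; the set is an assumption for this demo.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}

# One parameter: ';' name [*index] [*] '=' (quoted-string | token)
_PARAM_RE = re.compile(
    r';\s*([^\s=*;]+)(?:\*(\d+))?(\*)?\s*=\s*(?:"([^"]*)"|([^;\s]*))'
)


def _unfold(header: str) -> str:
    """Join folded header lines (CRLF followed by whitespace) into one line."""
    return re.sub(r'\r?\n[ \t]+', ' ', header)


def naive_filename(header: str):
    """The weak check: only a literal 'filename=' parameter is recognised.

    Continuation segments such as 'filename*0=' never match, so the function
    returns None and a caller that treats 'no filename' as harmless lets the
    attachment through.
    """
    m = re.search(r'filename\s*=\s*"?([^";]*)"?', _unfold(header), re.I)
    return m.group(1) if m else None


def parse_params(header: str) -> dict:
    """Parse parameters, reassembling RFC 2231 continuations and decoding
    percent-encoded, charset-tagged segments."""
    pieces: dict = {}
    for m in _PARAM_RE.finditer(_unfold(header)):
        name, idx, ext, quoted, token = m.groups()
        raw = quoted if quoted is not None else token
        pieces.setdefault(name.lower(), []).append(
            (int(idx) if idx is not None else 0, ext is not None, raw)
        )
    result = {}
    for name, segs in pieces.items():
        segs.sort(key=lambda s: s[0])          # order by continuation index
        charset, out = "utf-8", []
        for i, (_, encoded, raw) in enumerate(segs):
            if encoded:
                if i == 0 and raw.count("'") >= 2:
                    # first extended segment carries charset'language'value
                    charset, _lang, raw = raw.split("'", 2)
                try:
                    raw = urllib.parse.unquote(raw, encoding=charset or "utf-8",
                                               errors="replace")
                except LookupError:           # unknown charset label
                    raw = urllib.parse.unquote(raw, encoding="utf-8",
                                               errors="replace")
            out.append(raw)
        result[name] = "".join(out)
    return result


def rfc2231_filename(header: str):
    """The hardened check: the filename seen only after reassembly."""
    return parse_params(header).get("filename")


def is_blocked(header: str) -> bool:
    """Block when the fully reassembled filename carries a listed extension."""
    name = rfc2231_filename(header)
    if name is None:
        return False
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:13s} naive={naive_filename(hdr)!r:16} "
              f"rfc2231={rfc2231_filename(hdr)!r:18} blocked={is_blocked(hdr)}")
```

The point for a defender is that any policy keyed on an attachment's extension must operate on the decoded, reassembled parameter value, not on the raw header text. In Python, `email.message.EmailMessage.get_filename()` already performs this RFC 2231 reassembly, so a filter built on the standard library's parser gets the right value without hand-rolling the logic above.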





The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98.





“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” read the advisory.





According to cybersecurity firm Censys, of the 6,540,044 public-facing SMTP mail servers it observes, 4,830,719 (~74%) are running Exim.





Censys researchers state that a proof of concept (PoC) exploit for this issue exists, but there are no known active exploitations yet.





“As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada. So far, 82 public-facing servers show indications of running a patched release of 4.98.” reads the report published by Censys.





The firm also published a set of Censys search queries for identifying public-facing Exim instances running versions potentially affected by this CVE.





Pierluigi Paganini





Follow me on Twitter: @securityaffairs and Facebook and Mastodon





(SecurityAffairs – hacking, malware)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/165649/hacking/critical-flaw-exim-mta.html





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.