The existence of several unpatched vulnerabilities impacting Exim mail transfer agent (MTA) installations was disclosed last week, more than one year after they were initially reported to developers.
Trend Micro’s Zero Day Initiative (ZDI) learned about six Exim vulnerabilities last year and reported the findings to the MTA software’s developers in June 2022. However, Exim developers have only now started working on patches, with accusations being made by both sides.
Exim, a piece of software used to receive and relay emails, is present on hundreds of thousands of servers. Vulnerabilities affecting the software can be highly valuable to threat actors, which have been known to exploit Exim flaws in their attacks.
ZDI last week released six individual advisories describing the flaws, reported to the company by an anonymous researcher. The most serious of them, rated ‘critical’ and tracked as CVE-2023-42115, can be exploited by a remote, unauthenticated attacker to execute arbitrary code.
Three other flaws, classified as ‘high severity’ and tracked as CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118, can also be exploited for remote code execution without authentication.
The remaining two issues have a lower severity rating and their exploitation can lead to information disclosure.
According to ZDI’s timeline, the vulnerabilities were reported to Exim developers in June 2022 and ZDI reached out for an update in late April 2023, with the bug reports being resent to Exim in May.
ZDI made its advisories public on September 27 and a public discussion regarding the flaws was initiated late last week on the Openwall mailing list.
Exim is working on patches and says they should become available shortly, though there still seems to be some confusion within Exim on what exactly has been reported via ZDI. Developers claim the vulnerabilities can only be exploited if certain features are used.
Exim developers have complained that ZDI failed to provide needed clarifications between its initial report in June 2022 and May 2023.
Some have argued that it has still taken Exim developers a long time to start addressing the flaws, even if it only learned about them in May.
In response to the Exim team’s complaints, ZDI said, “The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do’.”