Exim 4.94.2 update fixes 10 remotely exploitable vulnerabilities

Exim 4.94.2 has been released, fixing 21 vulnerabilities (CVE-2020-28007 through CVE-2020-28026, plus CVE-2021-27216) discovered by Qualys and collectively named 21Nails. Ten of them are exploitable remotely, by manipulating SMTP commands during a session with the server, and in some cases yield code execution as root.

All versions of Exim back to the start of its Git history in 2004 are affected. Qualys prepared working proof-of-concept exploits for four local and three remote issues. The local exploits (CVE-2020-28007, CVE-2020-28008, CVE-2020-28015, CVE-2020-28012) escalate privileges to root. Two of the remote issues (CVE-2020-28020, CVE-2020-28018) give unauthenticated code execution as the exim user, after which root can be obtained through one of the local vulnerabilities.

CVE-2020-28021 yields remote code execution as root directly, but requires authentication: the attacker first authenticates an SMTP session and then triggers the bug through the AUTH parameter of the MAIL FROM command. The cause is that the authenticated_sender value is written into the spool header file without escaping special characters, so a newline smuggled into it (in xtext encoding, for example "MAIL FROM:<> AUTH=Raven+0AReyes", where +0A decodes to a line feed) lets the attacker inject arbitrary lines into the spool header.
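The following C program is an added example, written for this page and not taken from Exim or from the Qualys advisory, that walks through the mechanism described above: it decodes the xtext-encoded AUTH= value the way RFC 3461 defines it, writes it onto the spool header's -auth_sender line unchecked (the vulnerable pattern), and then does the same with a control-character check in front (a hardening this example adds; it is not a description of the upstream patch). Function names, buffer sizes and the sample addresses are assumptions made for illustration.

```c
/*
 * Added example illustrating the CVE-2020-28021 mechanism. This is not Exim
 * source code; function names and buffer sizes are this example's own.
 *
 * The AUTH= parameter of MAIL FROM is "xtext" encoded (RFC 3461): "+HH" is
 * the byte with hex value HH, so "+0A" is a line feed. Exim stores the value
 * on the "-auth_sender" line of the line-oriented spool header file. If the
 * decoded value is written verbatim, the LF ends that line early and the rest
 * of the value is read back as a separate header line.
 */
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;   /* lenient: RFC 3461 says uppercase */
    return -1;
}

/* xtext decode: "+HH" -> byte, anything else copied through.
 * Returns the decoded length, or -1 on a malformed escape or a full buffer. */
int xtext_decode(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in; in++) {
        int c;
        if (*in == '+') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return -1;            /* "+" not followed by two hex digits */
            c = hi * 16 + lo;
            in += 2;
        } else {
            c = (unsigned char)*in;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Format the spool header line. Returns -1 if it does not fit. */
static int write_auth_sender_line(const char *decoded, char *hdr, size_t hdrlen) {
    int r = snprintf(hdr, hdrlen, "-auth_sender %s\n", decoded);
    return (r < 0 || (size_t)r >= hdrlen) ? -1 : r;
}

/* Vulnerable pattern: the decoded AUTH= value goes into the header unchecked. */
int spool_header_vulnerable(const char *auth_param, char *hdr, size_t hdrlen) {
    char decoded[256];
    if (xtext_decode(auth_param, decoded, sizeof decoded) < 0) return -1;
    return write_auth_sender_line(decoded, hdr, hdrlen);
}

/* Hardened pattern (this example's own check, not the upstream patch):
 * refuse any control character in the decoded value, since none belongs in a
 * sender address and any of them can break a line-oriented file. */
int spool_header_hardened(const char *auth_param, char *hdr, size_t hdrlen) {
    char decoded[256];
    int n = xtext_decode(auth_param, decoded, sizeof decoded);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        unsigned char c = (unsigned char)decoded[i];
        if (c < 0x20 || c == 0x7f) return -1;
    }
    return write_auth_sender_line(decoded, hdr, hdrlen);
}

/* Number of lines in a header buffer: one is correct, more means injection. */
int count_lines(const char *s) {
    int n = 0;
    for (; *s; s++) if (*s == '\n') n++;
    return n;
}

/* Lines the vulnerable writer produces for a given AUTH= value (-1 on error). */
int vulnerable_line_count(const char *auth_param) {
    char hdr[512];
    if (spool_header_vulnerable(auth_param, hdr, sizeof hdr) < 0) return -1;
    return count_lines(hdr);
}

/* 1 if the hardened writer accepts the AUTH= value, 0 if it rejects it. */
int hardened_accepts(const char *auth_param) {
    char hdr[512];
    return spool_header_hardened(auth_param, hdr, sizeof hdr) >= 0;
}

int main(void) {
    const char *payload = "Raven+0AReyes";   /* the advisory's example value */
    char hdr[512];
    if (spool_header_vulnerable(payload, hdr, sizeof hdr) > 0)
        printf("vulnerable writer produced %d line(s):\n%s", count_lines(hdr), hdr);
    printf("hardened writer %s the value\n",
           hardened_accepts(payload) ? "accepted" : "rejected");
    return 0;
}
```

Run as is, the vulnerable writer turns the single "Raven+0AReyes" value into two header lines ("-auth_sender Raven" followed by "Reyes"), which is exactly the foothold the advisory describes: whatever follows the +0A is parsed as a header line of the attacker's choosing. The hardened writer rejects the value before it reaches the file. A legitimate xtext escape such as "+2B" for a literal plus sign still decodes and is accepted, so the check does not break valid addresses.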

A further remote vulnerability, CVE-2020-28017, is also noted as exploitable for unauthenticated code execution as the exim user, but exploiting it requires more than 25 GB of memory on the target. Exploits for the remaining 13 vulnerabilities may well be possible too, but no work has been done on them yet.

The Exim developers were notified of the problems in October 2020 and spent more than six months preparing fixes. Administrators are advised to update Exim on their mail servers to 4.94.2 without delay; all earlier releases are now considered obsolete (the installed version can be checked with exim -bV). The release was coordinated with distributions, which published package updates at the same time: Ubuntu, Arch Linux, FreeBSD, Debian, SUSE, and Fedora. RHEL and CentOS do not ship Exim in their standard repositories and so are unaffected out of the box; systems running Exim from EPEL are affected, and EPEL had no updated package at the time of writing.

Remote vulnerabilities:

  • CVE-2020-28017: Integer overflow in receive_add_recipient();
  • CVE-2020-28020: Integer overflow in receive_msg();
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg();
  • CVE-2020-28021: Newline injection into the spool header file;
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option();
  • CVE-2020-28026: Line truncation and injection in spool_read_header();
  • CVE-2020-28019: Failure to reset a function pointer after a BDAT error;
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc();
  • CVE-2020-28018: Use-after-free in tls-openssl.c;
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash().

Local vulnerabilities:

  • CVE-2020-28007: Link attack in Exim's log directory;
  • CVE-2020-28008: Assorted attacks in Exim's spool directory;
  • CVE-2020-28014: Arbitrary file creation and clobbering;
  • CVE-2021-27216: Arbitrary file deletion;
  • CVE-2020-28011: Heap buffer overflow in queue_run();
  • CVE-2020-28010: Heap out-of-bounds write in main();
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase();
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase();
  • CVE-2020-28015: Newline injection into the spool header file;
  • CVE-2020-28012: Missing close-on-exec flag on a privileged pipe;
  • CVE-2020-28009: Integer overflow in get_stdinput().



Source: opennet.ru
