Thousands of servers running the Exim mail transfer agent are vulnerable to potential attacks that exploit critical vulnerabilities, allowing remote execution of malicious code with little or no user interaction.
The vulnerabilities were reported on Wednesday by Zero Day Initiative, but they largely escaped notice until Friday when they surfaced in a security mail list. Four of the six bugs allow for remote code execution and carry severity ratings of 7.5 to 9.8 out of a possible 10. Exim said it has made patches for three of the vulnerabilities available in a private repository. The status of patches for the remaining three vulnerabilities—two of which allow for RCE—are unknown. Exim is an open source mail transfer agent that is used by as many as 253,000 servers on the Internet.
“Sloppy handling” on both sides
ZDI provided no indication that Exim has published patches for any of the vulnerabilities, and at the time this post went live on Ars, the Exim website made no mention of any of the vulnerabilities or patches. On the OSS-Sec mail list on Friday, an Exim project team member said that fixes for two of the most severe vulnerabilities and a third, less severe one are available in a “protected repository and are ready to be applied by the distribution maintainers.”