Detect and mitigate CVE-2023-42115 and five more vulnerabilities in Exim. Organizations running affected configurations should apply the workarounds and patch urgently.
Analysis Summary
# Vulnerability: Multiple Remote Code Execution and Information Disclosure Flaws in Exim MTA
## CVE Details
- CVE ID: CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42114, CVE-2023-42119
- CVSS Score: 9.8 (Critical, CVE-2023-42115), 8.1 (High, the other RCE flaws), 3.7/3.1 (Low, the information disclosure flaws)
- CWE: Improper Input Validation (CVE-2023-42115)
## Affected Systems
- Products: Exim Mail Transfer Agent (MTA)
- Versions: Not explicitly listed for all vulnerabilities, but fixes are present in versions **4.96.1 and 4.97** for patched CVEs. All versions are assumed affected where no fix is available.
- Configurations: Exploitation often requires specific configuration features to be enabled (e.g., "External" authentication, "SPA" module, Exim Proxy usage, or `spf` condition in ACL).
## Vulnerability Description
The primary critical vulnerability, **CVE-2023-42115**, is an Unauthenticated Remote Code Execution (RCE) flaw in the SMTP service. It stems from improper input validation leading to an **out-of-bounds write** condition when the **"External" authentication scheme** is enabled. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the service account. Other high-severity vulnerabilities (CVE-2023-42116, -42117, -42118) also allow RCE under specific configuration conditions, while others (CVE-2023-42114, -42119) allow limited information disclosure.
## Exploitation
- Status: **Not exploited in the wild** (as of article publication), but researchers have confirmed success in exploitation, suggesting imminent real-world activity.
- Complexity: Varies. CVE-2023-42115 is unauthenticated, implying lower complexity for initial access.
- Attack Vector: **Network** (via exposed SMTP ports: 25, 26, 587, 465).
## Impact
- Confidentiality: Varies (Low to High depending on CVE).
- Integrity: High (Potential for arbitrary code execution leading to system compromise).
- Availability: High (System compromise can lead to service disruption).
## Remediation
### Patches
- Patches are available for **CVE-2023-42114, -42115, and -42116** in Exim versions **4.96.1 and 4.97**. Users should upgrade to these versions or later (check vendor site for links).
### Workarounds
- **CVE-2023-42115:** Disable "External" authentication (`driver = external` in config) or restrict remote access to the server.
- **CVE-2023-42116:** Do not use the "SPA" (NTLM) authentication module.
- **CVE-2023-42117:** Do not use Exim behind an untrusted proxy-protocol proxy.
- **CVE-2023-42118:** Do not use the `spf` condition in your Access Control Lists (ACLs).
- **CVE-2023-42119:** Use a trustworthy DNS resolver capable of validating data according to DNS record types.
- **For unpatched vulnerabilities (e.g., CVE-2023-42117, -42118, -42119):** Apply the corresponding configuration workarounds until patches are released.
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected process execution originating from the Exim service user context, especially correlating with login attempts using "External" authentication.
- **Detection Methods and Tools:** Security teams should search configuration files for the presence of vulnerable features (e.g., `driver = external` or `spf` condition). If using cloud security platforms, search for publicly exposed Exim instances on common SMTP ports.
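The configuration review described under Workarounds and Detection can be scripted. The following is an added example (not Exim project code and not from the original advisory): it scans an Exim configuration for the features tied to each workaround, drops the findings that a patched build (4.96.1 / 4.97 or later, per the advisory) already covers, and reports what remains open. The sample configuration is constructed, and the option names used as patterns (`driver = external`, `driver = spa`, `hosts_proxy`, the `spf` ACL condition) are assumptions about typical Exim syntax that should be checked against the running deployment.

```python
"""Audit an Exim configuration for the features that make the CVE-2023-421xx
workarounds applicable, and compare the running version against the fixed releases.

Added example, not Exim project code. Option names in CHECKS are assumptions
about common Exim configuration syntax; verify against your own config.
"""
import re

# (CVE, regex over a comment-stripped config line, workaround from the advisory)
CHECKS = [
    ("CVE-2023-42115", r"\bdriver\s*=\s*external\b",
     'Disable the "external" authenticator or restrict remote access'),
    ("CVE-2023-42116", r"\bdriver\s*=\s*spa\b",
     "Do not use the SPA (NTLM) authenticator"),
    ("CVE-2023-42117", r"\bhosts_proxy\s*=",
     "Do not run Exim behind an untrusted proxy-protocol proxy"),
    ("CVE-2023-42118", r"\bspf\s*=",
     "Do not use the spf condition in ACLs"),
]

# CVEs the advisory says are fixed in 4.96.1 / 4.97.
PATCHED_IN_FIXED = {"CVE-2023-42114", "CVE-2023-42115", "CVE-2023-42116"}
FIRST_FIXED = (4, 96, 1)


def parse_version(text):
    """Extract the first dotted version (e.g. from `exim -bV` output) as a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(x) for x in m.groups() if x is not None)
    return parts + (0,) * (3 - len(parts))  # pad so 4.97 -> (4, 97, 0)


def is_patched(version_text):
    """True if the version carries the fixes for the CVEs in PATCHED_IN_FIXED."""
    return parse_version(version_text) >= FIRST_FIXED


def audit_config(config_text):
    """Return one finding per config line that enables a workaround-relevant feature."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # Exim comments start with '#'
        for cve, pattern, fix in CHECKS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append({"cve": cve, "line": lineno,
                                 "text": line.strip(), "workaround": fix})
    return findings


def open_findings(version_text, findings):
    """Drop findings already covered by the patch when the build is fixed."""
    if not is_patched(version_text):
        return list(findings)
    return [f for f in findings if f["cve"] not in PATCHED_IN_FIXED]


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
primary_hostname = mail.example.test
hosts_proxy = 10.0.0.0/8
acl_check_rcpt:
  deny spf = fail
  # spf = softfail   (commented out, must not match)
  accept
begin authenticators
ext_auth:
  driver = external
  public_name = EXTERNAL
spa_auth:
  driver = spa
  public_name = NTLM
"""

if __name__ == "__main__":
    version = "Exim version 4.97 #2"  # constructed; in practice read from `exim -bV`
    for f in open_findings(version, audit_config(SAMPLE_CONFIG)):
        print(f'{f["cve"]} line {f["line"]}: {f["text"]} -> {f["workaround"]}')
```

Run it against the real config (`exim -bP` can print the effective configuration) and the real `exim -bV` line; anything it still reports after upgrading is a feature whose only mitigation on this page is the configuration workaround.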
## References
- Exim maintainers’ statement: hxxps://www.exim.org/static/doc/security/CVE-2023-zdi.txt
- ZDI advisory: hxxps://www.zerodayinitiative.com/advisories/ZDI-23-1469/
- WatchTowr blogpost: hxxps://labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/