A serious vulnerability in the Exim mail transfer agent could be used by a remote attacker to gain root privileges on servers that have TLS enabled.
The weakness is present in all versions of Exim through 4.92.1 and can be triggered quite easily, with just one packet. The maintainers of Exim have developed a fix for the vulnerability and released version 4.92.2 to address it. Exim is one of the more popular MTAs and is included in several Linux distributions. It’s designed to serve as the mail relay between machines and is installed on millions of servers.
The specific problem patched in the new release lies in the way that Exim servers handle incoming TLS connections, which are a vital part of many installations. By sending a specially crafted sequence during the TLS handshake at the beginning of a connection, an attacker could trigger the vulnerability and gain root privileges on the vulnerable server.
“The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC,” the Exim advisory says.
The vulnerability can also be exploited locally. Until the new version is installed, the only available mitigation is to disable TLS, which is not recommended because it removes the confidentiality that TLS provides.
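For a fleet of mail servers, the first practical question is which hosts still run a release through 4.92.1. The following Python snippet is an added example, not code from the article or from the Exim project: it parses the version banner that `exim -bV` prints (a line beginning "Exim version X.YY[.Z] #N built ...") and compares it against 4.92.2, the first release carrying the fix. The host names and banner lines below are constructed sample input, not output captured from real systems.

```python
import re

# Constructed sample banners in the format `exim -bV` prints (hypothetical hosts,
# not captured from real machines).
SAMPLE_BANNERS = {
    "mx1": "Exim version 4.92.1 #3 built 11-Jul-2019 10:01:57",
    "mx2": "Exim version 4.92.2 #1 built 06-Sep-2019 09:11:22",
    "mx3": "Exim version 4.91 #2 built 14-Feb-2018 12:00:00",
    "mx4": "Exim version 4.93 #1 built 09-Dec-2019 17:42:10",
}

# First upstream release that addresses the flaw, per the advisory summarised above.
FIXED_VERSION = (4, 92, 2)


def parse_exim_version(banner: str) -> tuple:
    """Extract the dotted version from an `exim -bV` banner as a tuple of ints."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError(f"unrecognised Exim banner: {banner!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True for every release before 4.92.2, i.e. all versions through 4.92.1.

    Python compares tuples element by element and treats a shorter prefix as
    smaller, so (4, 92) < (4, 92, 2) holds, which is exactly the ordering of
    release numbers we need here.
    """
    return version < FIXED_VERSION


def assess(banners: dict) -> dict:
    """Map each host to True (needs the 4.92.2 update) or False (already fixed)."""
    return {host: is_vulnerable(parse_exim_version(line))
            for host, line in banners.items()}


if __name__ == "__main__":
    for host, vulnerable in assess(SAMPLE_BANNERS).items():
        print(f"{host}: {'UPDATE REQUIRED' if vulnerable else 'ok'}")
```

One caveat when using the upstream version number as the only signal: distributions that backport security fixes keep the upstream version string in the banner, so a host reporting 4.92 may already carry the patch. Confirm with the distribution's package changelog before treating such a host as unpatched.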
Although there has not been any report of a public exploit for this vulnerability, it is the type of flaw that generally attracts the attention of attackers rather quickly. In June, researchers at Qualys discovered a separate vulnerability in Exim that was also remotely exploitable.
“This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist,” the Qualys advisory says.
Within a few days of that vulnerability disclosure, a worm emerged to exploit the flaw and began hitting unpatched servers en masse. The worm exploited the vulnerability and then installed a cryptominer on the compromised machine.