Vulnerabilities could enable a malicious cyber actor to compromise vulnerable Exim servers.
Multiple high-severity vulnerabilities have been discovered in the Exim mail server. The most severe of these allows remote code execution, which could enable a malicious cyber actor to take full control of the vulnerable system.
A full list of the vulnerabilities and additional information is available from the related Exim security advisory.
At this time, the Australian Cyber Security Centre (ACSC) has not identified any active exploitation of these vulnerabilities. The ACSC has assessed that there is a significant number of Exim mail servers deployed within Australia. Any future successful exploitation of vulnerable Exim servers would have a significant impact on Australian systems and networks.
The ACSC strongly recommends that Australian organisations:
- Review their systems and networks for the presence of vulnerable instances of the Exim mail server.
- Apply the appropriate patch as identified by the Exim project in the Exim security advisory.
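As an added example to support the review step above (this is not part of the ACSC advisory or the Exim project's own tooling), the script below extracts the Exim version from `exim -bV` output or SMTP greetings gathered from an inventory and flags hosts running anything older than the fixed release. The sample inventory is constructed, and `FIXED_VERSION` is a placeholder that must be replaced with the fixed release named in the Exim security advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Exim reports its version in two common places:
#   `exim -bV` prints e.g. "Exim version 4.93 #3 built 12-Feb-2020 ..."
#   an SMTP greeting looks like "220 host ESMTP Exim 4.92 Tue, ..."
_VERSION_RE = re.compile(r"\bExim(?: version)? (\d+(?:\.\d+)*)")

# PLACEHOLDER, not a real release: substitute the first fixed version
# listed in the Exim security advisory before using this for triage.
FIXED_VERSION: Tuple[int, ...] = (4, 99)

# Constructed sample inventory: hostname -> text captured from that host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mx1.example.invalid": "Exim version 4.93 #3 built 12-Feb-2020",
    "mx2.example.invalid": "220 mx2 ESMTP Exim 4.94.2 Mon, 10 May 2021",
    "mx3.example.invalid": "220 mx3 ESMTP Postfix",
}


def parse_exim_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the Exim version as a tuple of ints, e.g. (4, 94, 2),
    or None when the text carries no recognisable Exim version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_patch(version: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """True when `version` predates `fixed`. Python compares tuples
    element-wise, so (4, 94) < (4, 94, 2) and (4, 93) < (4, 94)."""
    return version < fixed


def triage(inventory: Dict[str, str], fixed: Tuple[int, ...]) -> List[Tuple[str, Optional[str], str]]:
    """Classify each host as vulnerable, patched or unknown. Hosts whose
    version cannot be parsed are flagged for manual review rather than
    silently treated as safe."""
    rows = []
    for host, text in inventory.items():
        v = parse_exim_version(text)
        if v is None:
            rows.append((host, None, "unknown - review manually"))
        elif needs_patch(v, fixed):
            rows.append((host, ".".join(map(str, v)), "vulnerable - patch"))
        else:
            rows.append((host, ".".join(map(str, v)), "patched"))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, FIXED_VERSION):
        print(*row, sep="\t")
```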
According to Exim, the “current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security@??? back in October 2020. Due to several internal reasons, it took more time than usual for the Exim development team to work on these reported issues in a timely manner.”
Qualys stated, “an attacker who obtained the privileges of the ‘Exim’ user, by exploiting CVE-2020-28020 or CVE-2020-28018, for example, can exploit this local vulnerability to obtain full root privileges. Indeed, the following code opens a log file in append mode, as root (lines 465-469)”.