Most software has bugs, and some of those bugs can be exploited to give an attacker unauthorized access to the software, its data, or the system it runs on. Many of these vulnerabilities are the same few programming errors repeated in new contexts, and in the right (or wrong) software they can have serious implications. The Exim vulnerability is one that needs critical attention.
Recently, a buffer overflow vulnerability was discovered in Exim, a widely used mail transfer agent that runs on both Linux and Mac machines. This vulnerability is significant for two reasons: the sheer number of machines running the software and the severity of the vulnerability, rated 9.8 out of 10 on the CVSS scale (a common scale for rating vulnerability severity). As a result, this vulnerability is causing a fair amount of panic, since similar vulnerabilities in this software have been actively exploited by hackers in the past.
What is Exim?
Exim is free software that runs on Unix-derived operating systems, including both Linux and macOS. It acts as a message transfer agent (MTA): an MTA receives emails addressed to members of a particular organization and forwards them to the computers of their intended recipients.
Since Exim is free and available on Unix-based systems (which are commonly used as servers), it is the most commonly used MTA in the world. As a result, any vulnerability in Exim could have serious implications for a large number of organizations. A significant vulnerability, like the one recently discovered, can have serious implications for the Internet at large.
The Exim Flaw
The Exim software contains a vulnerability that has been fixed in the latest version of the code. However, the vulnerability is causing a great deal of concern, since an estimated 5 million computers run the software and may be vulnerable to attack. A similar vulnerability discovered in June was exploited by a worm that used it to spread from server to server.
This Exim vulnerability concerns how Exim sets up a TLS connection (Transport Layer Security, the protocol that provides the security that makes HTTPS different from HTTP). Many protocols have no built-in encryption or authentication, leaving them potentially vulnerable to hackers. TLS is designed to wrap around such protocols so that they can be used securely.
The setup phase of TLS contains a “handshake” in which both parties authenticate to one another and agree on the parameters they will use for an encrypted communications channel. During this handshake, the client sends a Server Name Indication (SNI) value that states the domain of the server the client is trying to reach (like google.com).
The Exim vulnerability was caused by a bug in how Exim handles this SNI value. A specially crafted malicious SNI value triggers a buffer overflow in the software, allowing the attacker to write data into memory they are not supposed to be able to access. By terminating a malicious SNI value with a backslash followed by a NUL byte, an attacker can send arbitrary code to Exim, which the software would then execute.
Security Implications of the Exim Flaw
This Exim vulnerability is significant for several reasons. The first is that an unauthenticated attacker would be able to exploit the vulnerability. This means that all an attacker would need to do to exploit a server is discover that it is running a vulnerable version of the Exim software. Testing for servers running Exim can be accomplished using Shodan, a search engine designed to find devices running certain protocols. Once a server is identified, a hacker could test to see if it was vulnerable simply by sending a malicious SNI value to it and seeing if code was executed.
The second reason that this flaw is concerning is that it allows the attacker to run code on the target server with root privileges. On Linux, root is the name of the user with full privileges on the computer. If an attacker has root-level access, which this flaw provides, then they can do anything that they want on the server.
Impacts on Web Security
While this vulnerability exists only in Exim, a piece of email software, the impacts of the vulnerability are not limited to email. A remote code execution (RCE) vulnerability that enables root-level access on the compromised host gives the attacker complete control of the victim computer.
This control can be used for a variety of different purposes. The attacker can use this access to place phishing websites on the machine, which will take advantage of the trusted domain. Any sensitive information on the machine could be stolen and sent to the attacker. The machine could be infected with malware and/or used as a launching point for attacks against the owner’s internal network or other machines.
The number of potentially vulnerable machines and the impact of the Exim vulnerability demonstrate both the need to patch this vulnerability and the need to protect servers generally against attack. If a machine is running a vulnerable version of Exim, it should be updated, or taken offline until it can be. Organizations should also consider deploying a web security solution capable of identifying anomalous traffic that could be part of an attack, like the unusual SNI value used to exploit this vulnerability.
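As an added example (not code from the original article or from the Exim project), the following Python pulls the server_name extension out of a TLS ClientHello, as described in the handshake section above, and flags SNI values that are not plain hostnames, which is the kind of check the anomalous-traffic monitoring recommended here would apply. The ClientHello builder and the sample hostnames are constructed for the example.

```python
import re
# Constructed test helper written for this example (not Exim code): a minimal
# TLS 1.2 ClientHello record carrying exactly one server_name extension.
def build_client_hello(sni: bytes) -> bytes:
    name = b"\x00" + len(sni).to_bytes(2, "big") + sni              # name_type 0 = host_name
    sni_list = len(name).to_bytes(2, "big") + name
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                  # client_version + 32-byte random
            + b"\x00"                                                # empty session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                      # one cipher suite, one (null) compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs         # record type 0x16 = handshake

def _walk_client_hello(hs: bytes):
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big") # end of the extensions block
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name list, host_name entry
            return data[5:5 + int.from_bytes(data[3:5], "big")]
    return None

def extract_sni(record: bytes):
    """Return the raw host_name bytes from a TLS handshake record, or None if absent/malformed."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    try:
        return _walk_client_hello(hs)
    except IndexError:                               # truncated handshake body
        return None

LABEL = rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(LABEL + rb"(?:\." + LABEL + rb")*")

def sni_anomalies(sni: bytes) -> list:
    """Reasons to flag an SNI value; an empty list means it looks like a plain hostname."""
    checks = [("backslash", b"\\" in sni),                         # escape-style bytes in a hostname
              ("nul byte", b"\x00" in sni),
              ("non-printable", any(c < 0x20 or c > 0x7e for c in sni)),
              ("not a hostname", HOSTNAME.fullmatch(sni) is None)]
    return [reason for reason, hit in checks if hit]
```

A monitoring rule would run `sni_anomalies(extract_sni(record))` on each ClientHello and alert on a non-empty list; legitimate clients only ever send a bare hostname here.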