July 12, 2024 at 11:27AM
Censys warns of a critical vulnerability affecting over 1.5 million internet-accessible Exim mail transfer agent installations. Tracked as CVE-2024-39929, it enables attackers to deliver malicious executables to user mailboxes, potentially leading to code execution and system compromise. Although a patched version is available, most servers remain unpatched, and proof-of-concept (PoC) code has been publicly released.
The vulnerability affects over 1.5 million internet-accessible Exim mail transfer agent (MTA) installations. Tracked as CVE-2024-39929 with a CVSS score of 9.1, it lies in RFC 2231 header parsing: attachment filenames are parsed incorrectly, which can allow remote attackers to bypass extension-blocking protection mechanisms. The result can be the delivery of malicious executables to user mailboxes, leading to code execution and system compromise if the attachment is opened. Although proof-of-concept (PoC) code targeting the bug has been released publicly, no exploitation attempts have been observed yet.
Furthermore, Censys has identified that of over 6.5 million SMTP mail servers accessible from the internet, roughly 4.8 million are running Exim. As of July 10, 2024, Censys observed 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), mainly concentrated in the United States, Russia, and Canada. Although the vulnerability was addressed in Exim MTA version 4.98 last month, the majority of internet-facing servers remain unpatched. Only 82 Exim MTA installations were running a patched release as of July 10.
Censys has released resources to help organizations identify public-facing Exim instances running a potentially vulnerable release and is urging them to update to a patched release as soon as possible. Exim vulnerabilities have previously been exploited by threat actors in the wild, which underlines the urgency of patching.
Related: millions of Cox modems exposed to remote hacking; unpatched Exim vulnerabilities exposing many mail servers to attacks; over 4,000 vulnerable Pulse Connect Secure hosts exposed to the internet.