A critical security flaw has been disclosed in the Exim mail transfer agent that could let remote attackers slip executable attachments past a server’s extension-blocking rules and into targeted users’ mailboxes.
The vulnerability, identified as CVE-2024-39929, carries a CVSS score of 9.1 out of 10.0 and has been resolved in version 4.98.
According to information published on the U.S. National Vulnerability Database (NVD), “Exim up to version 4.97.1 improperly parses a multiline RFC 2231 header filename. This allows remote attackers to circumvent mechanisms that block extensions like $mime_filename, thereby potentially delivering executable attachments to end users’ mailboxes.” For clarity, $mime_filename is not an extension: it is the Exim expansion variable, available in the MIME ACL, that holds the attachment filename Exim parsed from the MIME headers, and the mechanism being bypassed is an ACL rule that rejects a message when that variable carries a blocked extension. Because the check runs on whatever Exim extracted from the header, a parsing discrepancy means the rule evaluates a different name than the one the recipient’s mail client will eventually use.
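The NVD description turns on how the filename parameter is carried. RFC 2231 lets a long or non-ASCII parameter be split into numbered continuation segments (filename*0, filename*1, ...), optionally with a charset'language' prefix on a percent-encoded segment, and each segment may be folded onto its own physical header line. A check that reads one line, or one segment, therefore sees a different name than a parser that reassembles the whole parameter. The Python below is an added example, not Exim’s code and not a reproduction of the Exim bug: it implements the RFC 2231 reassembly, a hypothetical naive first-line parser, and a constructed extension deny-list of the kind an MTA’s MIME ACL applies to $mime_filename, then runs both parsers over constructed headers to show where their verdicts diverge. The headers, the deny-list and the naive parser are all assumptions made for the demonstration.

```python
from __future__ import annotations

import re
import urllib.parse

# Constructed deny-list of attachment extensions, the kind of policy an MTA's
# MIME ACL applies to the parsed filename (Exim exposes it as $mime_filename).
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "js", "vbs"}

# Constructed headers for the demonstration (not captured from any real mail).
# FOLDED_HEADER carries the filename as RFC 2231 continuation segments, one per
# folded physical line; the first segment uses the "*0*" charset-encoded form.
FOLDED_HEADER = (
    "Content-Disposition: attachment;\r\n"
    "\tfilename*0*=utf-8''invoice;\r\n"
    "\tfilename*1=\".ex\";\r\n"
    "\tfilename*2=\"e\"\r\n"
)
SINGLE_LINE_HEADER = 'Content-Disposition: attachment; filename="invoice.exe"\r\n'
ENCODED_HEADER = "Content-Disposition: attachment; filename*=utf-8''r%C3%A9sum%C3%A9.exe\r\n"


def unfold(header: str) -> str:
    """Join folded continuation lines (RFC 5322 section 2.2.3) into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def split_params(value: str) -> list[tuple[str, str]]:
    """Split 'attachment; a=b; c="d;e"' into (name, value) pairs, honouring quoted values."""
    params = []
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', value):
        item = item.strip()
        if "=" not in item:
            continue  # the disposition type itself, e.g. "attachment"
        name, _, val = item.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        params.append((name.strip().lower(), val))
    return params


def rfc2231_filename(header: str) -> str | None:
    """Reassemble the filename the way RFC 2231 requires: unfold the header, collect
    every filename*N / filename*N* segment, order them numerically, percent-decode
    the encoded segments, then strip the leading charset'language' prefix."""
    _, _, value = unfold(header).partition(":")
    plain = None
    segments = []  # (index, text, is_percent_encoded)
    for name, val in split_params(value):
        m = re.fullmatch(r"filename(?:\*(\d+))?(\*)?", name)
        if not m:
            continue
        index, encoded = m.group(1), m.group(2) is not None
        if index is None and not encoded:
            plain = val  # ordinary filename="..."
        else:
            segments.append((int(index or 0), val, encoded))
    if not segments:
        return plain
    segments.sort()
    raw = "".join(
        urllib.parse.unquote(text, encoding="latin-1") if encoded else text
        for _, text, encoded in segments
    )
    if segments[0][2]:  # first segment encoded: value is charset'language'octets
        charset, _, raw = raw.split("'", 2)
        return raw.encode("latin-1").decode(charset or "us-ascii")
    return raw


def naive_filename(header: str) -> str | None:
    """Hypothetical naive parser (not Exim's code): looks only at the header's
    first physical line and takes the first filename parameter it finds there."""
    first_line = header.split("\n", 1)[0]
    m = re.search(r'filename(?:\*\d*\*?)?="?([^";\r\n]*)', first_line)
    return m.group(1) if m else None


def extension_blocked(filename: str | None) -> bool:
    """Case-insensitive extension deny-list check over whatever the parser produced."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def verdicts(header: str) -> dict[str, bool]:
    """Apply the same extension policy to both parsers' view of one header."""
    return {
        "naive": extension_blocked(naive_filename(header)),
        "rfc2231": extension_blocked(rfc2231_filename(header)),
    }


if __name__ == "__main__":
    for label, hdr in [("single-line", SINGLE_LINE_HEADER), ("folded RFC 2231", FOLDED_HEADER)]:
        print(f"{label}: naive={naive_filename(hdr)!r} "
              f"rfc2231={rfc2231_filename(hdr)!r} blocked={verdicts(hdr)}")
```

On the single-line header both parsers agree and the attachment is blocked; on the folded RFC 2231 header the naive parser never sees a filename, so the deny-list passes a file that a client will save as invoice.exe. The practical lesson is that an extension policy is only as good as the parser feeding it, and that the parser under test must be exercised with folded, continued and percent-encoded parameter forms, not just the common filename="..." case.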
Exim, a freely available mail transfer agent primarily used on Unix and Unix-like systems, was initially deployed in 1995 at the University of Cambridge.
Censys, a firm specializing in attack surface management, reports that out of 6,540,044 publicly accessible SMTP mail servers, 4,830,719 are running Exim. As of July 12, 2024, 1,563,085 of those Exim servers (roughly a third) were running a potentially vulnerable version, 4.97.1 or earlier. The figure is derived from the version each server advertises, so it cannot distinguish hosts whose distribution has backported the fix under an older version number from hosts that are genuinely unpatched.
Most of these vulnerable instances are concentrated in the United States, Russia, and Canada.
“The identified vulnerability permits remote attackers to bypass protection mechanisms that block certain filename extensions, potentially enabling them to deliver executable attachments directly to end users’ email accounts,” the report emphasized. “Should a user open or execute one of these malicious files, their system could be compromised.”
Successful exploitation requires a recipient to open or run the delivered executable: the flaw defeats the server-side attachment filter rather than compromising the mail server itself. No in-the-wild exploitation has been confirmed so far, but administrators should upgrade to 4.98 promptly and, until they have, treat $mime_filename-based extension blocking as unreliable rather than as a control they can depend on.
The disclosure comes nearly a year after the Exim project addressed a set of six vulnerabilities that could lead to information disclosure and remote code execution.