A critical Exim vulnerability in the widely-used Exim mail transfer agent (MTA) has recently been disclosed, potentially affecting over 1.5 million servers globally. Tracked as CVE-2024-39929, this flaw allows threat actors to bypass security filters designed to block malicious attachments and poses a significant risk to email security infrastructure.
The vulnerability arises from a flaw in the parsing of multiline RFC2231 header filenames in Exim versions up to and including 4.97.1. This oversight enables remote attackers to deliver executable attachments directly into end users’ mailboxes, circumventing protective mechanisms like the $mime_filename extension-blocking feature.
Decoding the Exim Vulnerability CVE-2024-39929
Exim developers promptly addressed this issue in the latest release, version 4.98, which includes a patch for CVE-2024-39929. The patch corrects the improper handling of RFC2231 headers, thereby closing the door on potential exploits that could compromise email servers.
Exim, known for its widespread use across Unix-like systems, serves as a critical component of many organizations’ email infrastructures. According to Censys, approximately 74% of publicly facing SMTP mail servers run Exim, highligheting the broad impact of this vulnerability to victims.
Censys, further explained this vulnerability, stating that the “vulnerability in Exim MTA due to a bug in RFC 2231 header parsing could potentially allow remote attackers to deliver malicious attachments to user inboxes”, reads the post.
The risk posed by CVE-2024-39929 lies in its potential to facilitate the delivery of executable files directly to users’ inboxes. If successfully exploited, this could lead to compromised systems and data breaches. While there are currently no known active exploits in the wild, proof-of-concept demonstrations exist, indicating the urgency of applying patches.
In response to the disclosure, security experts emphasize the importance of promptly updating Exim installations to version 4.98 or newer. This update not only mitigates CVE-2024-39929 but also incorporates previous fixes for other vulnerabilities, ensuring a more secure email environment.
Exim Servers Compromised
As of July 10, 2024, Censys reports that over 1.5 million Exim servers remain potentially vulnerable, with a notable concentration in regions such as the United States, Russia, and Canada. Only a fraction of these servers have applied the necessary updates, highlighting the ongoing risk posed by delayed patching efforts.
System administrators and IT professionals are urged to utilize Censys’ detection capabilities to identify exposed Exim instances running vulnerable versions. This proactive approach can facilitate timely patching and safeguard against potential exploitation.
While CVE-2024-39929 presents a serious security concern for Exim users worldwide, the availability of patches and proactive measures can effectively mitigate its impact. By promptly updating to Exim version 4.98 or newer, organizations can bolster their defenses against cyber threats and ensure the integrity of their email communications.
