Cyborgscode edited this page Jul 16, 2024 · 23 revisions

Exim Security

Exim's security is discussed at length in Chapter 56, "Security considerations", of The Exim Specification, which also includes suggested hardening steps.

Reporting

Please email reports of security issues to security@exim.org

Encryption keys for the Exim developers are available here.

Vulnerability History

Note that a "remote code execution as Exim run-time user" vulnerability can be combined with a privilege escalation attack to become even more serious.

Local vulnerabilities

  • CVE-2020-28007: Link attack in Exim's log directory
  • CVE-2020-28008: Assorted attacks in Exim's spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local)
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities

  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
  • CVE-2019-16928 fixed in 4.92.3
  • CVE-2019-15846 fixed in 4.92.2
  • CVE-2019-13917 fixed in 4.92.1
  • CVE-2019-10149: current releases (4.91 and up) are not vulnerable; fixes for older versions exist.
  • CVE-2018-6789
  • CVE-2016-9963 fixed in 4.88 and in 4.87.1. If several conditions are met, Exim may leak the private DKIM key to the main log and, if even more conditions are met, to the sender of the message. For details please read CVE-2016-9963. If you use a distro package of Exim, you may find it has been fixed even for older-numbered releases.
  • CVE-2016-1531 fixed in 4.86.2. If Exim loads the Perl interpreter during startup, a privilege escalation was possible. For details please read CVE-2016-1531. If you use a distro package of Exim, it may be fixed even for older releases.
  • CVE-2015-0235 is a glibc bug affecting multiple applications on platforms which use glibc as their system C library; the problem was in the gethostbyname() functions. The security advisory referenced Exim as an exploit vector for remote access. The fix is to update glibc; workarounds include disabling the configuration directives that enable the HELO checking which exposes the vulnerability. See https://lists.exim.org/lurker/message/20150127.200135.056f32f2.en.html for our advisory on this.
  • CVE-2014-2972 fixed in 4.83: mathematical comparison functions were expanding their arguments twice. Impact: local code execution if specific mathematical comparison functions were performing data lookups on user-controlled data.
  • CVE-2014-2957 fixed in 4.82.1, introduced in 4.82: untrusted data was used when parsing the From header in the experimental DMARC code, allowing macro expansion. Details post.
  • CVE-2012-5671 fixed in 4.80.1, introduced in 4.70: buffer overflow in DKIM DNS response processing. Impact: remote code execution as Exim run-time user. Details post.
  • CVE-2011-1764 fixed in 4.76, introduced in 4.70: format string attack in DKIM processing. Impact: remote code execution as Exim run-time user. Bugzilla 1106.
  • CVE-2011-1407 fixed in 4.76, introduced in 4.70: flaw in handling DKIM DNS records. Impact: remote code execution as Exim run-time user.
  • CVE-2011-0017 fixed in 4.73: return values of setuid()/setgid() were not checked; only an issue on Linux. Impact: privilege escalation from Exim run-time user to root.
  • CVE-2010-4345 fixed in 4.73: privilege escalation from Exim run-time user to root via configuration overrides.
  • CVE-2010-2023 fixed in 4.72: hardlink attack via sticky mbox directory. Impact: overwrite files of the target user on the same partition as the mbox directory. Bugzilla 988.
  • CVE-2010-2024 fixed in 4.72: symlink attack in /tmp in the MBX locking algorithm. Bugzilla 989.
  • CVE-2010-4344 fixed in 4.70: buffer overflow in string_format(). Impact: remote code execution as Exim run-time user. Bugzilla 787.
