A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users’ inboxes.
The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98.
“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” according to a description shared on the U.S. National Vulnerability Database (NVD).
Exim is a free, mail transfer agent that’s used in hosts that are running Unix or Unix-like operating systems. It was first released in 1995 for use at the University of Cambridge.
Attack surface management firm Censys said 4,830,719 of the 6,540,044 public-facing SMTP mail servers are running Exim. As of July 12, 2024, 1,563,085 internet-accessible Exim servers are running a potentially vulnerable version (4.97.1 or earlier).
A majority of the vulnerable instances are located in the U.S., Russia, and Canada.
“The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users’ mailboxes,” it noted. “If a user were to download or run one of these malicious files, the system could be compromised.”
This also means that prospective targets must click on an attached executable for the attack to be successful. While there are no reports of active exploitation of the flaw, it’s essential that users move quickly to apply the patches to mitigate potential threats.
The development comes almost a year after the project maintainers a set of six vulnerabilities in Exim that could result in information disclosure and remote code execution.
