The existence of a number of unpatched vulnerabilities affecting Exim mail transfer agent (MTA) installations was disclosed last week, roughly a year after they were initially reported to the developers.
Trend Micro’s Zero Day Initiative (ZDI) learned about six Exim vulnerabilities last year and reported the findings to the MTA software’s developers in June 2022. However, Exim developers have only now started working on patches, with accusations being made by both sides.
Exim, a piece of software used to receive and relay emails, is present on hundreds of thousands of servers. Vulnerabilities affecting the software can be highly valuable to threat actors, who have been known to exploit Exim flaws in their attacks.
ZDI last week released six individual advisories describing the issues, reported to the company by an anonymous researcher. The most serious of them, rated ‘critical’ and tracked as CVE-2023-42115, can be exploited by a remote, unauthenticated attacker to execute arbitrary code.
Three other flaws, classified as ‘high severity’ and tracked as CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118, can also be exploited for remote code execution without authentication.
The remaining two issues have a lower severity rating and their exploitation can lead to information disclosure.
According to ZDI’s timeline, the vulnerabilities were reported to Exim developers in June 2022 and ZDI reached out for an update in late April 2023, with the bug reports being resent to Exim in May.
ZDI made its advisories public on September 27 and a public discussion about the issues was initiated late last week on the Openwall mailing list.
Exim is working on patches and says they should become available shortly, though there still seems to be some confusion within Exim on what exactly has been reported through ZDI. Developers claim the vulnerabilities can only be exploited if certain features are used.
Exim developers have complained that ZDI failed to provide needed clarifications between its initial report in June 2022 and May 2023.
Some have argued that it has still taken Exim developers a long time to start addressing the issues, even if it only learned about them in May.
In response to the Exim team’s complaints, ZDI said, “The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do’.”