Thanks to LowEndTalk member @active8 for alerting us to an Exim vulnerability that looks pretty awful:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.
Wow. Seems like if I were the Exim publisher, I’d jump on that immediately. Especially since Exim was grossly embarrassed by 21 separate vulnerabilities published in a batch a couple of years back.
Sadly, the vendor did not:
06/06/22 – ZDI requested a PSIRT contact.
06/14/22 – ZDI reported the vulnerability to the vendor.
04/25/23 – ZDI asked for an update.
04/25/23 – The vendor asked us to re-send the reports.
05/10/23 – ZDI sent the vulnerability to the vendor.
09/25/23 – ZDI asked for an update and informed the vendor that we intend to publish the case as a zero-day advisory on 09/27/23.
A fix is available for this issue. It’s called Postfix.
UPDATE: Thanks to an anonymous reader for submitting this link, which mentions six 0day exploits.
A little snarky, aren’t we today? Postfix as the ‘fix’ is like saying Android is an iPhone fix, or turning off wifi is an internet fix. I find info, dialogue and weighing options helpful.