LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Exim Didn't Fix a Vulnerability for a Year and Now It's Public

Thanks to LowEndTalk member @active8 for alerting us to an Exim vulnerability that looks pretty awful:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.

Wow. Seems like if I were the Exim publisher, I’d jump on that immediately. Especially since Exim was grossly embarrassed by 21 separate vulnerabilities published in a batch a couple of years back.

Sadly, the vendor did not:

06/06/22 – ZDI requested a PSIRT contact.

06/14/22 – ZDI reported the vulnerability to the vendor.

04/25/23 – ZDI asked for an update.

04/25/23 – The vendor asked us to re-send the reports.

05/10/23 – ZDI sent the vulnerability to the vendor.

09/25/23 – ZDI asked for an update and informed the vendor that we intend to publish the case as a zero-day advisory on 09/27/23.

A fix is available for this issue. It’s called Postfix.

UPDATE: Thanks to an anonymous reader for submitting this link, which mentions six 0-day exploits.



1 Comment

  1. Jon:

    A little snarky, aren’t we today? Postfix as the ‘fix’ is like saying Android is an iPhone fix, or turning off Wi-Fi is an internet fix. I find info, dialogue and weighing options helpful.

    October 2, 2023 @ 12:17 am | Reply
