EXIM exploits actively used

Another reason to go with Postfix instead. I’ve never understood why Debian defaults with Exim now.

Feel free to contribute to it …

But currently I have 0 time to work on it…


Not “a world-ending catastrophe”

While tagged with a 9.8/10 severity score by the ZDI team, Exim says the successful exploitation of CVE-2023-42115—the most severe of the six zero-days disclosed by ZDI last week—is dependent on the use of external authentication on the targeted servers.

Even though 3.5 million Exim servers are exposed online, according to Shodan, this requirement drastically reduces the number of Exim mail servers potentially vulnerable to attacks.

An analysis of the six zero-days by watchTowr Labs confirms Exim’s take on the severity of these zero-days as they “require a very specific environment to be accessible.”

watchTowr Labs also provided a list of all configuration requirements on vulnerable Exim servers needed for successful exploitation:

CVE              CVSS  Requirements
CVE-2023-42115   9.8   “External” authentication scheme configured and available
CVE-2023-42116   8.1   “SPA” module (used for NTLM auth) configured and available
CVE-2023-42117   8.1   Exim Proxy (different to a SOCKS or HTTP proxy) in use with untrusted proxy server
CVE-2023-42118   7.5   “SPF” condition used in an ACL
CVE-2023-42114   3.7   “SPA” module (used for NTLM auth) configured to auth the Exim server to an upstream server
CVE-2023-42119   3.1   An untrusted DNS resolver

“Most of us don’t need to worry. If you’re one of the unlucky ones who uses one of the listed features though, you’ll be keen to get more information before undertaking ZDI’s advice to ‘restrict interaction with the application’,” watchTowr researcher Aliz Hammond said.

We don’t use those features…
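The quickest way to settle the “do we use those features?” question is to look at the Exim configuration itself. The script below is an added example, not code from this thread, from Hestia or from the Exim project: it scans an Exim configuration for the preconditions in the watchTowr table that are visible in the config file, namely an authenticator with `driver = external` (CVE-2023-42115), a `driver = spa` authenticator configured on the server side (CVE-2023-42116) or the client side (CVE-2023-42114), the `hosts_proxy` main option that enables the proxy protocol (CVE-2023-42117), and an `spf` or `spf_guess` condition inside an ACL (CVE-2023-42118). The untrusted-resolver row (CVE-2023-42119) is a property of the host’s DNS setup, not of Exim’s config, so it is not checked. The embedded configuration is constructed for the demonstration and deliberately trips several of the checks; it is not a Hestia configuration.

```python
"""Audit an Exim configuration for the feature preconditions listed in the
watchTowr table. Added example; the option names (driver = external/spa,
hosts_proxy, the spf ACL condition) are Exim's real ones, the sample config
below is constructed for this demonstration."""
import re

# Constructed sample config (NOT a Hestia config): exercises each check.
SAMPLE_CONFIG = """\
# main section
primary_hostname = mail.example.test
hosts_proxy = 192.0.2.10
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  deny    spf = fail
          message = SPF check failed
  accept

begin authenticators
dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
ntlm_auth:
  driver = spa
  public_name = NTLM
  server_password = secret
ext_auth:
  driver = external
  public_name = EXTERNAL
"""

CVE_FEATURES = {
    "CVE-2023-42115": "external authenticator (driver = external)",
    "CVE-2023-42116": "SPA/NTLM authenticator offered to clients (driver = spa, server_* options)",
    "CVE-2023-42117": "proxy protocol enabled (hosts_proxy set)",
    "CVE-2023-42118": "spf condition used in an ACL",
    "CVE-2023-42114": "SPA/NTLM authenticator used as a client (driver = spa, client_* options)",
}


def split_sections(config_text):
    """Return {'main': text, 'acl': text, 'authenticators': text, ...}.
    Comment lines are dropped; a 'begin <name>' line starts a new section."""
    sections = {"main": []}
    current = "main"
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.match(r"^\s*begin\s+(\w+)\s*$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}


def parse_options(lines):
    """Parse 'option = value' lines into a dict (last assignment wins)."""
    opts = {}
    for line in lines:
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_drivers(section_text):
    """Parse driver blocks ('name:' followed by option lines) into
    {name: {option: value}}; used for the authenticators section."""
    drivers, name, block = {}, None, []
    for line in section_text.splitlines():
        m = re.match(r"^(\w+):\s*$", line)
        if m:
            if name is not None:
                drivers[name] = parse_options(block)
            name, block = m.group(1), []
        else:
            block.append(line)
    if name is not None:
        drivers[name] = parse_options(block)
    return drivers


def audit(config_text):
    """Return {cve: [evidence, ...]}; an empty list means the precondition
    was not found in the configuration text."""
    sections = split_sections(config_text)
    main_opts = parse_options(sections["main"].splitlines())
    auths = parse_drivers(sections.get("authenticators", ""))
    findings = {cve: [] for cve in CVE_FEATURES}

    for name, opts in auths.items():
        driver = opts.get("driver", "")
        if driver == "external":
            findings["CVE-2023-42115"].append(name)
        elif driver == "spa":
            if any(k.startswith("server_") for k in opts):   # offered to clients
                findings["CVE-2023-42116"].append(name)
            if any(k.startswith("client_") for k in opts):   # used towards upstream
                findings["CVE-2023-42114"].append(name)
    if main_opts.get("hosts_proxy"):
        findings["CVE-2023-42117"].append("hosts_proxy = " + main_opts["hosts_proxy"])
    # The spf ACL condition is written 'spf = <result list>' (or spf_guess);
    # matching on a word boundary avoids false hits on $spf_result or "SPF".
    for line in sections.get("acl", "").splitlines():
        if re.search(r"(?:^|\s)spf(?:_guess)?\s*=", line):
            findings["CVE-2023-42118"].append(line.strip())
    return findings


if __name__ == "__main__":
    for cve, evidence in audit(SAMPLE_CONFIG).items():
        status = "PRESENT: " + ", ".join(evidence) if evidence else "not found"
        print(f"{cve}  {CVE_FEATURES[cve]}: {status}")
```

To run it against a live server, feed it the file reported by `exim -bP configure_file` (on Hestia that is the generated Exim 4 configuration). The parser is deliberately simple: it does not follow `.include` directives or expand macros, so a feature pulled in through an included file would be missed, and a finding means only that the feature is configured, not that the host is unpatched; the fix is still the distribution’s security update.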


As a CISSP I have to stress you’re plain wrong, sir. Exim, the way Hestia uses it, is the SMTP server, for crying out loud. It’s wide open for CVE-2023-42115!
You may want to read ZDI-23-1469 (Zero Day Initiative) and be sure to patch it by updating.

For Debian and Ubuntu servers, if you have the security update stream active, you’re already patched.

As a SUUHAH (Simple User Using Hestia As Hobby) I have to stress you’re plain wrong, sir :stuck_out_tongue: Hestia doesn’t use the external driver, so I don’t know how it would be affected by this CVE-2023-42115.


