Critical flaw in Exim MTA could allow attackers to deliver malware to users’ inboxes

A critical vulnerability in Exim mail server allows attackers to deliver malicious executable attachments to mailboxes.

Attackers can exploit a critical security flaw, tracked as CVE-2024-39929 (CVSS score of 9.1), in the Exim mail transfer agent to deliver malicious attachments to target users’ inboxes.

Exim is a widely used Mail Transfer Agent (MTA) designed to route, deliver, and receive email messages. Developed initially for Unix-like systems, Exim is known for its flexibility and configurability, allowing administrators to customize its behavior extensively through configuration files.

Exim versions up to and including 4.97.1 are affected by a vulnerability in which the MTA misparses a filename carried in a multiline RFC 2231 header. This flaw allows remote attackers to bypass the $mime_filename extension-blocking protection, potentially delivering executable attachments to user mailboxes.

The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98.

“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” read the advisory.
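The bug class described above and in the advisory is a filename check that runs before the RFC 2231 continuation parameters (`filename*0=`, `filename*1=`, ...) have been joined back into one name. The following is an added illustration, not Exim's code or the advisory's proof of concept: it builds a constructed sample message whose attachment filename is split across folded header lines, runs a deliberately naive per-segment check beside a check that reassembles the name with Python's standard `email` package first, and shows that only the reassembled form catches the blocked extension. The message, the block list and the function names are all assumptions made for this example.

```python
import email
import re

# Constructed sample message (not taken from the advisory or Censys report).
# The attachment filename is carried as RFC 2231 continuation parameters,
# each on its own folded header line, so no single line contains ".exe".
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="quarterly-report.";
 filename*1="exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Illustrative block list; a real deployment would use its own policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".js", ".vbs"}

# Matches one "key=value" parameter (quoted or bare) inside a header value.
_PARAM_RE = re.compile(r'([^\s;=]+)\s*=\s*("([^"]*)"|[^;\s]+)')


def has_blocked_extension(filename, blocked=BLOCKED_EXTENSIONS):
    """True if the complete filename ends with a blocked extension."""
    name = filename.strip().lower()
    return any(name.endswith(ext) for ext in blocked)


def naive_segment_check(part, blocked=BLOCKED_EXTENSIONS):
    """Bug class for contrast (constructed, not Exim's code): tests each
    filename parameter value as it appears on the wire, so a name split
    into continuations is never examined as a whole."""
    header = part.get("Content-Disposition", "")
    for m in _PARAM_RE.finditer(header):
        key = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(2)
        # "filename", "filename*0", "filename*1*" all belong to the same parameter.
        if key.split("*")[0] == "filename" and has_blocked_extension(value, blocked):
            return True
    return False


def reassembled_check(part, blocked=BLOCKED_EXTENSIONS):
    """Correct form: let the email package join the RFC 2231 continuations
    (and decode any charset/language prefix) before testing the name."""
    filename = part.get_filename()
    return filename is not None and has_blocked_extension(filename, blocked)


def scan_message(raw, check):
    """Apply `check` to every attachment part of a raw RFC 5322 message.
    Returns a list of (reassembled filename, blocked?) tuples."""
    msg = email.message_from_string(raw)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        results.append((part.get_filename(), check(part)))
    return results


if __name__ == "__main__":
    print("per-segment check :", scan_message(SAMPLE_MESSAGE, naive_segment_check))
    print("reassembled check :", scan_message(SAMPLE_MESSAGE, reassembled_check))
```

The design point is that any extension filter must operate on the filename after header unfolding and RFC 2231 reassembly, never on individual header lines or parameter segments; a filter that looks at segments sees `quarterly-report.` and `exe` separately and passes both.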

According to cybersecurity firm Censys, there are 6,540,044 public-facing SMTP mail servers, of which 4,830,719 (~74%) are running Exim.

Censys researchers state that a proof of concept (PoC) exploit for this issue exists, but there are no known active exploitations yet.

“As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada. So far, 82 public-facing servers show indications of running a patched release of 4.98.” reads the report published by Censys.

The firm released a set of queries for identifying Censys-visible, public-facing Exim instances running versions potentially affected by this CVE.

Pierluigi Paganini

