21 nails in Exim mail server: Vulnerabilities enable 'full remote unauthenticated code execution', millions of boxes at risk

Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server." Exim is a mail transfer agent (MTA), responsible for receiving and forwarding email messages. It runs …

  1. Nate Amsden

    shocking

    Well, maybe I shouldn't be shocked, but I am still. Not at the security issue, but looking at that MX server survey I had no idea that Exim and Postfix combined had that high a market share, and that Sendmail was at 40% ~15 years ago and is now at under 4%. I really expected nobody to have more than, say, 20-25% market share. Personally I have been using Postfix since about 2001, I think. It was suggested to me for an anti-virus solution I was looking to deploy at the time and I just haven't had a need to look at anything else.

    I went off to look at sendmail.org, and wow, they are old school (except they seem to be operating under the "ProofPoint" brand, not sure when that happened); just read the stuff under the "Contact us" section. Also it's the first reference to an FTP server I have seen on a website in a long time (I have nothing against ftp myself other than it is funky to work through firewalls).

    I still prefer text email myself, and my personal email server does strip html off of incoming emails automatically, which can sometimes make things difficult (and on very rare occasions impossible, as in the entire message is empty) to read. But it certainly brings back memories of an earlier era (an era that was much more fun for me, computing-wise anyway).

    For work my org uses Office 365 (and hosted Exchange at Rackspace prior). MS introduced breaking changes in the OWA client, which I use for most of my mail, which make text-based email composing impossible. Reported it almost 2 years ago and last I checked it was still broken (the behaviour being that new line characters are broken, making the entire email one long line, in many cases totally unreadable. The message is fine in the "outbox" and only gets mangled once it gets beyond that level).

    1. bombastic bob Silver badge

      Re: shocking

      Sendmail is the built-in for FreeBSD. I got used to its quirks and it's still supported for integration with other e-mail related things (like Cyrus IMAP), at least last time I integrated the two - which has been a while, yeah.

      Exim runs by default on Debian derivatives as well, last I checked. Since it listens locally by default, it's probably not a problem unless you open up the listening ports for LAN or (worse) Internet access.

      (verified, Devuan recent distro running exim4, listening port 25 only on 127.0.0.1 and ::1, default out of the box config for mail as I recall)

    2. ravioli

      Re: shocking

      "Sendmail was at 40% ~15 years ago and is now at under 4%"

      Because it's awfully unreliable for what the world wants to use email for now.

      cPanel and WHM use Exim, how fast did they patch this? Unbelievable. Just goes to show how we rely on all this software and it could be the weakest link in the chain.

      1. Anonymous Coward

        Re: shocking

        > [sendmail is] awfully unreliable for what the world wants to use email for now.

        Spam? Phishing? HTML?

        I have a meh-hate relationship with Sendmail. Learnt it well enough at university to teach the Sun3's and similar old kit how to be a null-client and send everything along to smarthost for handling. And just enough beyond that to be dangerous with the smarthost's .cf file -- not even the .mc routine back then.

        Since those days gone by I still run a few sendmail configs on the FreeBSD's I have, as noted upthread it's what they came with so I just kept doing it. They're pretty trouble-free, but admittedly not heavily loaded.

        I too am surprised at 4%, almost enough to make me doubt the accuracy. But when major Linuxes don't default to it, it follows that sendmail will drop off for postfix and exim.

        Suppose I should have a look at postfix configs on one of my MX servers and bone up, if only for the sake of my CV and future job prospects.

    3. Androgynous Cupboard Silver badge

      Re: shocking

      Sendmail represented everything that was wrong about service daemons. Permanently insecure, bizarrely complex to configure and with tentacles all throughout the OS. I know it dates from another era, more innocent times etc. but I still have servers to run. After the umpteenth security announcement I bit the bullet and switched to exim. Sounds like everyone else did too.

      Today's announcement is what it is, but it's the first big one(*) I recall for exim, so no regrets. It was every few months for sendmail. Glad it's gone.

      1. Dan 55 Silver badge

        Re: shocking

        Sendmail represented everything that was wrong about service daemons. Permanently insecure, bizarrely complex to configure and with tentacles all throughout the OS.

        Thank goodness we've progressed beyond software design like that. But don't mention systemd.

      2. Jay 2

        Re: shocking

        It is said if you have a monkey with a typewriter, eventually they will write the works of Shakespeare. If you give them a few minutes they'll create a sendmail config file.

        1. Anonymous Coward

          Re: shocking

          Yup.

          I still have flashbacks from trying to do that manually before someone cooked up an approach to help configuring it, but my brain refuses to fully recall that memory, probably to protect the little bit that is left of my sanity.

      3. Brewster's Angle Grinder Silver badge

        Routing rules for R'lyeh

        I understand the Necronomicon was just a print-out of Alhazred's sendmail.cf. (Also proof we've been outsourcing IT support to the cheapest bidder for millennia.)

    4. Anonymous Coward

      Re: shocking

      Distribution preferences explain the prevalence of Exim and Postfix: most people go with the default.

      Currently still dealing with the fallout of Hafnium from that disaster waiting to happen that is Exchange, which requires its own web server to work. We've tried hardening it but have to keep ActiveSync, Outlook Anywhere and OWA active. We've got problems with Outlook for Mac dropping the tunnel because it doesn't have the Windows-specific proxy options to enforce basic authentication. I've just signed off on the bill for the extra support. And there is no redress for all this shoddiness from Microsoft.

      Give me a flawed open source mail server over this shit any time.

      1. Anonymous Coward

        Re: shocking

        If you deployed Exchange properly then your Internet facing MTA would be an Exchange Edge server that does not require a web server to work.

        1. Anonymous Coward

          Re: shocking

          The only correct way to deploy Exchange is to replace it with a proper mail server, i.e. not use it.

          1. Anonymous Coward

            Re: shocking

            Exchange is historically far more secure than legacy *nix MTAs. Way more powerful and flexible too.

    5. LordHighFixer

      Re: shocking

      Holds up his bat boot on high and chants insane incantations. Oh thee blasphemers, thine MTA shalt not peer into thine packages, but only shove them, by brute force if necessary, unto their destinations in a timely manner. Embrace the R$ and the L$, hold them high, and let not thine mail queue.

      --I'll get my robe of the ancient dark arts..

  2. Martin Gregorie Silver badge

    Sheer, blind luck...

    Phew, dodged all those nasty Sendmail bullets!

    And all because I run Postfix on all my computers including my Raspberry Pi.

    Years back, when I was running Fedora 1, if it wasn't still RedHat 7.2, I tried to customise Sendmail by working from the O'Reilly Sendmail book. That must be the worst book they ever published, because an entire section was missing. That meant I couldn't get my head round Sendmail and, being too tight to buy another massive book, I ripped out Sendmail, dropped in Postfix and have never looked back.

    So, when I bought my first RPi, naturally I slapped Postfix onto it and added the standard configuration I use on every machine except my house server. One reboot later and it 'just ran', and it has continued to do so without any configuration changes despite successive upgrades from Wheezy to Buster.

  3. Gordon Shumway

    All of this has happened before

    and all of this will happen again.

    https://forums.theregister.com/forum/all/2019/09/06/exim_vulnerability_patch/#c_3864984

  4. Lunatic Looking For Asylum

    I still use exim

    Been using it since 1993-ish.

    Just been and compiled and rolled out the new release. Ended up having to do a lot of reading and farting around.

    Exim has copious documentation, but it is really difficult to digest. Most of the problems today weren't with the compile; it was trying to find what I needed to do to the configuration file so that it would use de-tainted data.

    What's de-tainted data? I hear you all cry. In their wisdom the Exim developers decided that any data that could possibly come from the outside world was dangerous and couldn't be used directly in, for example, the name of a file. Seems like a good plan, but they didn't tell anybody they were doing this; they just rolled it out and mentioned it in the release notes (not even at the top of the release notes either). Consequently the mailing list was flooded with people screaming because their 'working for decades' configs suddenly stopped.

    It's generally been accepted that the exim devs could have handled the release better.

    It's particularly galling that while the devs were busy looking at the tainted data splinter they missed the *()&ing planks that today's release is hopefully in mitigation of.

    It does make me wonder what else they have missed, and it has dented my (and I suspect a lot of other postmasters') confidence in the product.
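To make concrete what the taint rules described above do to a config that builds a file name from a message field, here is an added Python model of the behaviour (example code, not Exim's own): values that arrived over the SMTP session are tainted and may not be spliced into a path, and the way to de-taint them is to use them as the key of a lookup against an admin-controlled table, whose returned value is trusted. The user table, the local parts and the `/var/mail` layout are constructed for the example.

```python
"""Toy model of Exim-style tainted data (added example, not Exim's code).

Anything that came from the network (envelope addresses, header values) is
'tainted'.  A tainted value can be compared and used as a lookup key, but it
cannot be used to build a file name.  A value returned by a lookup against an
admin-maintained table is trusted, because an administrator wrote it; this is
what Exim's ${lookup{$local_part}lsearch{/path/to/table}} idiom relies on.
"""
import os


class Tainted(str):
    """A string that arrived over the SMTP session. Behaves like str otherwise."""


class TaintError(ValueError):
    """Raised when tainted data reaches a place that needs trusted data."""


# Constructed stand-in for an admin-maintained lsearch file:
# maps local_part -> mailbox directory name.
VALID_USERS = {
    "alice": "alice",
    "bob": "bob",
}


def lookup(key, table):
    """Mimic a lookup: the key may be tainted, the returned value is not."""
    value = table.get(str(key))
    return None if value is None else str(value)   # plain str, never Tainted


def mailbox_path(local_part, base="/var/mail"):
    """Build a delivery path; refuses tainted components, as Exim now does."""
    if isinstance(local_part, Tainted):
        raise TaintError(f"tainted local_part {local_part!r} used in file name")
    return os.path.join(base, local_part)


def deliver_legacy(local_part):
    """The 'worked for decades' config: $local_part straight from the envelope."""
    return mailbox_path(local_part)


def deliver_detainted(local_part):
    """The de-tainted config: lookup first; unknown users are rejected."""
    trusted = lookup(local_part, VALID_USERS)
    if trusted is None:
        raise KeyError(f"no such user {str(local_part)!r}")
    return mailbox_path(trusted)


if __name__ == "__main__":
    rcpt = Tainted("alice")            # constructed: from RCPT TO:<alice@example.org>
    print(deliver_detainted(rcpt))     # /var/mail/alice
    try:
        deliver_legacy(rcpt)
    except TaintError as err:
        print("legacy config now fails:", err)
```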

    1. Claptrap314 Silver badge

      Re: I still use exim

      Upboated just for "It's generally been accepted that the exim devs could have handled the release better."

      And you owe me a keyboard.

  5. LDS Silver badge

    Who do they believe they are?

    Exchange?

  6. martyn.hare

    Thankfully most modern distros already have...

    Mitigations [exist] to prevent this from being as bad as some may think. Unlike the recent Microsoft Exchange security issues which were mostly unavoidable, Exim doesn’t need to run as root in the first place and where it does, it is commonly confined by sysadmins using mandatory access controls anyway. Still, you’d think someone would have audited this critical code long before now....

  7. Anonymous Coward

    This stuff is _why_ postfix was written

    Wietse Venema got a bee in his bonnet about the security shortfalls of Exim and encountered serious resistance in getting it fixed.

    Having spent 20 years in British academia, I can understand his frustration, and there's a VERY strong sentiment of using Exim "BECAUSE IT'S BRITISH", with security arguments usually being dismissed under the "not invented here" category.

    As for Sendmail: it's a Swiss army knife written in days when mail needed to gateway between many different network types. It works, but the correct tool for any given job is preferable and simpler.

    Anon for bloody obvious reasons

  8. Kurgan

    Total disaster

    I have around 15 mail servers with exim... what a nice day it is today.

  9. Anonymous Coward

    We run a weird hybrid, where our email is officially Office365 but instead of allowing all internal servers access to the internet we have an exim mailer for all outgoing email that sorts the Office stuff to the cloud and the rest where it's supposed to go. The bonus in this case is that it's not addressable from the internet, as there's no reason it should be. So that's one British University still running exim, albeit in a limited fashion. (We only turned off the incoming exim hosts last year!)

    That said, I just checked and the Debian hosts patched themselves either yesterday or today depending.

    (Anon because I don't represent my employer in this case)

  10. DaveKC

    Exim rules!

    - so do Philip Hazel et al.

    "THANK YOU" to all finding and/or fixing this. You keep Exim the best MTA.

    Bugs happen. Let's move on and fix our set-ups with gratitude for Exim and its updates.

    ("Anonymous Coward" assumed merely el Reg's tag on sensible posters)

    1. Lunatic Looking For Asylum

      Re: Exim rules!

      Philip Hazel retired years ago - Exim was at 3 something when he went and he's had nothing to do with it since.

      Exim 4 has been pretty solid, but it is getting unwieldy, its configuration is arcane and idiosyncratic and its documentation obtuse (never mind the quality - look how many pages we've got).

      It's certainly suffered from feature creep.

      I don't think the devs have anything to be proud of really.

      Even this emergency release: they mentioned a feature that turns off the taint checking, but also said it's immediately deprecated, and that feature isn't in the main release - you have to download a slightly different release, '-fixes', which there isn't a tarball of on the main download server.

      Alternatively you can download the previous 4.93-fixes stable (release without the tainting checks) that they have generously applied the patches to but again the tar files are not on the main site.

      Yep, you have to pull a git release from the source repository to get those fixes - sigh :-(

      I'm definitely thinking of an alternative now - Exim's credibility is at 0 now and I have a load of work to do because of how they have handled it - a comment from the mailing list earlier mentioned they had been sitting on these bugs for 7 months.

      They then go and release and publish and everybody is left running around like idiots hastily patching, rebuilding and fixing stuff. It will all end in tears.

      I know it's not polite to criticise volunteer efforts but sometimes being too polite creates more trouble. If people had been more critical, Exim may not be in the mess it now is.

      1. DaveKC

        Re: Exim rules!

        PH's book and courses were actually based on Exim 4 and he was doubtless still a benefit to that version before retiring.

        Email, not Exim, is unwieldy. Hindsight is 20-20, but KISS should have been applied to email ages ago. The bad thing about standards is there are too many to choose from. Do we now need a new one, though? Anyway, email was already too loose IMHO when PH began Exim. With nothing else capable, Cambridge implemented it out of necessity, and to PH's surprise I believe.

        Despite this current big hassle Exim has been improved and gains strength from being free & open and having a structure more logical than its predecessor and a lot of other MTAs.

        Btw, C/C++ might not be the most secure in which to write a drop-in replacement MTA these days. Platform differences aside - anyone coding one in Rust? Only a light-hearted question, as I don't have the skill or time myself. Rust does, however, look like being hugely safer and a good choice for new stuff - especially re. much-needed security. ('c2rust' for Exim's source? - just a silly thought..)

        Folks please don't sign your mail-flow over to be abused by evil empires - it will be locked-in and out of your reasonable control - plus bugs will be there too.

  11. Anonymous Coward

    That's why C/C++ should be ditched

    It may be fast, but it's got too much potential for memory bugs. That should be a class of errors we shouldn't be having to deal with these days.

    There are better alternatives out there.

    1. Paul Crawford Silver badge

      Re: That's why C/C++ should be ditched

      Yes, and who is doing the re-writing and bug-testing?

      That is the problem with many bits of software: they are not terribly well written, but attempts to re-invent them often introduce far more problems than fixing the old ones.

      For some things you do have better, more secure, alternatives already in existence. But if you have a stable working system you are again facing the trade-off of fixing issues in a working arrangement and starting fresh with newer package(s), configuring them, testing that, fixing that, checking client compatibility, etc, etc.

    2. sitta_europea Silver badge

      Re: That's why C/C++ should be ditched

      > It may be fast, but it's got too much potential for memory bugs. That should be a class of errors we shouldn't be having to deal with these days.

      That would be like throwing out the baby with the bath-water.

      It's almost trivially easy to cobble up a few functions which wrap, extend or replace the library versions and make memory accesses unconditionally safe.

      What's needed isn't a new language, it's sensible developers who keep an eye on security -- and management which takes the issues seriously enough to understand them.

      Regrettably both seem to be in short supply.

      1. Paul Crawford Silver badge

        Re: That's why C/C++ should be ditched

        Modern compilers and static analysis tools (lint and on-line stuff like Coverity Scan) will find most of the common bugs biting people.

        It is just a lot of folk don't use them, or they disable/ignore warnings when compiling because "it works anyway".


Biting the hand that feeds IT © 1998–2021