globe cyber map

21Nails vulnerabilities impact 60% of the internet's email servers

The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors.

Known as 21Nails, the vulnerabilities were discovered by security firm Qualys.

The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations.

While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet.

The 21Nails vulnerabilities, if left unpatched, could allow threat actors to take over these systems and then intercept or tamper with email communications passing through the Exim server.

All Exim versions released since 2004 are impacted

As Qualys explains in its security advisory, the 21Nails vulnerabilities are as bad as it gets. All Exim server versions released in the past 17 years, since 2004, the beginning of the project's Git history, are affected by the 21Nails bugs.

This includes 11 vulnerabilities that require local access to the server to exploit, but also 10 bugs that can be exploited remotely across the internet.

CVE-2020-28007Link attack in Exim’s log directoryLocal
CVE-2020-28008Assorted attacks in Exim’s spool directoryLocal
CVE-2020-28014Arbitrary file creation and clobberingLocal
CVE-2021-27216Arbitrary file deletionLocal
CVE-2020-28011Heap buffer overflow in queue_run()Local
CVE-2020-28010Heap out-of-bounds write in main()Local
CVE-2020-28013Heap buffer overflow in parse_fix_phrase()Local
CVE-2020-28016Heap out-of-bounds write in parse_fix_phrase()Local
CVE-2020-28015New-line injection into spool header file (local)Local
CVE-2020-28012Missing close-on-exec flag for privileged pipeLocal
CVE-2020-28009Integer overflow in get_stdinput()Local
CVE-2020-28017Integer overflow in receive_add_recipient()Remote
CVE-2020-28020Integer overflow in receive_msg()Remote
CVE-2020-28023Out-of-bounds read in smtp_setup_msg()Remote
CVE-2020-28021New-line injection into spool header file (remote)Remote
CVE-2020-28022Heap out-of-bounds read and write in extract_option()Remote
CVE-2020-28026Line truncation and injection in spool_read_header()Remote
CVE-2020-28019Failure to reset function pointer after BDAT errorRemote
CVE-2020-28024Heap buffer underflow in smtp_ungetc()Remote
CVE-2020-28018Use-after-free in tls-openssl.cRemote
CVE-2020-28025Heap out-of-bounds read in pdkim_finish_bodyhash()Remote

Previous Exim bugs have been broadly abused in the past

Security experts recommend that Exim server owners update to Exim version 4.94 to protect their systems against attacks.

The utmost urgency in applying this patch is recommended.

Previous Exim bugs disclosed during 2019 and 2020 have been broadly abused by both cybercrime botnets and nation-state threat actors.

The most widely abused Exim bug was CVE-2019-10149, a bug known as "Return of the WIZard," which was also abused by Russia's infamous Sandworm group, according to a warning issued by the US National Security Agency last year.

Other Exim bugs that were disclosed and abused in past attacks include CVE-2019-15846 and CVE-2018-6789.

Qualys said it would not be publishing exploits for all the 21Nails Exim bugs; however, it also said that its "advisory contains sufficient information to develop reliable exploits" if an attacker would be interested.

At the time of writing, there are more than 3.8 million Exim servers available online, according to a Shodan search. A serious patching effort is now needed from server owners and cloud providers to mitigate these issues before they come under attack, which is expected to happen if we take Exim's recent history into account.

Furthermore, attacks are even more likely to occur if we consider that email servers are a rich target for all espionage-focused threat actors and that Microsoft Exchange email servers were also targeted for this same purpose earlier this year.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.