News of the remote code execution vulnerability in the Exim mail server (CVE-2017-16943), disclosed over Thanksgiving, is only now reaching the thousands of administrators who rely on this application to handle email for their enterprise. The issue is relatively simple to mitigate for organisations running Exim in their environment, but it needs to be done quickly. Tod Beardsley, Rapid7’s research director, has provided comment on the issue. You can also find additional details within Rapid7’s blog post.
Tod Beardsley, Research Director at Rapid7:
“News of CVE-2017-16943, a remote code execution vulnerability in the exim email server, is just now reaching the thousands of exim administrators who rely on this application to handle email for their enterprise. On early Thursday morning, November 23, researcher “meh” posted details, and a simple proof-of-concept, to the exim bug tracker.
Rapid7 strongly urges anyone who has not yet moved their email services to the cloud to double check their mail transfer agents. If you’re running exim (as opposed to Postfix, Exchange, or Sendmail), and you haven’t yet disabled chunked data transfers (which is a one-line, non-default configuration change), you’d do well to avoid a local email catastrophe by setting `chunking_advertise_hosts` to an empty value.
Without this configuration change, exim mail servers can be exploited to trigger a remote code execution vulnerability, which effectively gives total control of the server to a remote unauthenticated attacker. This is the best mitigation available today — a patch has been committed to the master source code, but it has not yet been shipped.
We do not have any indication that this issue is being actively exploited in the wild yet, but fully expect a functional exploit to surface soon.”
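The mitigation above works because the vulnerable code path is only reachable through the BDAT command, which a client may use only after the server has advertised the CHUNKING extension in its EHLO reply. Setting `chunking_advertise_hosts` to an empty value (the line `chunking_advertise_hosts =` in the main section of the Exim configuration; `exim -bP chunking_advertise_hosts` prints the effective value) stops Exim from advertising it. The following is an added example, not code from Rapid7 or the Exim project, that checks the mitigation from the outside by parsing an EHLO reply for the CHUNKING keyword. The two sample replies and the hostnames in them are constructed for illustration; the `probe` function performs a live SMTP connection and is only for use against hosts you are authorised to test.

```python
"""Check whether an SMTP server still advertises CHUNKING (BDAT).

CVE-2017-16943 is reached through Exim's BDAT handling, and a client may
only issue BDAT if the server listed CHUNKING in its EHLO response. A server
that no longer advertises CHUNKING therefore has the recommended mitigation
(chunking_advertise_hosts set to an empty value) in effect.
"""
import smtplib
import sys

# Constructed sample EHLO replies (not captured from any real server).
# Exim with the default chunking_advertise_hosts = * advertises CHUNKING:
VULNERABLE_EHLO = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# Same server after setting "chunking_advertise_hosts =" (empty):
MITIGATED_EHLO = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response):
    """Return the set of ESMTP keywords announced in a raw EHLO reply.

    The first line ('250-host greeting') carries no extension. Every later
    line is '250-KEYWORD [params]' or, for the final line, '250 KEYWORD'.
    Keywords are case-insensitive, so they are normalised to upper case.
    """
    lines = [l for l in response.replace("\r\n", "\n").split("\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % response[:40])
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected line in EHLO reply: %r" % line)
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if not body:
            continue
        extensions.add(body.split()[0].upper())
    return extensions


def advertises_chunking(response):
    """True if the EHLO reply lists CHUNKING, i.e. BDAT would be accepted."""
    return "CHUNKING" in parse_ehlo_extensions(response)


def probe(host, port=25, helo_name="check.example.test", timeout=10):
    """Live check: EHLO the server and report whether CHUNKING is offered.

    smtplib records the parsed extension list in esmtp_features (keys are
    lower-cased), so the raw reply does not need to be re-parsed here.
    Returns (advertises_chunking, set_of_keywords).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected by %s:%d (code %d)" % (host, port, code))
        features = {name.upper() for name in conn.esmtp_features}
    return "CHUNKING" in features, features


if __name__ == "__main__":
    # Usage: python check_chunking.py mail.example.test [port]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("sample (vulnerable):", advertises_chunking(VULNERABLE_EHLO))
        print("sample (mitigated): ", advertises_chunking(MITIGATED_EHLO))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        chunking, feats = probe(target, port)
        print("%s:%d advertises CHUNKING: %s" % (target, port, chunking))
        print("extensions:", ", ".join(sorted(feats)))
```

Note that this only tells you what the server is willing to offer to the probing client; because `chunking_advertise_hosts` is a host list, a server may still advertise CHUNKING to other source addresses, so the authoritative check remains the configuration value on the host itself.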