On October 2, 2023, Exim released security fixes for an out-of-bounds write remote code execution (RCE) vulnerability (CVE-2023-42115, CVSS: 9.8). This vulnerability affects the Simple Mail Transfer Protocol (SMTP) service and is caused by improper validation of user input. A threat actor can remotely exploit CVE-2023-42115 by writing data beyond the boundaries of a buffer, which leads to the execution of arbitrary code.
At this time, Arctic Wolf has not observed a public Proof of Concept (PoC) or active exploitation of this vulnerability in the wild. Exim is a widely used mail transfer agent (MTA) on Unix-based systems, with over 3.5 million servers exposed to the internet globally. This widespread accessibility makes CVE-2023-42115 an appealing target for threat actors interested in crafting an exploit for this vulnerability, especially considering that multiple Exim vulnerabilities have been added in the past to CISA’s Known Exploited Vulnerabilities catalog.
On September 27, 2023, Zero Day Initiative (ZDI) publicly disclosed CVE-2023-42115, along with five other vulnerabilities in Exim. The fixes released by Exim also address two of these vulnerabilities, which are likewise related to improper input validation, while efforts are ongoing to resolve the remaining three vulnerabilities.
Recommendation for CVE-2023-42115
Upgrade Exim to Version 4.96.1
Arctic Wolf strongly recommends upgrading to the latest version of Exim (4.96.1).
Instructions for upgrading can be found in Exim’s security advisory.
Please follow your organization's patching and testing guidelines to avoid operational impact.
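The following POSIX shell script is an added example for checking whether a host's Exim build is at or above the fixed release named above; it is not part of the Arctic Wolf bulletin or of the Exim project. It parses the version line that `exim -bV` prints ("Exim version 4.96 #2 built ..." is a constructed sample of that format) and compares dotted versions numerically, field by field, so that 4.96 sorts below 4.96.1 and 4.100 sorts above it, which a plain string comparison would get wrong. The function names, the sample output line and the FIXED_VERSION constant are this example's own assumptions, with the fixed version taken from the bulletin.

```sh
#!/bin/sh
# Added example (not from the advisory): is the installed Exim at or above
# the release the bulletin says to upgrade to?
FIXED_VERSION="4.96.1"   # fixed release named in the bulletin

# Pull the numeric version out of `exim -bV` output.
# $1: the full text of that output. Prints e.g. "4.96" or "4.96.1".
# Only digits and dots are kept, so a distro suffix such as "-15+deb12u2"
# is dropped (see the caveat in the usage note).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions numerically, field by field.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing trailing
# fields count as 0, so "4.96" equals "4.96.0" and is below "4.96.1".
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
        # Drop the field just compared; clear the string when none remain.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Exit status 0 when $1 is at or above FIXED_VERSION; 1 otherwise.
# An empty version (parse failure) is treated as not fixed.
exim_is_fixed() {
    [ -n "$1" ] || return 1
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Constructed sample of the first line `exim -bV` prints, used for a dry run.
SAMPLE_BV="Exim version 4.96 #2 built 10-Jan-2023 12:00:00"

# When a real exim binary is present, check it; otherwise only the sample runs.
if command -v exim >/dev/null 2>&1; then
    live=$(exim_version_from_bv "$(exim -bV 2>/dev/null)")
    if exim_is_fixed "$live"; then
        echo "installed exim $live: at or above $FIXED_VERSION"
    else
        echo "installed exim ${live:-unknown}: below $FIXED_VERSION, upgrade required"
    fi
fi
```

Caveat for practitioners: some distributions backport security fixes into a package whose upstream version string stays at 4.96 (the script reports such a build as "below 4.96.1"), so on a distro-packaged Exim confirm the fix through the package changelog or the vendor's advisory rather than the version number alone. The script's own checks are reliable only for upstream builds.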