Patch Confusion For Critical Exim Bug Puts Email Servers At Risk - Again

Dark Reading, Wednesday, October 4, 2023

Defenders have been left scrambling by the way patches were released for six flaws in the open source mail server, which is the most popular mail transfer agent on the Internet.

A disorderly disclosure process last week led to the release of information on six vulnerabilities in the Exim mail transfer agent - with the disclosures coming five days before the maintainers released patches for the issues. This left organizations potentially open to attack, including to the most serious flaw, a critical remote code execution (RCE) vulnerability.

The most recent six vulnerabilities run the gamut from information disclosure issues rating a 3.1 on the Common Vulnerability Scoring System (CVSS) to the aforementioned RCE bug, which appears to be exploitable through a simple email message with no authentication, earning a 9.8 on the 10-point CVSS, according to the Zero Day Initiative's listing of published advisories.
