Attackers can exploit a critical security flaw, tracked as CVE-2024-39929 (CVSS score of 9.1), in the Exim mail transfer agent to deliver malicious attachments to target users’ inboxes.<\/p>\n\n\n\n
Exim is a widely used Mail Transfer Agent (MTA) designed to route, deliver, and receive email messages. Developed initially for Unix-like systems, Exim is known for its flexibility and configurability, allowing administrators to customize its behavior extensively through configuration files.
Exim versions up to 4.97.1 are affected by a vulnerability that misinterprets multiline RFC 2231 header filenames. This flaw allows remote attackers to bypass the $mime_filename extension-blocking protection, potentially delivering executable attachments to user mailboxes.
“Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users,” read the advisory<\/a>.<\/p>\n\n\n\n
According to cyber security firm Censys, there are 6,540,044 public-facing SMTP mail servers and 4,830,719 (~74%) are running Exim<\/a>.<\/p>\n\n\n\n
“As of July 10, 2024, Censys observes\u00a01,567,109<\/a>\u00a0publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada. So far,\u00a082<\/a>\u00a0public-facing servers show indications of running a patched release of 4.98.” reads the report<\/a> published by Censys.<\/p>\n\n\n\n
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, malware)<\/strong>