Exim: Bypassing the attachment filter enables malicious code attachments

Attackers can bypass the attachment filtering of the Exim mail server, allowing them to deliver malicious attachments to mailboxes.

This article was originally published in German and has been automatically translated.

There is a serious vulnerability in the Exim mail transfer agent: its attachment filter can be bypassed, allowing attackers to smuggle potentially harmful file attachments into mailboxes.

When processing a file name that is spread over several header lines and encoded according to RFC 2231, Exim up to and including 4.97.1 mis-parses the name. This allows remote attackers to bypass an extension-blocking mechanism built on the $mime_filename variable and, as a result, potentially deliver executable attachments to users' mailboxes, according to the description in the CVE entry (CVE-2024-39929).
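To make the bug class concrete, the following is an added Python example (written for this article; it is neither Exim's code nor the article's own). It unfolds a multi-line Content-Disposition header, joins the RFC 2231 continuation sections (filename*0*, filename*1*, ...), decodes them, and only then checks the extension against a block list. Next to it stands a deliberately naive checker that looks only at the first fragment it finds in the raw header, which is what a filter that does not reassemble continuations effectively does, and which therefore lets the executable through. The sample headers, the block list and the naive checker are constructed for illustration and do not claim to reproduce the exact defect in Exim's parser.

```python
import re
from urllib.parse import unquote_to_bytes

# Illustrative block list (an assumption, not Exim's default configuration).
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "msi"}

# Constructed sample headers, not captured mail. The first two fold the header over
# several lines and split the name into RFC 2231 sections, so no line shows ".exe".
FOLDED_HEADER = (
    "Content-Disposition: attachment;\r\n"
    " filename*0*=utf-8''invoice%20;\r\n"
    " filename*1*=2024.ex;\r\n"
    " filename*2*=e\r\n"
)
QUOTED_SECTIONS = (
    "Content-Disposition: attachment;\r\n"
    ' filename*0="setup.";\r\n'
    ' filename*1="exe"\r\n'
)
PLAIN_HEADER = 'Content-Disposition: attachment; filename="report.pdf"\r\n'


def unfold(header: str) -> str:
    """Undo RFC 5322 folding: a line break followed by whitespace becomes one space."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def split_params(value: str) -> list[str]:
    """Split a header value on ';', ignoring semicolons inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def rfc2231_params(header: str) -> dict[str, str]:
    """Unfold a header, parse its parameters and join RFC 2231 continuations.

    Keys may be name, name*, name*N or name*N*: a trailing '*' marks a percent-encoded
    section, and the first encoded section may carry a charset'language' prefix.
    """
    _, _, value = unfold(header).partition(":")
    raw: dict[str, str] = {}
    for piece in split_params(value)[1:]:          # piece [0] is the disposition type
        key, eq, val = piece.partition("=")
        if eq:
            raw[key.strip().lower()] = val.strip()

    sections: dict[str, dict[int, tuple[bool, str]]] = {}
    for key, val in raw.items():
        m = re.fullmatch(r"([^*]+)(?:\*(\d+))?(\*)?", key)
        if m:
            name, idx, enc = m.group(1), m.group(2), m.group(3) is not None
            sections.setdefault(name, {})[int(idx) if idx else 0] = (enc, val)

    params: dict[str, str] = {}
    for name, secs in sections.items():
        charset, out = "utf-8", bytearray()
        for idx in sorted(secs):                   # join sections in index order
            enc, val = secs[idx]
            if enc:
                if idx == 0 and val.count("'") >= 2:
                    charset, _lang, val = val.split("'", 2)
                out += unquote_to_bytes(val)
            else:
                if len(val) >= 2 and val[0] == val[-1] == '"':
                    val = val[1:-1]
                out += val.encode("utf-8")
        params[name] = out.decode(charset or "utf-8", errors="replace")
    return params


def extension_of(filename: str) -> str:
    """Lower-cased extension of the last path component, or '' if there is none."""
    base = re.split(r"[\\/]", filename)[-1]
    _, dot, ext = base.rpartition(".")
    return ext.strip().lower() if dot else ""


def is_blocked(header: str) -> bool:
    """Hardened check: decide on the fully reassembled and decoded file name."""
    return extension_of(rfc2231_params(header).get("filename", "")) in BLOCKED_EXTENSIONS


def naive_is_blocked(header: str) -> bool:
    """Constructed contrast, not Exim's code: inspects only the first filename
    fragment found in the raw header, before continuation sections are joined."""
    m = re.search(r'filename(?:\*0)?\*?=\s*"?([^";\r\n]*)', header, re.IGNORECASE)
    if not m:
        return False
    frag = m.group(1)
    if frag.count("'") >= 2:                       # drop a charset'lang' prefix
        frag = frag.split("'", 2)[2]
    frag = unquote_to_bytes(frag).decode("utf-8", errors="replace")
    return extension_of(frag) in BLOCKED_EXTENSIONS
```

For FOLDED_HEADER the reassembled name is "invoice 2024.exe" and for QUOTED_SECTIONS it is "setup.exe"; is_blocked() rejects both, while naive_is_blocked() sees only "invoice " or "setup." and accepts them. PLAIN_HEADER ("report.pdf") passes both checks. The lesson carries over to any filter keyed on a file name, including an Exim MIME ACL that tests $mime_filename: the decision must be taken on the name as the recipient's client will reconstruct it, which for Exim means running a patched version rather than tightening the ACL pattern.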

Red Hat rates the severity of the vulnerability as high and notes that user interaction is still required to execute such an attachment. The Exim developers classify it as a serious security vulnerability. The BSI's CERT-Bund assigns it a CVSS score of 9.1 and thus rates it critical.

A fix is included in Release Candidate 3 of Exim 4.98. Anyone running Exim should update to this or a newer version; `exim -bV` prints the version currently installed.

Last September, the Exim mail server had a vulnerability classified as critical that allowed attackers to inject and execute malicious code (CVE-2023-42115, CVSS 9.8). The developers provided updated software that closed that gap as well.

Email security should of course also include employee training: despite server-side filters, malicious attachments can still reach end users, who therefore need to know how to handle them safely. Server-side measures help too, for example rejecting mail from unauthorized mail servers (or botnet drones) before it is accepted at all. The BSI provides information on email authentication with SPF, DKIM and DMARC in a technical guideline.

(dmk)