21Nails Vulnerabilities Impact 60% of the Internet's Email Servers

The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. The Record reports: Known as 21Nails, the vulnerabilities were discovered by security firm Qualys. The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations. While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet. The 21Nails vulnerabilities, if left unpatched, could allow threat actors to take over these systems and then intercept or tamper with email communications passing through the Exim server.

As Qualys explains in its security advisory, the 21Nails vulnerabilities are as bad as it gets. All Exim server versions released in the past 17 years, since 2004, the beginning of the project's Git history, are affected by the 21Nails bugs. This includes 11 vulnerabilities that require local access to the server to exploit, but also 10 bugs that can be exploited remotely across the internet. Security experts recommend that Exim server owners update to Exim version 4.94 to protect their systems against attacks.

Yikes

[Aighearach]

Hopefully this "21st nail" fad wears off, I mean, I don't care what color you paint your nails, but that 21st thing you painted, wasn't your pinkie.

Re: Yikes

[e3m4n]

If it was mistaken for one it says much about their stature.

Editors wanted: apply within!

[mrsam]

a type of email server known as a mail transfer agent (MTA)

This is somewhat analogous "a type of a car known to have four wheels".

Re: Editors wanted: apply within!

[Your Father]

I do enjoy the article saying we have 60 percent of email servers being Exim. That is the biggest joke statistic possible - maybe it makes sense if you count residential ISP MTAs. No chance it holds up for fortune 500s.

Re: Editors wanted: apply within!

[NateFromMich]

Cpanel uses exim, and that means a whole crapload of service are using it.

Re:

[Bert64]

It's likely that most of them aren't email servers, they simply have exim installed because it came by default or because it got pulled in as a dependency for something else (eg it's used to send outbound email notifications). Most of these people probably aren't even aware that exim is installed.

Re:

[www.sorehands.com]

90% of all statistics are made up.

Re:

[what2123]

No way, it's only 82%

Re: Editors wanted: apply within!

[e3m4n]

I know right?? I was thinking the exact same thing. Bbowlby Who on slashdot doesnt know the roles of an MTA and an MDA?

Re:

[jmccue]

You are both wrong, 97.5% are made up. Since that figure meets the standard deviation it is true.

Re:

[amorsen]

No, they are actually correct. The MTA only moves messages between servers. The Mail Delivery Agent (MDA) then drops the mail into the right folder/database. Dovecot is an MDA without being an MTA. Exim has a built-in MDA for simple setups, but it appears that it is the MTA part that has the bugs, not the MDA part.

Sadly Exim has decided to surpass Sendmail in every way, including number of critical vulnerabilities.

âoeSecurity expertsâ

[anomaly256]

> Security experts recommend that Exim server owners update to Exim version 4.94 to protect their systems against attacks. Those âoesecurity expertsâ should be recommending people remove exim from their networks entirely.

Re:

[bill_mcgonigle]

Yeah. Literally the first thing I do upon being handed a debian vm is 'apt remove exim' and puppet will install postfix later.

I can't believe Debian still has Exim by default after all these years of problems.

Re: âoeSecurity expertsâ

[e3m4n]

I guess it coulda been sendmail. No decades of vulnerability there ;-)

Re:

[UPi]

At least the Debian security people are on top of this. I just read this article and my pulse skipped a beat, but it turns out, my servers have already updated to exim4 4.92-8+deb10u6, which contains the fixes for security vulnerabilities reported by Qualys. The new build, released on 1st May, is based on a fix branch in the exim git repository, backporting the robustness improvements from the 4.94.3 release.

It is unclear when the CVE's mentioned in the article were disclosed to the Exim / Debian project

Re:

[kot-begemot-uk]

CVEs are still in reserved state and we cannot read detailed break-down for each of the bugs.

All of these have been found by static code analysis. At this point in time, static code analysers tend to find only very obscure bugs in major projects.

Without reading the CVEs and corresponding code it is not clear if these are exploitable at all.

Re:

[cc1984_]

Without reading the CVEs and corresponding code it is not clear if these are exploitable at all.

May want to watch the video here. The exploits are incredibly exploitable.

https://blog.qualys.com/vulner... [qualys.com]

Re:

[kot-begemot-uk]

The last two CVE-2020-28018 (and probablyCVE-2020-28025) do look like they apply to Debian. It builds with gnutls, not openssl.

Re:

[kot-begemot-uk]

Not enough coffee: not do look, but do not look.

Re:

[Lev_Arris]

It is unclear when the CVE's mentioned in the article were disclosed to the Exim / Debian projects.

November 2020. Qualys' blog post has the disclosure timeline at the bottom: https://blog.qualys.com/vulner... [qualys.com]

Postfix FTW

[niftydude]

Not gonna lie - right now I'm pretty happy that I made postfix my mail server of choice all those decades ago.

Re:

[green1]

I read that list, there's nothing in there that's particularly scary. Certainly nothing that would allow a remote attacker to take over your system

Re:

[iggymanz]

So none in last 7 years exploitable remotely, and that remote one was with people silly enough to use mysql database with it.

Try harder to discredit postfix, bitch, you're sucking at it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Market share figure sounds suspect

[dskoll]

Really, 60% of mail servers? Maybe if you count all the Debian (and maybe Ubuntu?) installations that have Exim installed by default. But even those, I believe, have it listen to 127.0.0.1 only by default.

Real security experts will say "Get rid of Exim and install Postfix."

Re:

[Tom]

Real security experts will say "Get rid of Exim and install Postfix."

I actually opened the comment section to see if someone will post just why Exim became the default. It's literally the first thing I remove on every server I set up.

Re:

[OolimPhon]

Actually whenever I do an install I get rid of exim and install nullmailer.

Exim not a common MTA

[rrjj]

There's no way exim has even a 6% market share much less 60, so take the article with a grain of salt. All of the largest ESPs and appliances run postfix as do most smaller shops so the issue will not be as significant as the article suggests.

Re:

[Guspaz]

http://www.securityspace.com/s... [securityspace.com]

That puts Exim at 59.19%.

https://mailtrap.io/blog/postf... [mailtrap.io]

That puts Exim as 56.88%

I can't find any data contradicting Exim being around a 60% marketshare.

Re:

[WhatAreYouDoingHere]

I found this interesting, on the first link you posted, of the servers running exim, 46% are running version 4.94, which the /. summary claims to be the latest version, not impacted by these vulnerabilities. So, roughly 60% run exim, but only 54% of those (32.4% overall) are actually impacted by these vulnerabilities. Their survey was just done last month, results posted May 1st.

Re:

[Guspaz]

Exim 4.94 was released on 2020-06-01 ( https://github.com/Exim/exim/r... [github.com] ). The current version is 4.94.2. I'd say the article is probably missing the .2 on the end, as some of these CVEs were disclosed quite recently and can't have been fixed in the original 4.94 release.

What happened to Qmail?

[Anonymous Coward]

I don't see it anywhere on the list. I thought it was one of the most secure options and had a long track record of success and a fairly strong following still...?

DJB being a contrairian

[raymorris]

As you may know, the author of qmail by default always starts with the assumption that he should do the opposite of what everyone else does, that everyone else must be wrong. That's pretty much what happened to qmail.

Everyone else would use an open source license to allow people to use their software. Therefore DJB refused to. He'd just say "it's public domain", which works in the US but means people in Europe can't legally use it.

Everyone else followed a standard for file locations so that you could do ba

Re:

[Tom]

He'd just say "it's public domain", which works in the US but means people in Europe can't legally use it.

How so?

Re:

[OrangeTide]

you can't prove that PD software is legal in the EU. the concept doesn't work there. I find it a bit of a leap to say that can't prove it's legal to be the same as illegal though.

Re:

[Tom]

That used to be true. Since the early 2000s, the laws in many european countries have been adapted, often to ensure that Free Software licenses work as expected.

While today there are some differences in opinion about the equivalence of PD, the general consensus is not that you can't have it, but that unlike in the US, you cannot as an author give up all rights, specifically that you will always remain the author. As such you can grant other people, including the public, whatever rights you want to grant, bu

Re:

[OrangeTide]

Let me be crystal clear. Free Software is not public domain.

Public domain, where you have giving up all of your rights or had no exclusive rights to begin with, is a thing and exists in the US. It's difficult to apply to software written in modern times though, but there are cases where it is possible.

Re:

[Tom]

Yes, I know.

I was saying: Free Software was the REASON that laws got changed, but the changes also clarified the status of public domain and copyleft.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[raymorris]

> What do you think things that are out of copyright are classified as? Declaring your own work "public domain" long before you're dead is obviously unusual

That's like saying that your tree is a horse. It doesn't make it so.
The concept of horse exists, that doesn't mean that saying "that tree is a horse" makes it a horse.

In fact, there is specific law that authors *cannot* give up all rights. That law is so they don't get strong-armed into doing so.

They can use CC0 to grant other people rights. They can'

Re:

[raymorris]

I should have specified:

"They can use CC0 to grant other people rights" - and DJB refuses to do so.

Several COUNTRIES and the Berne Convention say "you can't just make things public domain by claiming they are", so being DJB, he decided that must be wrong. Whatever everyone else says it does, he says and does the opposite. Lawyers say that if he wants to allow people to use it he needs to make a statement saying that (a license), so he refuses to do so. Because he's never, ever going to do anything that eve

Re:

[OrangeTide]

Sums it up nicely. I'd like to add that even if DJB is technically wrong, it's easy to be sympathic. The real world policy is pretty stupid. It argues that we have rights to our works, but not the right to abandon those rights. The disadvantage of DJB's position is fewer people are going to use his software, but it is his software he can deal with it however he chooses. If people don't like DJB's interpretation of public domain and copyrights, then people are free to create their own software a CC0 or BSD0

Re:

[raymorris]

I not the least bit sympathetic to someone whose basic operating principle in life is "I'm clearly smarter than the entire rest of the word combined, they are all absolute idiots, so whatever every expert says is needed, I shall do the opposite."

Also "because everyone else in the world is automatically wrong, when on any committee or in any group I shall automatically fight against any and all ideas which are mentioned by anyone but me". We wasted countless hours in situations with 14 people would agree on

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[raymorris]

You may have forgotten that qmail is open source.
Lots of people have contributed patches.

DJB wrote the first draft. That doesn't mean he gets decide I can't protect my copyright. Especially in a country.with a statute that explicitly says that wouldn't be lawful.

Re:

[raymorris]

By the Berne Convention copyright springs into being when the work is authored. It's unlawful to use it without a license.

That's it. If you don't have a license, it's unlawful. The only facts to "prove" are a) you used it and b) you don't have license.

With no license existing for qmail, using it is unlawful *as a matter of law*.

Re:

[OrangeTide]

and I can only come up with very contrived hypotheticals where you'd be prosecuted, who would even have standing in such a case? and would the damages be greater than zero?

Re:

[raymorris]

> who would even have standing in such a case?

Every contributor ever?

Dan wrote the first draft. Lots of people contributed patches.

Re:

[OrangeTide]

which works in the US but means people in Europe can't legally use

I'm curious who would prosecute you? I release stuff as PD. and I redistribute fonts without permission that is copyright in Germany but PD in the US. (obviously while I'm in the US and to others in the US)

Google doesn't like to us PD software. They have a lot of corporate policy that steers their engineers away from it. It's too complicated for the legal staff to deal with. In practice, I can't think of any time someone had to defend themselves for Qmail or SQLite or whatever. But of course it's easier to

Re:

[raymorris]

CC0 is written to do what you seem to be wanting to do.
If you just release it under Creative Commons Zero you'll get the effect you're looking for, with the legal Ts crossed.

Re:

[raymorris]

> Once you go the route of using a license it generally requires every piece of software

Where do you see that requirement in CC0?

https://creativecommons.org/sh... [creativecommons.org]

No license means you can't use it. Copyright is automatic.undet the Convention.

> CC0 is not the same as public domain

It's ~ the same as what Americans mean when they say "public domain". Those words have different meanings in different countries, and no meaning at all in some countries.

> Those that live in a jurisdiction ...

If you want on

Re:

[Junta]

He only declared it so in 2007. Before that it was a weird situation where it wasn't really clear how far you could push it, so generally people didn't bother to distribute it, and when it was redistributed, they generally avoided compiled binaries, so that they could include the patches and the original archive separate and the user would integrate them.

By 2007, the best ideas of qmail (particularly Maildir) had found their ways into other mail software, so it was less interesting by the time it was declar

Case for Rust?

[mugurel]

Although I've never programmed in Rust, I'm interested in its advantages in terms of code security. Looking at the list of vulnerabilities in TFA, it seems at least 12 out of 21 are due to overflow or out-of-bounds errors that would have been prevented if Exim had been written in Rust. Please correct me if I'm wrong.

Kubernetes + mail server image

[fabriciom]

I moved all my servers/services to kubernetes this year. There are several images for unix mail servers to chose from and don't need to create one on your own. https://github.com/docker-mail... [github.com] https://github.com/Mailu/Mailu [github.com]

Seriously, people still use Exim? 61 percent???

[Hizonner]

You might as well use sendmail. You'd get about the same configuration experience and the same proud tradition of horrible bugs.

Yech.