This week the Censys Rapid Response team published an advisory on the recently disclosed Exim vulnerability tracked as CVE-2024-39929.
In Exim versions through 4.97.1, a bug in the parsing of multiline RFC 2231-encoded headers leads to incomplete parsing of attachment filenames. A remote sender could exploit this to bypass file-extension blocking controls and deliver malicious attachments, such as .exe executables, to users' email inboxes undetected.
This bug is concerning because of how widespread Exim is on public-facing mail servers. Censys identifies around 1.5 million Exim servers online that are potentially vulnerable.
However, exploiting this vulnerability alone is unlikely to fully compromise a server: a user still has to open and execute the attachment for any embedded malicious code to run.
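The defensive takeaway from the bug description is that an extension filter is only as good as the filename it is handed: RFC 2231 lets a single parameter be split into numbered continuations (filename*0*, filename*1*, ...) across folded header lines, and a check that looks at only the first fragment never sees the real extension. The following added example (written for this post, not Censys' or Exim's code) puts a hypothetical naive extractor next to one that reassembles the continuations with Python's standard email library, and runs both over a constructed message. The sample messages, the deny-list and the function names are all assumptions made for the illustration.

```python
import os
import re
import email
from email import policy
from typing import Optional

# Constructed sample message (not a real capture): the attachment filename is
# split into two RFC 2231 continuation parameters, each on its own folded line.
CONTINUATION_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: quarterly report\n"
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;\n"
    "\tfilename*0*=utf-8''report;\n"
    "\tfilename*1*=.exe\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "aGVsbG8=\n"
)

# Constructed control message with an ordinary single-line filename parameter.
PLAIN_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: notes\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain\n"
    "Content-Disposition: attachment; filename=\"notes.txt\"\n"
    "\n"
    "hello\n"
)

# Extension deny-list chosen here for illustration only.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".pif"}


def naive_filename(raw_message: str) -> Optional[str]:
    """Hypothetical weak extractor (not Exim's code): takes the first
    'filename...=' parameter it finds and never joins RFC 2231 continuations,
    so it sees only the first fragment of a split name."""
    match = re.search(r'filename[^=;]*=\s*"?([^";\n]+)"?', raw_message, re.IGNORECASE)
    return match.group(1) if match else None


def rfc2231_filename(raw_message: str) -> Optional[str]:
    """Reassemble the filename with the standard library, which joins
    filename*0*, filename*1*, ... in order and decodes the charset prefix."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return msg.get_filename()


def extension_blocked(filename: Optional[str]) -> bool:
    """Deny-list check on the extension; fails closed when no name was recovered."""
    if not filename:
        return True
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def compare(raw_message: str) -> dict:
    """Run both extractors over one message and report what each would decide."""
    weak = naive_filename(raw_message)
    full = rfc2231_filename(raw_message)
    return {
        "naive_filename": weak,
        "naive_blocked": extension_blocked(weak),
        "rfc2231_filename": full,
        "rfc2231_blocked": extension_blocked(full),
    }


if __name__ == "__main__":
    for label, raw in (("continuation", CONTINUATION_MESSAGE), ("plain", PLAIN_MESSAGE)):
        print(label, compare(raw))
```

On the continuation sample the naive extractor reports the fragment utf-8''report, which has no extension and passes the deny-list, while the reassembled name is report.exe and is blocked; on the plain sample both agree. The same principle applies to any gateway rule or detection signature that keys on attachment names: evaluate it against the fully decoded parameter, and treat a name that cannot be recovered as a reason to fail closed rather than to pass.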
Check out the post for more information. The team has provided the following Censys queries to track affected devices:
- Censys Search Query for Potentially Vulnerable Exposures:
services.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM Query for Potentially Vulnerable Exposures:
host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM Risk Query for customers:
risks.name="Vulnerable Exim Server [CVE-2024-39929]"
If you have any questions about this vuln or have suggestions for detecting it with Censys, leave them here!