Exim Server bug(21Nails) exposes millions of mail servers

Exim server maintainers have issued updates to fix up to 21 security flaws in the software that could enable unauthenticated attackers to gain complete remote code execution and root privileges.


The bugs, collectively known as ’21Nails,’ include 11 vulnerabilities that require local access to the server and ten others that can be exploited remotely.


Qualys discovered the problems and notified Exim on October 20, 2020.


Any of the vulnerabilities can be chained together, according to Bharat Jogi, senior manager at Qualys, to gain full remote unauthenticated code execution and root privileges on the Exim Server.


The majority of the flaws found by the Qualys Research Team affect all versions of Exim server dating back to 2004.


Latest in Cybersecurity: Dell BIOS vulnerability puts millions of Dell devices at risk



Exim server is a widely used mail transfer agent (MTA) for Unix-like operating systems, with the programme running on more than 60% of publicly accessible mail servers on the Internet.


Nearly four million Exim servers are exposed online, according to Shodan quest.


Also read: N3TW0RM ransomware suspected of targeting Israeli firms


When successfully exploited, the vulnerabilities could be used to change email settings and even add new accounts to the compromised mail servers.


The following are among the 21 bugs:


Local vulnerabilities:

  • CVE-2020-28007: Link attack in Exim’s log directory
  • CVE-2020-28008: Assorted attacks in Exim’s spool directory
  • CVE-2020-28014: Arbitrary file creation and clobbering
  • CVE-2021-27216: Arbitrary file deletion
  • CVE-2020-28011: Heap buffer overflow in queue_run()
  • CVE-2020-28010: Heap out-of-bounds write in main()
  • CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
  • CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
  • CVE-2020-28015: New-line injection into spool header file (local)
  • CVE-2020-28012: Missing close-on-exec flag for privileged pipe
  • CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities:


  • CVE-2020-28017: Integer overflow in receive_add_recipient()
  • CVE-2020-28020: Integer overflow in receive_msg()
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
  • CVE-2020-28021: New-line injection into spool header file (remote)
  • CVE-2020-28022: Heap out-of-bounds read and write in xtract_option()
  • CVE-2020-28026: Line truncation and injection in spool_read_header()
  • CVE-2020-28019: Failure to reset function pointer after BDAT error
  • CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
  • CVE-2020-28018: Use-after-free in tls-openssl.c
  • CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()


Email servers have become a lucrative target for espionage campaigns, so the patches should be applied as soon as possible.


Mail Transfer Agents, according to Jogi, are attractive targets for attackers because they are often accessible through the internet.


They could change sensitive email settings on the mail servers and enable adversaries to build new accounts on the target mail servers until they were exploited.