
July 16, 2024

Critical vulnerability discovered in world’s most popular email server


A critical vulnerability has recently been discovered in the world’s most popular Mail Transfer Agent (MTA) known as Exim. The flaw, designated CVE-2024-39929, could allow threat actors to bypass a filename extension filter to deliver malicious executable files, which would otherwise be blocked, as attachments to targeted mailboxes.

According to various reports, Exim accounts for 59 - 74% of all MTAs reachable on the internet worldwide. A recent scan conducted by Censys revealed that over 1.5 million publicly exposed Exim MTAs could be potentially vulnerable to CVE-2024-39929, providing a huge attack surface for threat actors.

While a proof-of-concept (PoC) exploit for CVE-2024-39929 is publicly available, so far there is no evidence that the vulnerability has been actively exploited in the wild. Exim’s developers released a patch that addresses CVE-2024-39929 on July 10 and are encouraging impacted users to upgrade as soon as possible.

Source: Bleeping Computer

Analysis

CVE-2024-39929 could have a significant impact on an organization's cybersecurity, given that it strips away an important security mechanism that proactively blocks potentially malicious executables from reaching the target's mailbox. With this mechanism gone, it is now entirely up to the human receiving the email whether they open the malicious attachment, ultimately compromising their machine if they do.

Organizations that have trained their employees how to recognize and report potentially malicious emails will obviously fare better than those that rely on security mechanisms alone when CVE-2024-39929 is eventually exploited on unpatched Exim instances.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Exim. Field Effect MDR users were automatically notified if a vulnerable version of Exim was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends users of affected Exim MTA versions update to the latest version as soon as possible, following the advisory. Additionally, Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign.
