CVE-2020-12783
📋 TL;DR
CVE-2020-12783 is an out-of-bounds read vulnerability in Exim's SPA/NTLM authentication module that could allow authentication bypass. Attackers could potentially authenticate without valid credentials by exploiting this memory-safety issue. It affects Exim mail servers configured with SPA/NTLM authentication.
💻 Affected Systems
- Exim
📦 What is this software?
Exim by Exim
Fedora by Fedoraproject
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to mail services, potentially leading to email interception, spam relay, or further system compromise.
Likely Case
Authentication bypass enabling unauthorized mail server access, though exploitation requires specific conditions and attacker knowledge of the vulnerability.
If Mitigated
Minimal impact if SPA/NTLM authentication is disabled or proper network segmentation isolates vulnerable systems.
🎯 Exploit Status
Exploitation requires sending specially crafted authentication requests to vulnerable Exim instances with SPA/NTLM enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.93.0.4 and later
Vendor Advisory: https://bugs.exim.org/show_bug.cgi?id=2571
Restart Required: Yes
Instructions:
1. Update Exim to version 4.93.0.4 or later.
2. Apply patches from Exim git repository.
3. Restart Exim service.
🔧 Temporary Workarounds
Disable SPA/NTLM Authentication
Disable the vulnerable authentication mechanism if it is not required
Edit the Exim configuration to remove or comment out the SPA/NTLM auth options
Set 'auth_spa = false' in configuration
🧯 If You Can't Patch
- Disable SPA/NTLM authentication in Exim configuration
- Implement network-level controls to restrict access to Exim authentication endpoints
🔍 How to Verify
Check if Vulnerable:
Check Exim version with 'exim --version' and verify if SPA/NTLM auth is enabled in configuration
Check Version:
exim --version | head -1
Verify Fix Applied:
Verify Exim version is 4.93.0.4 or later and test authentication functionality
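The two checks above (version and whether SPA/NTLM is enabled) can be scripted. The following is an added example, not code from the Exim project or from this page's source: the function names are hypothetical, the sample configuration is constructed, and it assumes authenticators are declared in the main file's `begin authenticators` section with `driver = spa` (macros and `.include`d files are not followed).

```shell
# Added example: offline audit helpers for CVE-2020-12783 exposure.
FIXED_VERSION="4.93.0.4"   # fixed release as stated on this page
# Extract the version from the first line of `exim --version` output.
parse_exim_version() {
    printf '%s\n' "$1" | awk '$1 == "Exim" && $2 == "version" { print $3; exit }'
}

# Exit 0 when dotted version $1 is lower than $2 (missing fields count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print the name of each authenticator (config on stdin) using "driver = spa".
spa_authenticators() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || $0 == ""            { next }
        tolower($1) == "begin"      { in_auth = (tolower($2) == "authenticators"); next }
        !in_auth                    { next }
        /^[A-Za-z0-9_]+:$/          { name = substr($0, 1, length($0) - 1); next }
        /^driver[ \t]*=[ \t]*spa$/  { print name }
    '
}

# Constructed sample configuration (not from a real host).
sample_config() {
cat <<'EOF'
begin authenticators
plain_login:
  driver = plaintext
# old_ntlm:
#   driver = spa
ntlm_server:
  driver = spa
EOF
}

# Print spa-disabled / exposed / patched for a version line ($1) and config file ($2).
assess() {
    [ -n "$(spa_authenticators < "$2")" ] || { echo spa-disabled; return; }
    if version_lt "$(parse_exim_version "$1")" "$FIXED_VERSION"; then echo exposed; else echo patched; fi
}
```

On a live host, pass the output of `exim --version | head -1` and the path of your configuration file to `assess`. Distribution packages often backport the fix without changing the upstream version string, so confirm an "exposed" result against the distribution advisory listed in the references.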
📡 Detection & Monitoring
Log Indicators:
- Failed SPA/NTLM authentication attempts with unusual patterns
- Successful authentications from unexpected sources
Network Indicators:
- Unusual authentication traffic to Exim ports (typically 25, 587, 465)
- SPA/NTLM protocol anomalies
SIEM Query:
source="exim" AND ("SPA" OR "NTLM") AND (authentication OR auth)
🔗 References
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- https://bugs.exim.org/show_bug.cgi?id=2571
- https://git.exim.org/exim.git/commit/57aa14b216432be381b6295c312065b2fd034f86
- https://git.exim.org/exim.git/commit/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
- https://lists.debian.org/debian-lts-announce/2020/05/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6IQQ2SERFUD4WMRSX6XYDNK7Q4GPT7Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7Z5UG6ZIG32V7M4PP3BCC65C27EWK7G/
- https://usn.ubuntu.com/4366-1/
- https://www.debian.org/security/2020/dsa-4687