CVE-2021-38371

7.5 HIGH

📋 TL;DR

This vulnerability in Exim's STARTTLS implementation allows an attacker to inject responses into an SMTP session by exploiting a buffering flaw in the STARTTLS transition. It affects Exim mail servers that use STARTTLS for encrypted connections. An attacker could manipulate mail delivery or, in the worst case, execute commands.

💻 Affected Systems

Products:
  • Exim
Versions: through 4.94.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using STARTTLS. Systems without STARTTLS enabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, email interception, or mail server takeover.

🟠 Likely Case

Email manipulation, SMTP command injection, or denial of service affecting mail delivery.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only affecting mail processing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to SMTP port and STARTTLS usage. Public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.94.3 and later

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2021-38371.txt

Restart Required: Yes

Instructions:

1. Download Exim 4.94.3 or later from exim.org.
2. Compile and install following the official documentation.
3. Restart the Exim service.
4. Verify the version with 'exim -bV'.

🔧 Temporary Workarounds

Disable STARTTLS (linux)

Temporarily disable the STARTTLS feature to prevent exploitation. Note that this also removes opportunistic TLS for inbound SMTP, so mail to this server is accepted in plaintext until the patch is applied.

Edit the Exim configuration and set 'tls_advertise_hosts =' to an empty value, or comment out the STARTTLS options.

Network filtering (linux)

Block or restrict access to the SMTP port from untrusted networks (replace untrusted_network with the address or CIDR range to block):

iptables -A INPUT -p tcp --dport 25 -s untrusted_network -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to limit SMTP access
  • Enable comprehensive logging and monitoring for SMTP anomalies

🔍 How to Verify

Check if Vulnerable:

Check the Exim version with 'exim -bV'. If the version is 4.94.2 or earlier and STARTTLS is enabled, the system is vulnerable.

Check Version:

exim -bV | grep 'Exim version'

Verify Fix Applied:

Verify that the version is 4.94.3 or later with 'exim -bV' and confirm that STARTTLS functionality still works properly.
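The version and STARTTLS checks above, combined into one script. This is an added example, not part of the original page or of the Exim project: it parses the output of 'exim -bV' and 'exim -bP tls_advertise_hosts' (both real Exim options), assumes 4.94.3 is the fixed version as the page states, and treats STARTTLS as enabled when tls_advertise_hosts is non-empty. The sample output embedded at the bottom is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the page or the Exim project): classify an Exim host's
# exposure to CVE-2021-38371 from 'exim -bV' and 'exim -bP tls_advertise_hosts'.
# Assumptions: fixed version is 4.94.3; STARTTLS counts as enabled when
# tls_advertise_hosts has a non-empty value.

FIXED_VERSION="4.94.3"

# Pull "4.94.2" out of the first line of 'exim -bV', which reads
# "Exim version 4.94.2 #2 built ...". Prints nothing if no such line exists.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: return 0 when dotted version A >= B.
# Compared component by component, so 4.94.10 > 4.94.3 and 4.95 > 4.94.3;
# a missing component counts as 0 (4.94 < 4.94.3). Plain POSIX sh, no sort -V.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        # drop the leading component; when no dot remains the string is consumed
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# starttls_advertised LINE: return 0 when 'exim -bP tls_advertise_hosts'
# shows a non-empty host list (e.g. "tls_advertise_hosts = *").
starttls_advertised() {
    value=$(printf '%s' "${1#*=}" | tr -d '[:space:]')
    [ -n "$value" ]
}

# assess BV_OUTPUT TLS_LINE: print one of
#   patched     version is 4.94.3 or later
#   vulnerable  older version and STARTTLS advertised
#   unpatched   older version, STARTTLS not advertised (still patch it)
#   unknown     version line could not be parsed
assess() {
    ver=$(exim_version_from_bv "$1")
    if [ -z "$ver" ]; then echo unknown; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo patched; return 0; fi
    if starttls_advertised "$2"; then echo vulnerable; return 1; fi
    echo unpatched; return 1
}

# Constructed sample output standing in for a real host. On a live system use:
#   assess "$(exim -bV 2>/dev/null)" "$(exim -bP tls_advertise_hosts 2>/dev/null)"
SAMPLE_BV='Exim version 4.94.2 #2 built 03-May-2021 18:24:03
Copyright (c) University of Cambridge, 1995 - 2018'
SAMPLE_TLS='tls_advertise_hosts = *'

result=$(assess "$SAMPLE_BV" "$SAMPLE_TLS") || true
echo "sample host: $result"   # prints "sample host: vulnerable"
```

The exit status of assess mirrors the verdict (0 patched, 1 vulnerable or unpatched, 2 unknown), so it can be dropped into a fleet inventory loop or a compliance check without parsing the printed word.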

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMTP command sequences
  • STARTTLS negotiation failures
  • Unexpected response injections in mail logs

Network Indicators:

  • Abnormal SMTP traffic patterns
  • STARTTLS manipulation attempts
  • Unexpected command sequences on port 25/587

SIEM Query:

source="exim.log" AND ("STARTTLS" OR "SMTP injection")
