Introduction

@todb has a great write-up of the “Exim BDAT Use-After-Free (CVE-2017-16943)” vulnerability over on the Rapid7 Blog. Go there. Come back. We’ll wait.

We can quantify the exposure a bit.

Rapid7 has three separate scans for mail servers. These are on ports 25, 465 and 587.

Exim is just one of many mail server types on the internet, and our scans find over 2.3 million unique IPv4s hosting easily identifiable Exim servers.

This vulnerability requires a feature — CHUNKING — to be enabled, which we can also look for in the responses to our scans.

Here’s the breakdown of Exim servers — with CHUNKING enabled — found by each scan:

scan       n
smtps      147,647
starttls   139,060
subm       141,429

These scans are designed to catch SSL/TLS certificates for the discovered nodes but they slurp up the plaintext banners as well.

Of those 428,136 nodes, there are 178,125 unique IPv4s, so we’ll work with just the distinct hosts from now on.

Versions

These are the version summaries (trimmed to #.##, with “Other” for missing or unhelpful version strings):

version    n
4.89       118,581
4.88       59,168
Other      364
4.90       5
4.69       3
4.72       2
3.36       1
4.63       1
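To show how the counts above are derived from raw scan data (Exim identification from the 220 greeting, CHUNKING from the EHLO reply, de-duplication across ports, and version trimming to #.##), here is an added Python example; it is not Rapid7's scan code, and the records, hostnames and IPs it uses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample scan records (not Rapid7 data): (port, ip, 220 greeting, EHLO reply)
SAMPLE_RECORDS = [
    (25,  "192.0.2.10", "220 mail.example.test ESMTP Exim 4.89 Tue, 28 Nov 2017 10:00:00 +0000",
          "250-mail.example.test Hello scanner\r\n250-SIZE 52428800\r\n250-CHUNKING\r\n250 HELP\r\n"),
    (587, "192.0.2.10", "220 mail.example.test ESMTP Exim 4.89",                      # same host, 2nd port
          "250-mail.example.test Hello scanner\r\n250-CHUNKING\r\n250 HELP\r\n"),
    (25,  "192.0.2.20", "220 relay.example.test ESMTP Exim 4.88_1-5b7a7c0-XX",
          "250-relay.example.test Hello scanner\r\n250-CHUNKING\r\n250 HELP\r\n"),
    (465, "192.0.2.30", "220 old.example.test ESMTP Exim 4.72",                        # no CHUNKING
          "250-old.example.test Hello scanner\r\n250-PIPELINING\r\n250 HELP\r\n"),
    (25,  "192.0.2.40", "220 mx.example.test ESMTP Postfix",                           # not Exim
          "250-mx.example.test\r\n250-CHUNKING\r\n250 DSN\r\n"),
    (25,  "192.0.2.50", "220 weird.example.test ESMTP Exim unknown",                   # unhelpful version
          "250-weird.example.test\r\n250-CHUNKING\r\n250 HELP\r\n"),
]

EXIM_VERSION = re.compile(r"\bExim\s+(\d+\.\d+)")

def exim_version(banner):
    """'#.##' from an Exim 220 greeting, 'Other' if Exim but no usable version, None if not Exim."""
    if "exim" not in banner.lower():
        return None
    m = EXIM_VERSION.search(banner)
    return m.group(1) if m else "Other"

def advertises_chunking(ehlo):
    """True when the EHLO reply carries the CHUNKING keyword (RFC 3030),
    i.e. the server will accept BDAT commands."""
    for line in ehlo.splitlines():
        # reply lines look like "250-KEYWORD ..." or, for the last one, "250 KEYWORD"
        if line.startswith(("250-", "250 ")):
            if line[4:].strip().split(" ")[0].upper() == "CHUNKING":
                return True
    return False

def summarize(records):
    """Per-port Exim+CHUNKING hits, distinct hosts, and versions over distinct hosts (first seen wins)."""
    per_port, hosts = Counter(), {}
    for port, ip, banner, ehlo in records:
        version = exim_version(banner)
        if version is None or not advertises_chunking(ehlo):
            continue
        per_port[port] += 1
        hosts.setdefault(ip, version)
    return {"per_port": dict(per_port), "unique_hosts": len(hosts),
            "versions": dict(Counter(hosts.values()))}
```

On the sample records this yields four Exim+CHUNKING hits across ports but three distinct hosts, the same per-scan versus unique-IPv4 gap the real numbers show (428,136 versus 178,125).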

Country view

They are everywhere, too. Here’s a breakdown by country (you can search/filter):

Organization view

Here’s a similar breakdown by MaxMind-identified “organization” (which is not ideal but the results are interesting):

Country and Org view

This adds in counts by country and identified org to make it easier to drill down: