Multiple Vulnerabilities (AKA 21Nails) in Exim

Severity: Critical
Product(s): Sophos Firewall XG, Sophos UTM
Publication ID: sophos-sa-20210504-exim-21nails
Article Version: 1
Workaround: Yes

Overview

On May 4, 2021, Qualys released a security advisory disclosing multiple CVEs for the Exim mailer software, a widely used open-source message transfer agent (MTA). These vulnerabilities can be triggered by local and remote attackers, and have been fixed in Exim version 4.94.2. If exploited, these vulnerabilities may lead to remote code execution (RCE).

Sophos Firewall customers not licensed for email protection, and those using legacy mode (transparent email proxy) for email, are not vulnerable.

SG UTM customers not using email protection are not vulnerable.

Applies to the following Sophos product(s) and version(s)

  • Sophos Firewall
  • Sophos SG UTM

Remediation

  • Sophos Firewall
    • A hotfix for SFOS v18.5 and 18.0 was distributed and applied on May 7, 2021
    • A hotfix for SFOS v17.5 MR4 and newer was distributed and applied on May 11, 2021
  • SG UTM
    • An update to SG UTM v9.705 was distributed on May 12, 2021 (v9.705-7)
    • An update to SG UTM v9.706 was distributed on May 13, 2021 (v9.706-9)
  • Sophos always recommends that customers upgrade to the latest available version of Sophos Firewall and SG UTM

Workaround

Sophos Firewall customers can switch to legacy mode under Email → General settings → SMTP deployment mode → Switch to legacy mode. Be aware that certain deployment scenarios are not compatible with legacy mode.

Other Mitigation Options

The network security team at SophosLabs has released the following IPS signatures to Sophos Firewall devices in response to the Exim disclosures:

TYPE                    NAME          CVE
XG SFOS IPS Signature   SID:2305451   CVE-2020-28021
XG SFOS IPS Signature   SID:2305452   CVE-2020-28026
XG SFOS IPS Signature   SID:2305453   CVE-2020-28026
XG SFOS IPS Signature   SID:2305454   CVE-2020-28025
XG SFOS IPS Signature   SID:2305459   CVE-2020-28019
XG SFOS IPS Signature   SID:2305460   CVE-2020-28019

Note that IPS does not filter traffic destined for the firewall itself.

Do I have the hotfix applied?

When the hotfix has been applied to Sophos Firewall, customers will see an alert in their dashboard with the text "Exim version upgraded to v4.94.2."
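The dashboard alert above is the check for Sophos Firewall. For Exim hosts that are administered directly, the equivalent check is whether the installed release is at or above the fixed version named in this advisory (4.94.2). The script below is an added example, not part of the Sophos advisory or the Exim project: it parses the first line of `exim -bV` output (the hostnames and build lines are constructed samples) and triages each host as patched, vulnerable, or unknown when no version string can be read.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed release named in the advisory: Exim 4.94.2 (21Nails fixes).
FIXED_VERSION = (4, 94, 2)

# Matches e.g. "Exim version 4.94.2 #2 built ..." or "Exim version 4.94 #2 ...".
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output, or None if absent.
    A release without a patch number (e.g. 4.94) is treated as patch 0."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch) if patch else 0)


def classify(bv_output: str) -> str:
    """'patched' if the version is >= 4.94.2, 'vulnerable' if older,
    'unknown' if no Exim version string could be parsed (e.g. command missing)."""
    v = parse_exim_version(bv_output)
    if v is None:
        return "unknown"
    return "patched" if v >= FIXED_VERSION else "vulnerable"


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to its patch status."""
    return {host: classify(output) for host, output in hosts.items()}


# Constructed sample: hostname -> first line returned by `exim -bV` on that host.
SAMPLE_HOSTS = {
    "mx1.example.test": "Exim version 4.94.2 #2 built 06-May-2021 10:12:33",
    "mx2.example.test": "Exim version 4.94 #2 built 03-Jun-2020 08:00:01",
    "mx3.example.test": "Exim version 4.92.3 #3 built 02-Oct-2019 14:05:17",
    "mx4.example.test": "Exim version 4.95 #2 built 29-Sep-2021 09:41:00",
    "relay.example.test": "sh: exim: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:<20} {status}")
```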

Related Information

https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

Updates

  • IPS signature information added for Sophos Firewall
  • Hotfix notification information added
  • Hotfixes for SFOS v18.x have been released
  • Hotfixes for SFOS v17.5 have been released
  • Update for SG UTM v9.705 has been released
  • Update for SG UTM v9.706 has been released