Exim's Mail Vulnerability: A Tale of Swift Action and Unaffected SiteGround Clients
Picture this: a lively party, a toddler’s bedtime routine, a road trip – this is what three of our security engineers were in the middle of on that particular Saturday, September 30th. Suddenly, their phones beep in unison, even though they are far apart, cutting through the noise of the party, the hush of the nursery, and the hum of the highway, respectively. It’s a report of a critical security issue with Exim, the mail server software used by 56% of all mail servers on the internet, including SiteGround’s. Despite their different settings, all three of our security engineers dropped their plans immediately, summoned for a response – a testament to our unwavering commitment to security.
What’s Exim and Why Should We Care?
Exim is like the mailman of the digital world, responsible for delivering your emails from one point to another. An issue with Exim could potentially mean serious trouble for your emails, and not only for them. To give you an idea of the scale, Exim is the most popular mail server in the world, used by more than 342,000 mail servers. That’s over 56% of all mail servers on the internet. Naturally, it’s the mail server software we at SiteGround rely on entirely for delivering outgoing messages and receiving incoming mail for all our customers.
Given that email services are a crucial part of our hosting offering, used by the majority of our clients, we work continuously on maintaining our email security, deliverability, and reliability. It all starts with a heavy customization process, our usual approach to all software we use: it makes sure the software meets our clients’ needs better, while giving us more control to keep it extra secure and always up to date.
The Exim Issue and SiteGround’s Proactive Response
The problem, tagged as CVE-2023-42115, was in fact a combination of six different zero-day exploits against Exim. A zero-day exploit targets a flaw for which no patch yet exists, so all servers using the affected configuration are immediately at risk. We got the report as soon as it was issued and immediately dived into all six issues to assess the risk for our clients.
The good news was that, since we heavily customize all software on our servers, the affected parts of Exim are not even used on our servers. However, our work did not stop there. Here is a breakdown of all the issues, why SiteGround clients were safe, and what we did to ensure they remain so.
Three of the reported Exim exploits related to different types of email authentication, namely SPA/NTLM and EXTERNAL auth. Simply put, these mechanisms deal with proving to the mail server who you are before it allows you to send emails. The new vulnerabilities meant that an attacker could craft a special request, use the security holes in these authentication mechanisms, and gain access to the server running Exim. Even worse, the attacker could gain full access to the server – not only to Exim as a mail server but to all data residing on the server. On SiteGround servers, however, we don’t use any of these authentication methods, so SiteGround clients were not affected.
The fourth exploit was related to a proxy problem and was very similar in nature, and the fifth issue resided in a library called “libspf2”, used for certain checks related to email SPF records. Since we don’t use proxies in front of our Exim mail servers at SiteGround, nor do we use the problematic library, we were not affected by these attack vectors either.
The last problem was related to how DNS lookups are performed. Many operators simply use third-party DNS resolvers and cannot be sure whether those resolvers validate the data they return. SiteGround runs its own DNS resolvers and validates the data we receive, so this did not affect us either.
All in all, we were fortunate with most of the attack vectors, but it took us a substantial amount of time to double- and triple-check every one of those points. And, of course, we went beyond that.
Usually, there are two ways to go about a vulnerability. You assess if and how it affects you, and if it does not, you can simply wave it off and sit this one out. The smarter way, though, is to think ahead: even if a particular vulnerability, or a number of them, does not directly affect you, be proactive about installing the patches anyway, to be safe in case the issue develops and opens the door to further exploits that could turn out to affect you at a later stage.
So this is exactly what we did – despite not being directly at risk from any of the vectors of this particular attack, our security engineers didn’t just sit back. In addition to meticulously checking and testing all the exploits to make sure they do not affect SiteGround servers, as soon as a new, safer version of Exim was released (version 4.96.1), we immediately upgraded all our Exim mail servers. It’s our way of ensuring your peace of mind, and a testament to our proactive approach to security.
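As an added example (not SiteGround’s tooling and not from the Exim project), the check below parses `exim -bV` output for the build-time features named in the breakdown above and for the version the post says was rolled out. The sample output is constructed but follows the real `exim -bV` layout; mapping the DNS lookup issue to Exim’s dnsdb lookup type is my assumption.

```python
import re

# Constructed sample in the real `exim -bV` layout (not from a SiteGround server).
SAMPLE_BV = """Exim version 4.96 #2 built 19-Aug-2022 14:51:08
Support for: crypteq iconv() IPv6 PAM GnuTLS DKIM DNSSEC PROXY SOCKS SPF
Lookups (built-in): lsearch dbm dnsdb dsearch ldap mysql
Authenticators: cram_md5 dovecot external plaintext spa tls
"""

FIXED_VERSION = (4, 96, 1)  # the release the post says was rolled out
CAPABILITY_LINES = {"Support for", "Lookups (built-in)", "Authenticators"}

# check name -> (line label, token, why the post cares about it)
CHECKS = {
    "spa_ntlm_auth": ("Authenticators", "spa", "SPA/NTLM authenticator is compiled in"),
    "external_auth": ("Authenticators", "external", "EXTERNAL authenticator is compiled in"),
    "proxy_protocol": ("Support for", "PROXY", "PROXY protocol support is compiled in"),
    "libspf2": ("Support for", "SPF", "SPF checks via libspf2 are compiled in"),
    # Assumption: the post's "DNS lookup" issue maps to Exim's dnsdb lookup type.
    "dnsdb_lookup": ("Lookups (built-in)", "dnsdb", "dnsdb lookup is compiled in"),
}

def parse_bv(text):
    """Return the version as a tuple plus a token set per capability line."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", line)
        if m:
            info["version"] = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
            continue
        label, sep, rest = line.partition(":")
        if sep and label in CAPABILITY_LINES:
            info[label] = set(rest.split())
    return info

def triage(text):
    """Return (check, detail) pairs; an empty list means nothing the post names is present."""
    info = parse_bv(text)
    findings = []
    version = info.get("version")
    if version is None:
        findings.append(("version", "could not read the Exim version line"))
    elif version < FIXED_VERSION:
        findings.append(("version", "Exim %d.%d.%d is older than 4.96.1" % version))
    # Compiled-in is only the precondition: the feature must also be enabled in the
    # runtime configuration before it is reachable, so confirm each hit against the config.
    for check, (label, token, why) in CHECKS.items():
        if token in info.get(label, set()):
            findings.append((check, why))
    return findings
```

Run it on a live host with `triage(subprocess.check_output(["exim", "-bV"], text=True))`, then confirm any hit against the runtime configuration (`exim -bP authenticators` lists the authenticators actually configured).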
Wrapping Up
We hope this post helps you understand our approach to security through the lens of a recent, real-life serious issue with a piece of software used by half of the mail servers on the internet. Rest assured, at SiteGround, we’re always ready to leap into action for any potential issue that could affect your data. We’re committed to keeping your data safe and your mind at ease. If you have any questions or concerns, we’re here for you. Thanks for sticking with us, and here’s to staying safe and secure with SiteGround.
Comments (8)
crimpsy
Absolutely, SiteGround's unwavering commitment to security shines through in this post. It's reassuring to see your proactive approach in addressing the real-life challenges faced by half of the internet servers. Your dedication to safeguarding our data and ensuring peace of mind is truly commendable. Knowing that SiteGround is always prepared to tackle potential issues speaks volumes about your reliability and customer-centric focus. Thank you for prioritizing our security and for being a steadfast partner in our online journey. Here's to staying safe and secure, all thanks to SiteGround's vigilant efforts! 🌟🔒 #SafetyFirst #SiteGroundSecurity #CustomerSatisfaction.
Gabriela Andonova Siteground Team
Thanks for your comment and for recognising our commitment to security! Keeping our customers safe online is our number one priority. We appreciate your trust in SiteGround and are here to help you every step of the way.
Randy
I appreciate SiteGround's dedication to security. I would, however, like to request that the ability to block TLDs such as .icu, .fun, etc. be added to the email spam software in the dashboard. The majority of spam email is coming from domains such as those, and it would be a great feature to block and discard all email coming from a domain if one chooses to do so. I have been working with support on this issue and currently there is no solution. Thanks!
Gabriela Andonova Siteground Team
Thank you for your feedback and suggestion to enhance our spam filtering capabilities, Randy. We value your input and understanding of the importance of security. We'll definitely consider this as a potential feature addition to further improve our services.
Teemu
Any plans for adding two-factor authentication to email accounts also? As I understand it, it's one of the first capabilities to be implemented for securing accounts/data.
Gabriela Andonova Siteground Team
Hey there, Teemu! Thanks for the suggestion. Two-factor authentication for email accounts is indeed on our roadmap. While we can't provide an exact ETA, stay tuned for updates on this security addition!
BHI
Thank you for being quick, thorough and proactive!
Gabriela Andonova Siteground Team
It's our pleasure! We're committed to providing the highest quality service to ensure the best experience for our customers. We appreciate your kind words!