CVE-2010-4345 — Exim Privilege Escalation Vulnerability

CVE-2010-4345

Exim MTA — Alternate Configuration File Directive Enables Privilege Escalation from Exim User to Root

What is Exim?

Exim is a widely deployed open-source Mail Transfer Agent (MTA) for Linux and Unix systems, originally developed at the University of Cambridge. It is the default MTA on Debian and its derivatives and handles mail routing and delivery on a large share of internet-facing mail servers. The Exim binary is normally installed setuid root: it needs root to bind port 25, to write the spool, and to deliver into mailboxes owned by arbitrary local users. For most of its work it drops to an unprivileged run-time user (conventionally exim, or Debian-exim on Debian), but the binary starts as root every time it is invoked and decides at startup, based on who called it and which configuration file was requested, whether to keep that privilege. A weakness in that decision is therefore a path from the run-time user to root.

Overview

CVE-2010-4345 is a high-severity local privilege escalation (CVSS 3.1 7.8) in Exim 4.72 and earlier. Exim accepts an alternate configuration file on the command line with the -C option. Before 4.73, when the caller was the Exim run-time user (the account the daemon runs as, typically exim or Debian-exim), the setuid-root binary kept root privilege while reading the caller's configuration file. Because the configuration language can execute commands (string expansions such as ${run{...}}, pipe transports, system filters, embedded Perl), anyone who could run code as the Exim user could run code as root. In December 2010 this was the second step of an attack chain seen in the wild: CVE-2010-4344, a heap overflow reachable over SMTP, gave code execution as the Exim user, and CVE-2010-4345 turned that into root. CISA added both CVEs to its Known Exploited Vulnerabilities catalog on the same day in March 2022.

Affected Versions

Product Vulnerable Fixed
Exim 4.72 and earlier Affected Upgrade to Exim 4.73 or later, or to a distribution package that backports the fix

Technical Details

The escalation lies in how a setuid-root Exim decides whether to keep root after the -C (alternate configuration file) option is given. The configuration file is a rich text format: global options, string expansions, routers, transports, system filter and ACL definitions. Running with an alternate file is a legitimate feature for testing and debugging, so Exim allows -C, but when the caller is not root it is supposed to give up root immediately and continue as the calling user.

Before 4.73 that rule had one exception: the Exim run-time user was treated as trusted, so -C from that account kept root. An attacker who can write a file and run the Exim binary as that user invokes something like exim -C /path/to/attacker-controlled.conf, and Exim reads and applies the attacker's configuration while still running as root. A configuration under attacker control can define:

  • Global options whose values are expanded during startup with ${run{...}} or ${perl{...}}, which execute a program while Exim is still root (spool_directory was the option used in the wild)
  • perl_startup code and system filter rules that run arbitrary scripts
  • Pipe transports and other delivery handlers that spawn attacker-controlled commands

Since the process is still root when these are evaluated, the commands run as root: root code execution from an account that only has Exim-user access. Exim 4.73 inverted the trust: -C from anyone but root drops privilege unless the named file is listed in a root-owned, build-time TRUSTED_CONFIG_LIST, is owned by root or the Exim user, and is not writable by other users.

In the two-CVE attack chain seen in the wild:

  1. An unauthenticated remote attacker exploits CVE-2010-4344 to gain code execution as the Exim user via SMTP
  2. The attacker then uses CVE-2010-4345 to escalate from the Exim user to root by creating a malicious Exim configuration and invoking Exim with -C
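The decision described above, as an added example written for this page (not Exim source code): a model of whether a setuid-root Exim keeps root for a -C invocation before and after the 4.73 change, plus a triage scanner that flags the command-executing directives listed above in a staged configuration. The uid 101, the config paths and the sample configuration are constructed assumptions, and the ownership/permission test is a simplification of Exim's real check.

```python
"""Model of the -C privilege decision in Exim before and after the 4.73 fix,
plus a triage scanner for command-executing directives in a staged alternate
configuration. Added example for this page; not Exim source code, and the
permission check is simplified (see comments)."""
import re
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass
class ConfigFile:
    path: str
    text: str
    owner_uid: int
    mode: int          # permission bits as in st_mode, e.g. 0o644


@dataclass
class EximBuild:
    version: tuple                                   # e.g. (4, 72)
    default_config: str = "/etc/exim4/exim4.conf"    # assumed CONFIGURE_FILE
    exim_uid: int = 101                              # assumed uid of the run-time user
    trusted_config_list: tuple = ()                  # paths from TRUSTED_CONFIG_LIST (4.73+)


def retains_root(build, caller_uid, cfg):
    """True if the setuid-root binary keeps root for `exim -C cfg.path`
    when invoked by caller_uid."""
    if caller_uid == ROOT_UID or cfg.path == build.default_config:
        return True                          # root, or no real alternate file
    if build.version < (4, 73):
        # Pre-4.73: the Exim run-time user was trusted with any file.
        return caller_uid == build.exim_uid
    # 4.73+: only the Exim user, only for a listed file, and only if the file
    # cannot be modified by unprivileged users (simplified here to "owned by
    # root or the Exim user and not group/world writable").
    writable_by_others = bool(cfg.mode & (stat.S_IWGRP | stat.S_IWOTH))
    return (caller_uid == build.exim_uid
            and cfg.path in build.trusted_config_list
            and cfg.owner_uid in (ROOT_UID, build.exim_uid)
            and not writable_by_others)


# Directives that let a configuration file run commands. A hit is a reason to
# look, not a verdict: legitimate configurations use pipe transports too.
EXEC_PATTERNS = {
    "run expansion":  re.compile(r"\$\{run\{"),
    "perl expansion": re.compile(r"\$\{perl\{"),
    "perl_startup":   re.compile(r"^\s*perl_startup\s*=", re.M),
    "system_filter":  re.compile(r"^\s*system_filter\s*=", re.M),
    "pipe transport": re.compile(r"^\s*driver\s*=\s*pipe\b", re.M),
}


def exec_directives(text):
    """Names of command-executing directives present in a config text."""
    return sorted(name for name, rx in EXEC_PATTERNS.items() if rx.search(text))


# Constructed sample: a minimal alternate config of the kind an attacker would
# stage in a world-writable directory. spool_directory is expanded during
# startup, so whatever ${run{...}} executes inherits Exim's uid at that moment.
# /usr/bin/id stands in for a real payload.
STAGED_TEXT = """\
spool_directory = ${run{/usr/bin/id}}
primary_hostname = example.invalid
"""
STAGED = ConfigFile(path="/tmp/staged.conf", text=STAGED_TEXT,
                    owner_uid=101, mode=0o644)


def compare_releases():
    """Outcome of the same -C call from the Exim user on an old and a fixed build."""
    old = EximBuild(version=(4, 69))
    new = EximBuild(version=(4, 73),
                    trusted_config_list=("/etc/exim4/exim4.conf",))
    return {
        "4.69 keeps root": retains_root(old, 101, STAGED),
        "4.73 keeps root": retains_root(new, 101, STAGED),
        "flagged directives": exec_directives(STAGED.text),
    }


if __name__ == "__main__":
    for key, value in compare_releases().items():
        print(f"{key}: {value}")
```

Run stand-alone it reports that the 4.69 model keeps root for the staged file while the 4.73 model does not, and that the only flagged directive is the ${run{...}} expansion. The scanner is deliberately line-oriented so it can be pointed at any unexpected file that integrity monitoring turns up in the configuration directory.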

Discovery

The chain came to light through active exploitation rather than a research disclosure: on 2010-12-07 an administrator reported on the exim-dev mailing list that a server running Exim 4.69 had been compromised, and the recovered attack used the string_vformat heap overflow (CVE-2010-4344) to run code as the Exim user and then the -C alternate-configuration trick to become root. The two steps were complementary. CVE-2010-4344 alone yielded the Exim process user, which is not root in a normal deployment; the -C weakness gave a reliable escalation to root regardless of which account the daemon ran as. The overflow had already been fixed in Exim 4.70 (released in 2009), so only sites still on 4.69 or earlier were exposed to the full chain, while the -C escalation affected every release through 4.72 and was fixed in Exim 4.73.

Exploitation Context

The combination of CVE-2010-4344 and CVE-2010-4345 formed a particularly complete attack chain:

  • Complete compromise from the network: an attacker could chain the two bugs to go from unauthenticated SMTP access to a root shell in one sequence, with no credentials or prior foothold.
  • Defense evasion: the attacker's commands run as children of a legitimate, always-running system service, so process-tree and log review that expects Exim's activity to look like mail handling can miss them.
  • Web hosting impact: shared hosting servers typically run Exim for customer mail, so one compromise gave root over an environment potentially hosting thousands of customer sites and databases.
  • Post-compromise utility: Exim 4.70 through 4.72 fixed the overflow but not the -C escalation, so CVE-2010-4345 stayed useful as a local root escalation on any host where an attacker reached an Exim-user shell by other means.
  • Long-tail exploitation: Exim 4.69 and earlier persisted on shared hosting servers and network appliances well into the 2010s, keeping the full chain available for years after the patches.

Remediation

  1. Upgrade to Exim 4.73 or later: from 4.73, -C from any caller other than root drops root privilege unless the file is listed in the build-time TRUSTED_CONFIG_LIST, is owned by root or the Exim user, and is not writable by other users. Distribution packages backported this fix to older version numbers, so check the package changelog rather than the upstream version alone.
  2. Do not extend the Exim user's privileges: the binary has to stay setuid root for normal operation, so the mitigation is not to strip that bit but to make sure nothing else lets the Exim run-time user reach root. That means no sudo rules for that account, no configuration files writable by it, and on 4.73+ a TRUSTED_CONFIG_LIST (on Debian, /etc/exim4/trusted_configs) that is root-owned, not group- or world-writable, and lists only files that are themselves root-owned.
  3. Combine remediation with CVE-2010-4344: both vulnerabilities should be addressed together. Patching only one leaves a partial attack chain: CVE-2010-4344 alone provides Exim-user RCE; CVE-2010-4345 alone provides local-to-root escalation for any Exim-user access.
  4. Upgrade to a currently supported Exim release: 4.73 is itself very old. Current releases (4.97 and later) carry fixes for the many vulnerabilities found since 2010.
  5. File integrity monitoring and execution telemetry: watch the Exim configuration directory and the trusted list for unauthorized file creation or modification, which may indicate staging of a malicious alternate configuration, and alert when the Exim binary is executed with -C by the Exim user (for example an auditd execve rule on the binary path, then inspecting the argv in the EXECVE record), since a normal deployment almost never does that.
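The upgrade and trusted-list checks above, as an added host audit written for this page (not an Exim or distribution tool). The pure functions are the part worth keeping: version parsing from exim -bV, the setuid-root expectation, and the conditions under which a TRUSTED_CONFIG_LIST is safe to honour. The binary and list paths are Debian's and are assumptions; the "entries must live under the config directory" rule is a local policy check, not something Exim itself enforces.

```python
"""Offline-checkable core of a host audit for CVE-2010-4345: is the installed
Exim older than 4.73, is the binary setuid root (the expected state), and is
the TRUSTED_CONFIG_LIST file one Exim should trust? Added example for this
page, not an Exim or distribution tool. Paths are Debian's (assumption)."""
import os
import re
import stat
import subprocess

FIXED_IN = (4, 73)
EXIM_BINARY = "/usr/sbin/exim4"               # assumed; /usr/sbin/exim on other builds
TRUSTED_LIST = "/etc/exim4/trusted_configs"   # assumed Debian TRUSTED_CONFIG_LIST path
CONFIG_DIR = "/etc/exim4"                     # assumed


def parse_exim_version(bv_output):
    """Version tuple from `exim -bV` output, whose first line reads
    'Exim version 4.72 #1 built ...' -> (4, 72)."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("not exim -bV output")
    return tuple(int(x) for x in m.groups() if x is not None)


def version_vulnerable(version):
    """Upstream-version check only. Distribution packages backported the fix,
    so an old version with a patched package changelog is a false positive."""
    return version < FIXED_IN


def setuid_root(mode, owner_uid):
    """Exim is expected to be setuid root; this confirms the state in which
    the -C decision matters at all."""
    return owner_uid == 0 and bool(mode & stat.S_ISUID)


def trusted_list_problems(owner_uid, mode, entries, config_dir=CONFIG_DIR):
    """Reasons a TRUSTED_CONFIG_LIST should not be trusted: the first two
    are conditions Exim applies to the list itself, the third is local policy
    (an assumption for this example: every listed file lives under config_dir)."""
    problems = []
    if owner_uid != 0:
        problems.append("list not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("list is group/world writable")
    prefix = config_dir.rstrip("/") + "/"
    for line in entries:
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if not path.startswith(prefix):
            problems.append(f"entry outside {config_dir}: {path}")
    return problems


def audit_live_host():
    """Run the checks against the real system (requires Exim to be installed)."""
    out = subprocess.run([EXIM_BINARY, "-bV"], capture_output=True, text=True).stdout
    version = parse_exim_version(out)
    st = os.stat(EXIM_BINARY)
    report = {
        "version": version,
        "version_vulnerable": version_vulnerable(version),
        "setuid_root": setuid_root(st.st_mode, st.st_uid),
    }
    if os.path.exists(TRUSTED_LIST):
        tl = os.stat(TRUSTED_LIST)
        with open(TRUSTED_LIST) as fh:
            report["trusted_list_problems"] = trusted_list_problems(
                tl.st_uid, tl.st_mode, fh.readlines())
    else:
        # No list at all is the safe state on 4.73+: every non-root -C drops root.
        report["trusted_list_problems"] = []
        report["trusted_list"] = "absent"
    return report


if __name__ == "__main__":
    for key, value in audit_live_host().items():
        print(f"{key}: {value}")
```

A version_vulnerable result of True on a distribution-packaged Exim is a prompt to read the package changelog, not a finding on its own; the trusted-list checks, by contrast, describe the live configuration and stand regardless of how the fix arrived.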

Key Details

Property Value
CVE ID CVE-2010-4345
Vendor / Product Exim — Exim
NVD Published 2010-12-14
NVD Last Modified 2025-10-22
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity HIGH
CISA KEV Added 2022-03-25
CISA KEV Deadline 2022-04-15
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date Event
2009-11 Exim 4.70 released, fixing the string_vformat heap overflow later assigned CVE-2010-4344
2010-12-07 Active exploitation of an Exim 4.69 server reported on the exim-dev mailing list; the recovered attack chained CVE-2010-4344 (heap overflow) with the -C privilege escalation (CVE-2010-4345)
2010-12-14 CVE-2010-4345 published
2011-01 Exim 4.73 released with the TRUSTED_CONFIG_LIST hardening, fixing CVE-2010-4345
2022-03-25 CISA added CVE-2010-4345 to the KEV catalog alongside CVE-2010-4344
2022-04-15 CISA BOD 22-01 remediation deadline

References

Resource Type
NVD — CVE-2010-4345 Vulnerability Database
CISA KEV Catalog Entry US Government