ail Vulnerability: A Story of Swift Action and Unaffected SiteGround Customers
Picture this: a party, a toddler’s bedtime routine, a road trip. This is what three of our security engineers were doing that Saturday, September 30th, when suddenly their phones rang at the same time, albeit far from each other, cutting through the noise of the party, the silence of the routine, and the hum of the road, respectively. It was a report of a critical security issue with Exim, the mail server used by 56% of all mail servers on the internet, including SiteGround. Our three security engineers immediately cut their plans short to respond, a testament to our unwavering commitment to security.
Exim is like the mailman of the digital world, responsible for delivering your emails from one point to another. A problem with Exim could potentially mean serious problems for your emails, and not only that. To give you an idea of the scale, Exim is the most popular mail server in the world, used by over 342,000 mail servers. That’s over 56% of all mail servers on the internet. It’s the mail server software we rely on completely at SiteGround for the delivery of outbound messages and inbound mail for all of our customers.
Since email services are a crucial part of our hosting offering, used by the majority of our customers, we are constantly working to maintain the security, deliverability and reliability of our email. It all starts with a customization process, which is our usual approach for all software we use to ensure it best meets our customers’ needs, while giving us more control to keep it more secure and always up to date.
The Exim issue and SiteGround’s proactive response
The issue, labeled CVE-2023-42115, was in fact a combination of six different zero-day exploits against Exim. A zero-day exploit means that all servers using this particular configuration are at immediate risk. We received the report as soon as it was issued and immediately dove into all six issues to assess the risk to our customers.
The good news was that, since we heavily customize all the software on our servers, the particular parts of Exim that were affected aren’t even used on our servers. However, our work didn’t stop there. Here’s a breakdown of all the issues, why SiteGround customers were safe, and what we’ve done to make sure it stays that way.
Three of the reported Exim exploits are related to different types of email authentication, namely SPA/NTLM and EXTERNAL authentication. Simply put, they deal with proving to the mail server who you are and then allowing you to send emails. The new vulnerability meant that an attacker could craft a special request, use the security holes in the authentication mechanisms, and gain access to the server running Exim. Even more than that, the attacker could gain full access to the server – not just Exim as a mail server, but all the data residing on the server. On SiteGround servers, however, we do not use any of these authentication methods, so SiteGround customers were not affected.
The fourth exploit was related to a proxy issue, and was very similar in nature, and the fifth issue resided in a library called “libspf2”, used for certain checks related to email SPF records. Since we do not use proxies in front of our Exim mail servers at SiteGround, nor do we use the problematic library, we were not affected by this attack vector either.
The last issue was related to the way people perform DNS lookups. Many people simply use third-party DNS resolvers and cannot be sure if the DNS resolvers validate the data they receive. SiteGround uses our own DNS resolvers and we validate the data we receive. So this did not affect us either.
Overall, we were lucky with most of the attack vectors, but it took us a considerable amount of time to double- and triple-check each of those points. And of course, we went above and beyond.
There are generally two ways to approach a vulnerability. You can assess whether and how it affects you, and if it doesn’t, simply set it aside. The smarter way, however, is to think ahead: even if a particular vulnerability, or several of them, don’t directly affect you, be proactive about installing patches, so that if the issue develops further it doesn’t open the door to exploits that could affect you at a later stage.
So this is exactly what we did. Despite not being directly at risk from any of the vectors of this particular attack, our security engineers did not sit idly by. In addition to meticulously checking and testing all exploits to ensure they do not affect SiteGround servers, as soon as a new, more secure version of Exim was released (version 4.96.1), we immediately updated all of our Exim mail servers. It’s our way of ensuring your peace of mind and a testament to our proactive approach to security.
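The triage described above, first checking which of the affected Exim features a server actually has (SPA/NTLM and EXTERNAL authentication, proxy support, libspf2-based SPF checks) and then comparing the running version against the fixed release 4.96.1, can be turned into a small repeatable script. The following is an added example, not SiteGround’s own tooling or anything from the Exim project. It assumes that `exim -bV` prints an `Exim version` line plus `Support for:` and `Authenticators:` lines listing the compiled-in features by the names used here; the sample output embedded in it is constructed for the example, not a capture from a real server. It only inspects build-time capabilities, so the question the article actually answers (are those features used in the running configuration?) and the DNS resolver point still need a manual review of the live config.

```python
"""Added triage example (not SiteGround's or Exim's code): parse `exim -bV`
output and flag the build-time features touched by the six issues grouped
under CVE-2023-42115, plus whether the version predates 4.96.1.

Assumptions (not stated on the page): the `-bV` line layout shown in the
constructed sample below, and the feature names "spa", "external", "PROXY",
"SPF" as they appear in that output.
"""

import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the `exim -bV` layout; not a real capture.
SAMPLE_BV = """\
Exim version 4.96 #2 built 12-Jun-2023 10:10:10
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC Event OCSP PRDR PROXY SOCKS SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch passwd
Authenticators: cram_md5 dovecot plaintext spa external
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Configuration file is /etc/exim4/exim4.conf
"""

FIXED_VERSION = (4, 96, 1)  # the release the article says SiteGround rolled out

# Compiled-in feature -> which of the article's attack surfaces it maps to.
# Being compiled in is only a first filter: the article's point is that the
# affected parts were present but *not used*, which only the runtime
# configuration can confirm.
RISK_FEATURES = {
    "spa": "SPA/NTLM authenticator (authentication issues)",
    "external": "EXTERNAL authenticator (authentication issues)",
    "PROXY": "proxy-protocol support (proxy issue)",
    "SPF": "libspf2-based SPF checks (libspf2 issue)",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'Exim version 4.96' or '4.96.1' into a comparable tuple of ints."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Exim version' line found")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_feature_lines(text: str) -> Dict[str, List[str]]:
    """Collect the tokens after 'Support for:' and 'Authenticators:'."""
    found: Dict[str, List[str]] = {"Support for": [], "Authenticators": []}
    for line in text.splitlines():
        for key in found:
            if line.startswith(key + ":"):
                found[key] = line.split(":", 1)[1].split()
    return found


def version_needs_update(version: Tuple[int, ...]) -> bool:
    """Tuple comparison orders 4.96 before 4.96.1: (4, 96) < (4, 96, 1)."""
    return version < FIXED_VERSION


def triage(bv_output: str) -> Dict[str, object]:
    """Summarise which article-listed surfaces this build carries."""
    version = parse_version(bv_output)
    feats = parse_feature_lines(bv_output)
    built_in = set(feats["Support for"]) | set(feats["Authenticators"])
    present = {f: d for f, d in RISK_FEATURES.items() if f in built_in}
    return {
        "version": version,
        "needs_update": version_needs_update(version),
        "compiled_in_risk_features": present,
        # The DNS resolver point cannot be read from -bV at all; it depends on
        # which resolver the host uses and whether that resolver validates.
        "manual_checks": [
            "runtime use of spa/external authenticators, proxy, SPF conditions",
            "DNS resolver validation",
        ],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BV)
    ver = ".".join(map(str, report["version"]))
    state = "update to 4.96.1 or later" if report["needs_update"] else "at or past 4.96.1"
    print(f"Exim {ver}: {state}")
    for name, desc in report["compiled_in_risk_features"].items():
        print(f"  built with {name}: {desc} -> confirm it is unused in the live config")
    for item in report["manual_checks"]:
        print(f"  manual check still required: {item}")
```

Run it against real `exim -bV` output by replacing `SAMPLE_BV`; a feature that shows up as compiled in is a prompt to read the actual configuration, not a finding on its own, which mirrors the distinction the article draws between software that ships a component and a server that relies on it.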
Concluding
We hope this article helps you u