Exim Security
Exim's security is discussed at length in “Chapter 52 - Security considerations” of The Exim Specification, which also includes suggested hardening steps.
Vulnerability History
Note that a "remote code execution as Exim run-time user" vulnerability can be combined with a privilege escalation attack to become even more serious.
- CVE-2011-1764 fixed in 4.76, introduced in 4.70: format string attack in DKIM processing. Impact: remote code execution as Exim run-time user. Bugzilla 1106.
- CVE-2011-1407 fixed in 4.76, introduced in 4.70: flaw in handling DKIM DNS records. Impact: remote code execution as Exim run-time user
- CVE-2011-0017 fixed in 4.73: return values of setuid()/setgid() not checked; only an issue on Linux. Impact: privilege escalation from Exim run-time user to root
- CVE-2010-4345 fixed in 4.73: Exim privilege escalation from Exim run-time user to root via configuration overrides
- CVE-2010-2023 fixed in 4.72: hardlink attack via sticky mbox directory. Impact: overwrite files of target user on same partition as mbox directory. Bugzilla 988.
- CVE-2010-2024 fixed in 4.72: symlink attack in /tmp for MBX locking algorithm. Bugzilla 989.
- CVE-2010-4344 fixed in 4.70: buffer overflow in string_format(). Impact: remote code execution as Exim run-time user. Bugzilla 787.
