CVE-2021-38371 Overview
CVE-2021-38371 is a response injection vulnerability affecting the STARTTLS feature in the Exim mail transfer agent (MTA) through version 4.94.2. This flaw allows attackers to exploit improper buffering during SMTP STARTTLS negotiation, enabling injection of arbitrary responses during MTA SMTP sending operations. The vulnerability undermines the security guarantees expected from TLS-encrypted email communications.
Critical Impact
Attackers can inject malicious responses during the STARTTLS negotiation phase, potentially compromising the integrity of email communications and enabling man-in-the-middle style attacks on mail servers.
Affected Products
- Exim through version 4.94.2
- All Exim MTA deployments utilizing STARTTLS functionality
- Systems running vulnerable Exim versions with SMTP relay capabilities
Discovery Timeline
- 2021-08-10 - CVE-2021-38371 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-38371
Vulnerability Analysis
This vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as injection. The flaw exists in how Exim handles the transition from plaintext to encrypted communication during the STARTTLS protocol handshake.
When an Exim server initiates an outbound SMTP connection and requests TLS encryption via STARTTLS, the vulnerable implementation fails to properly clear or handle buffered data. This creates a window where a malicious intermediary or compromised server can inject arbitrary SMTP responses that will be processed after the TLS handshake completes, effectively poisoning the encrypted session with pre-injected commands.
The attack surface is network-based and requires no authentication or user interaction. A successful exploit could allow an attacker to manipulate email routing, inject false server responses, or subvert the security properties that TLS is meant to provide.
Root Cause
The root cause of CVE-2021-38371 lies in improper input buffer management during the STARTTLS protocol transition. When Exim sends the STARTTLS command and awaits a response, the implementation does not adequately sanitize or discard any data that may have been buffered before the TLS session begins. This buffering issue allows pre-TLS injected data to be interpreted as legitimate post-TLS server responses.
The vulnerability is part of a broader class of STARTTLS implementation weaknesses documented by security researchers studying opportunistic encryption in email protocols. The fundamental design flaw is treating the plaintext and encrypted portions of the connection as a continuous trusted stream rather than distinct security contexts.
Attack Vector
The attack vector for this vulnerability involves a network-positioned adversary who can intercept or modify SMTP traffic between an Exim MTA and a remote mail server. The attack proceeds as follows:
The attacker positions themselves between the Exim server and its intended destination, commonly through DNS spoofing, BGP hijacking, or local network compromise. When Exim initiates an outbound SMTP connection and sends the STARTTLS command, the attacker's system replies with a valid "220 Ready to start TLS" response, followed by additional injected SMTP responses that Exim leaves in its input buffer.
Once TLS negotiation completes, Exim processes the buffered responses as if they had arrived through the encrypted channel. These injected responses could include fake acknowledgments, redirects, or other SMTP protocol elements that alter the behavior of the mail transfer. For detailed technical information, see the NoStartTLS Security Resource, which documents this class of vulnerabilities across multiple email implementations.
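As an added illustration (not Exim's code), the buffer-handling mistake described above reduced to a small Python model: a client reads the reply to its STARTTLS command and either carries leftover plaintext bytes into the TLS session (the flawed pattern) or treats any such bytes as tampering and refuses the upgrade (the corrected pattern). The function names and the captured byte strings are constructed for this example.

```python
from typing import Tuple


def read_smtp_reply(buf: bytes) -> Tuple[str, bytes]:
    """Consume one (possibly multi-line) SMTP reply from buf.

    Returns the reply text and whatever bytes remain unread. Per RFC 5321 a
    reply ends at the first line whose fourth character is a space; '-' marks
    a continuation line.
    """
    lines = []
    rest = buf
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            raise ValueError("incomplete SMTP reply")
        line, rest = rest[:nl], rest[nl + 2:]
        lines.append(line.decode("ascii", "replace"))
        if len(line) < 4 or line[3:4] == b" ":
            break
    return "\n".join(lines), rest


def vulnerable_starttls(buf: bytes) -> bytes:
    """Flawed pattern: keep leftover plaintext and replay it after TLS starts."""
    reply, leftover = read_smtp_reply(buf)
    if not reply.startswith("220"):
        raise RuntimeError("server declined STARTTLS")
    # Bug: whatever followed the 220 line in plaintext is handed to the
    # post-handshake reader as if it were the first TLS-protected reply.
    return leftover


def hardened_starttls(buf: bytes) -> bool:
    """Corrected pattern: proceed only if nothing follows the 220 reply."""
    reply, leftover = read_smtp_reply(buf)
    if not reply.startswith("220"):
        return False  # server declined STARTTLS
    # RFC 3207: discard all pre-TLS server state. A compliant server sends
    # nothing after its 220 until the handshake, so leftover bytes mean
    # an intermediary injected data and the session must be abandoned.
    return leftover == b""


# Constructed captures of what the client read before the TLS handshake.
BENIGN = b"220 Ready to start TLS\r\n"
INJECTED = b"220 Ready to start TLS\r\n250 injected-ok\r\n"
```

With the flawed handling, INJECTED yields a fake "250" reply that the client later attributes to the encrypted session; the hardened check rejects the same input.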
Detection Methods for CVE-2021-38371
Indicators of Compromise
- Unexpected SMTP response sequences in mail server logs, particularly during STARTTLS negotiation
- Anomalous buffered data detected in SMTP connection handling
- Email routing inconsistencies or unexplained delivery failures
- TLS handshake timing anomalies that suggest injection attempts
Detection Strategies
- Monitor Exim mail logs for unusual STARTTLS response patterns or unexpected multi-line responses
- Implement network-level inspection for SMTP traffic anomalies during TLS upgrade sequences
- Deploy SentinelOne Singularity to detect exploitation attempts targeting mail infrastructure
- Configure alerting for Exim processes exhibiting abnormal network communication patterns
Monitoring Recommendations
- Enable verbose SMTP logging on Exim servers to capture full protocol exchanges
- Implement SMTP protocol validation at the network perimeter to detect injection attempts
- Monitor for certificate validation failures or unexpected TLS negotiation behaviors
- Track Exim version deployments across the organization for vulnerability management
How to Mitigate CVE-2021-38371
Immediate Actions Required
- Upgrade Exim to the latest version that addresses the STARTTLS buffering vulnerability
- Review mail server configurations and disable opportunistic STARTTLS where strict TLS is preferred
- Implement DANE (DNS-based Authentication of Named Entities) to strengthen TLS validation
- Audit outbound SMTP connections for any signs of tampering or injection
Patch Information
Exim has released a security advisory addressing CVE-2021-38371. Organizations should consult the official Exim security advisory for specific patching guidance and version information. Debian-based systems should also review the Debian LTS Announcement for distribution-specific updates.
Administrators should verify their Exim version using exim -bV and compare against patched versions documented in the vendor advisory. The fix involves proper clearing of input buffers during the STARTTLS state transition.
Workarounds
- Configure Exim to require TLS for all connections using hosts_require_tls directives, eliminating STARTTLS negotiation
- Disable STARTTLS entirely and use implicit TLS on port 465 where supported
- Implement network segmentation to limit exposure of mail servers to potential attackers
- Use VPN or dedicated secure links between mail servers under your control
# Exim configuration to enforce mandatory TLS
# Add to exim.conf to mitigate STARTTLS vulnerabilities
# Main section: advertise STARTTLS to inbound clients and restrict ciphers
tls_advertise_hosts = *
tls_require_ciphers = HIGH:!aNULL:!MD5:!RC4
# hosts_require_tls is an smtp transport option, so it belongs on the
# remote_smtp transport (under "begin transports"), not in the main section
remote_smtp:
  driver = smtp
  hosts_require_tls = *
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


