oss-sec mailing list archives
Re: RCE in Exim reported
From: Phil Pennock <phil.pennock () spodhuis org>
Date: Fri, 24 Nov 2017 23:35:23 -0500
On 2017-11-24 at 22:59 -0500, Phil Pennock wrote:
> A complete mitigation is to disable advertising the CHUNKING extension,
> in which case an attempt to use the BDAT verb should result in:
>
>     503 BDAT command used when CHUNKING not advertised

Note: some distributions only ship older versions of Exim, so emphasis on "introduced with Exim 4.88". If you have an older version, you're safe.

If you telnet to your mail-server on port 25 and issue the EHLO command, and look at the list of SMTP extensions offered, then the CHUNKING extension needs to be listed for you to be vulnerable.

Exim administratively blocks use of the BDAT verb in sessions where the CHUNKING extension was not advertized. Thus:

    chunking_advertise_hosts =

is a _complete_ workaround.

On older Exim, the BDAT verb (after MAIL and RCPT) should yield:

    500 unrecognized command

On safe Exim, it should yield:

    503 BDAT command used when CHUNKING not advertised

If you get a 2xx response to BDAT, and you're not using pipelined verbs and confusing the response to the MAIL verb with the response to the BDAT verb, then you haven't disabled CHUNKING.

Regards,
-Phil
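The check described in the message above, as an added Python example that is not part of the original post and is not Exim project code. The function names are hypothetical and the sample EHLO replies are constructed; the live check only issues EHLO against a mail server you administer.

```python
import smtplib

# Constructed sample EHLO replies (not captured from a real server).
SAMPLE_WITH_CHUNKING = (
    "250-mail.example.org Hello client.example.org [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250 HELP\r\n"
)
SAMPLE_WITHOUT_CHUNKING = SAMPLE_WITH_CHUNKING.replace("250-CHUNKING\r\n", "")


def advertised_extensions(ehlo_reply):
    """Return the set of extension keywords in a raw multi-line EHLO reply."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:  # first line is the greeting
        if line[:3] == "250" and line[3:4] in ("-", " ") and line[4:].strip():
            keywords.add(line[4:].split()[0].upper())
    return keywords


def chunking_advertised(ehlo_reply):
    """True when the server lists CHUNKING, the precondition named in the message."""
    return "CHUNKING" in advertised_extensions(ehlo_reply)


def classify_bdat_reply(code):
    """Map the reply code to BDAT (sent after MAIL and RCPT) to the cases in the message."""
    if code == 500:
        return "older Exim: BDAT is an unrecognized command"
    if code == 503:
        return "CHUNKING not advertised: BDAT refused"
    if 200 <= code <= 299:
        return "CHUNKING still enabled"
    return "inconclusive"


def server_advertises_chunking(host, port=25, timeout=10):
    """Live check: send EHLO to your own mail server and look for CHUNKING."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("chunking")


if __name__ == "__main__":
    print(chunking_advertised(SAMPLE_WITH_CHUNKING))
    print(chunking_advertised(SAMPLE_WITHOUT_CHUNKING))
```
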