oss-sec mailing list archives
RCE in Exim reported
From: Phil Pennock <oss-security-phil () spodhuis org>
Date: Fri, 24 Nov 2017 22:59:12 -0500
In Post-Thanksgiving mail-catchup, I see that the Exim Project was gifted with a couple of surprises in our public bugtracker on Thursday morning. Complete with proof-of-concept small Python script. I've requested CVEs, don't have them yet. My mail to our announce list: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html Remote code execution in the first vulnerability, getting execution as the Exim run-time user. A complete mitigation is to disable advertising the CHUNKING extension, in which case an attempt to use the BDAT verb should result in: 503 BDAT command used when CHUNKING not advertised The instructions I wrote in the mail to our announce-list, were: } With immediate effect, please apply this workaround: if you are running } Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main } section of your Exim configuration, set: } } chunking_advertise_hosts = } } That's an empty value, nothing on the right of the equals. This } disables advertising the ESMTP CHUNKING extension, making the BDAT verb } unavailable and avoids letting an attacker apply the logic. Chunking support was introduced with Exim 4.88; the current release is 4.89, 4.90 is in RC series now, it looks like a 2-line fix (written by Jeremy Harris) is probably right for the first issue. Public bugtracker links: https://bugs.exim.org/show_bug.cgi?id=2199 https://bugs.exim.org/show_bug.cgi?id=2201 -Phil
Attachment:
signature.asc
Description: Digital signature
Current thread:
- RCE in Exim reported Phil Pennock (Nov 24)
- Re: RCE in Exim reported Phil Pennock (Nov 24)
- Re: RCE in Exim reported Phil Pennock (Nov 25)
- Re: RCE in Exim reported Leo Famulari (Nov 26)
- Re: RCE in Exim reported Heiko Schlittermann (Nov 26)
- Re: RCE in Exim reported Leo Famulari (Nov 26)
- CVE-2017-16943 CVE-2017-16944 (Was:RCE in Exim reported) Heiko Schlittermann (Nov 28)