RCE in Exim reported

[Phil Pennock <oss-security-phil () spodhuis org>]

In Post-Thanksgiving mail-catchup, I see that the Exim Project was
gifted with a couple of surprises in our public bugtracker on Thursday
morning.  Complete with proof-of-concept small Python script.

I've requested CVEs, don't have them yet.

My mail to our announce list:
  https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

Remote code execution in the first vulnerability, getting execution as
the Exim run-time user.

A complete mitigation is to disable advertising the CHUNKING extension,
in which case an attempt to use the BDAT verb should result in:

  503 BDAT command used when CHUNKING not advertised

The instructions I wrote in the mail to our announce-list, were:

} With immediate effect, please apply this workaround: if you are running
} Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
} section of your Exim configuration, set:
}
}   chunking_advertise_hosts =
}
} That's an empty value, nothing on the right of the equals. This
} disables advertising the ESMTP CHUNKING extension, making the BDAT verb
} unavailable and avoids letting an attacker apply the logic.

Chunking support was introduced with Exim 4.88; the current release is
4.89, 4.90 is in RC series now, it looks like a 2-line fix (written by
Jeremy Harris) is probably right for the first issue.

Public bugtracker links:

  https://bugs.exim.org/show_bug.cgi?id=2199
  https://bugs.exim.org/show_bug.cgi?id=2201

-Phil

Attachment: signature.asc
Description: Digital signature