oss-sec mailing list archives

Multiple Exim4 Zero Days


From: Markus Gschwendt <office+osssecurity () runout at>
Date: Fri, 29 Sep 2023 15:59:09 +0200

I bring this up as I have not yet seen any information here about
several CVEs related to Exim Mailserver which were published by ZDI on
2023-09-27 [1]:

* CVE-2023-42114 [CVSS 3.7]
* CVE-2023-42115 [CVSS 9.8]
* CVE-2023-42116 [CVSS 8.1]
* CVE-2023-42117 [CVSS 8.1]
* CVE-2023-42118 [CVSS 7.5]
* CVE-2023-42119 [CVSS 3.1]

There also seem to be issues in Exim's bug tracker related to those:
https://bugs.exim.org/show_bug.cgi?id=2999
https://bugs.exim.org/show_bug.cgi?id=3000
https://bugs.exim.org/show_bug.cgi?id=3001
https://bugs.exim.org/show_bug.cgi?id=3002
https://bugs.exim.org/show_bug.cgi?id=3003

According to ZDI the original reports were sent in June 2022.

I'm wondering if somebody knows anything about mitigations and/or why
there are still no fixes for these issues after more than a year.

Markus

[1] https://www.zerodayinitiative.com/advisories/published/
    search for exim
