oss-sec mailing list archives

RE: Exim4 MTA CVEs assigned from ZDI


From: "zdi () trendmicro com" <zdi () trendmicro com>
Date: Fri, 29 Sep 2023 19:26:45 +0000

Hi,

The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for 
it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly 
disclose these bugs, at which time we were told, "you do what you do." If these bugs have been appropriately addressed, 
we will update our advisories with a link to the security advisory, code check-in, or other public documentation 
closing the issue.

Thanks,
The ZDI

-----Original Message-----
From: Solar Designer <solar () openwall com>
Sent: Friday, September 29, 2023 11:59 AM
To: oss-security () lists openwall com
Cc: ZDI Researcher Mailbox <zdi () trendmicro com>
Subject: Re: [oss-security] Exim4 MTA CVEs assigned from ZDI

Hi,

Thank you for posting this, Heiko!  Also thank you Markus for bringing this up in the other thread:

https://www.openwall.com/lists/oss-security/2023/09/29/3

I've attached plain text exports of the ZDI advisories to this message for archival.

Out of the Exim Bugzilla entries in Markus' message, only
https://bugs.exim.org/show_bug.cgi?id=3001 is currently open to the public, and it says:

Bug 3001 - infoleak in SPA authenticator, client

Comment 1 Jeremy Harris 2023-05-11 20:02:32 UTC

ZDI-CAN-17433 (Trend Micro)

A crafted SPA challenge from the server can cause the client
authenticator to read OOB; the data is then returned to the server.

Fix: validate the offset contained in the challenge, to avoid reading
past the end of the challenge data structure.

Vulnerable since at least 4.50, probably longer.

Comment 2 Heiko Schlittermann 2023-09-29 16:01:58 UTC

should be fixed in 04107e98d58efb69f7e2d7b81176e5374c7098a3

On Fri, Sep 29, 2023 at 06:06:11PM +0200, Heiko Schlittermann wrote:
> the ZDI assigned multiple CVEs to the Exim-MTA and published them
> recently:

> CVE             Link                                                       Exim-Bug
> ---------------+----------------------------------------------------------+-----------
> CVE-2023-42114  https://www.zerodayinitiative.com/advisories/ZDI-23-1468/  3001 fixed
> CVE-2023-42115  https://www.zerodayinitiative.com/advisories/ZDI-23-1469/  2999 fixed
> CVE-2023-42116  https://www.zerodayinitiative.com/advisories/ZDI-23-1470/  3000 fixed
> CVE-2023-42117  https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
> CVE-2023-42118  https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
> CVE-2023-42119  https://www.zerodayinitiative.com/advisories/ZDI-23-1473/

> The ZDI contacted us in June 2022. We asked about details but didn't
> get answers we were able to work with.

> Next contact with ZDI was in May 2023. Right after this contact we
> created project bug tracker entries for 3 of the 6 issues. 2 high-scored of
> them are fixed (OOB access). A minor-scored one (info leak) is fixed too.

> Fixes are available in a protected repository and are ready to be
> applied by the distribution maintainers.

Are distros allowed to make their updates public as soon as they can (presumably after requesting access to the 
protected repository)?

I suggest that you set a specific date/time e.g. in 2 days from now when both the Exim project will make the repo and 
the fixed bug entries (2999 and 3000) public _and_ distros will release updates.

> The remaining issues are debatable or miss information we need to fix
> them.

> We're more than happy to provide fixes for all issues as soon as we
> receive detailed information.

Are you actively requesting such information from ZDI now?

This looks like sloppy handling of these issues so far by both ZDI and Exim - neither team pinging the other for 10 
months, then Exim taking 4 months to fix even the 2 high-scored issues it did have sufficient info on.  What are you 
doing to improve the handling from this point on?

Thanks again,

Alexander
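The Bug 3001 entry quoted above describes a bug class rather than a specific code path: a challenge sent by the server carries an offset into its own bytes, and the client used that offset without checking it against the length of the message it actually received. The following is an added example, not Exim's SPA authenticator code and not from any poster in this thread. The message layout (a "NTLMSSP" signature, a type field, then a (length, offset) pair locating the target name) is a hypothetical simplification that only borrows the NTLM idea of descriptor pairs pointing into the same buffer; the function names are likewise invented for illustration.

```c
/* Added example (not Exim's code): the bug class behind Bug 3001, a
 * server-supplied offset inside an authentication challenge that is used
 * without checking it against the length of the message actually received.
 * The layout below is hypothetical and simplified. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAL_HDR_LEN 20          /* hypothetical fixed header size */
#define CHAL_TYPE_CHALLENGE 2

/* Hypothetical layout (little-endian):
 *   0.. 7  signature "NTLMSSP\0"
 *   8..11  message type (2 = challenge)
 *  12..13  target name length
 *  14..15  reserved
 *  16..19  target name offset, from the start of the message
 *  20..    payload, where the target name is supposed to live */

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: trusts length and offset straight from the wire.
 * A crafted challenge whose offset points past the end of the received
 * bytes makes the caller read out of bounds. Only ever call this on a
 * message that has already been validated. */
static const uint8_t *target_name_unchecked(const uint8_t *buf, size_t *len) {
    *len = rd16(buf + 12);
    return buf + rd32(buf + 16);
}

/* Hardened parser: every wire-derived value is checked against buflen
 * before it is turned into a pointer. Returns 0 on success, -1 otherwise. */
int parse_challenge_target(const uint8_t *buf, size_t buflen,
                           const uint8_t **name, size_t *name_len) {
    if (buf == NULL || buflen < CHAL_HDR_LEN) return -1;
    if (memcmp(buf, "NTLMSSP", 8) != 0) return -1;
    if (rd32(buf + 8) != CHAL_TYPE_CHALLENGE) return -1;
    size_t len = rd16(buf + 12);
    size_t off = rd32(buf + 16);
    /* Check the two bounds separately instead of testing off + len <= buflen:
     * with a 32-bit size_t the sum could wrap and pass the check. The name
     * must also not overlap the fixed header. */
    if (off < CHAL_HDR_LEN || off > buflen) return -1;
    if (len > buflen - off) return -1;
    *name = buf + off;
    *name_len = len;
    return 0;
}

/* Builds a challenge into out[] (capacity cap). The length and offset
 * fields are written exactly as given so that malformed messages can be
 * constructed for testing. Returns the message length, 0 on no space. */
size_t build_challenge(uint8_t *out, size_t cap, const char *name,
                       uint16_t len_field, uint32_t off_field) {
    size_t n = strlen(name);
    if (cap < CHAL_HDR_LEN + n) return 0;
    memset(out, 0, CHAL_HDR_LEN);
    memcpy(out, "NTLMSSP", 8);               /* includes the NUL */
    wr32(out + 8, CHAL_TYPE_CHALLENGE);
    wr16(out + 12, len_field);
    wr32(out + 16, off_field);
    memcpy(out + CHAL_HDR_LEN, name, n);
    return CHAL_HDR_LEN + n;
}

int main(void) {
    uint8_t msg[64];                          /* constructed sample messages */
    const uint8_t *name; size_t nlen;

    /* Well-formed: name "EXAMPLE" at offset 20, length 7. Both parsers agree,
     * which is why a missing check goes unnoticed in normal operation. */
    size_t mlen = build_challenge(msg, sizeof msg, "EXAMPLE", 7, CHAL_HDR_LEN);
    if (parse_challenge_target(msg, mlen, &name, &nlen) == 0)
        printf("checked:   %.*s\n", (int)nlen, name);
    name = target_name_unchecked(msg, &nlen);
    printf("unchecked: %.*s\n", (int)nlen, name);

    /* Crafted: offset far beyond the message. The unchecked variant would
     * return buf + 0x7fffffff; the checked one refuses. */
    mlen = build_challenge(msg, sizeof msg, "EXAMPLE", 7, 0x7fffffffu);
    if (parse_challenge_target(msg, mlen, &name, &nlen) != 0)
        printf("rejected: offset outside the received challenge\n");

    /* Crafted: offset in range but length runs past the end. */
    mlen = build_challenge(msg, sizeof msg, "EXAMPLE", 60, CHAL_HDR_LEN);
    if (parse_challenge_target(msg, mlen, &name, &nlen) != 0)
        printf("rejected: length exceeds remaining bytes\n");
    return 0;
}
```

The relevant design point is that `buflen`, the number of bytes actually received, is the only trusted quantity; both descriptor fields are compared against it before any pointer is formed, and the comparison is split so it cannot be defeated by integer wrap-around.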
