(0Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability

cheers, t.

Reproducible: Always
This appears to be a massive mess. See the discussion at https://seclists.org/oss-sec/2023/q3/257.
04107e98d58efb69f7e2d7b81176e5374c7098a3 is not publicly available (or at least so it seems). Gentoo will have to wait until code patches become publicly available (or 4.97 to be released?).
The exim developers currently only release the patches upon request from the distro maintainers.
(In reply to Fabian Groffen from comment #2)
> 04107e98d58efb69f7e2d7b81176e5374c7098a3 is not publicly available (or at
> least so it seems). Gentoo will have to wait until code patches become
> publicly available (or 4.97 to be released?).

I don't see anything in my emails for private disclosure either, so dunno. I've asked ajak to take a look in case I'm missing something.

I'm really wondering if it's time to try to get rid of exim tbh :(
(In reply to Thomas Stein from comment #3)
> The exim developers currently only release the patches upon request from the
> distro maintainers.

Oh, okay. grobian, can you request them then?
Update from Dev: https://www.openwall.com/lists/oss-security/2023/10/01/4
(In reply to Sam James from comment #5)
> (In reply to Thomas Stein from comment #3)
> > The exim developers currently only release the patches upon request from the
> > distro maintainers.
>
> Oh, okay. grobian, can you request them then?

I did so once before and the verdict was that Exim doesn't support Gentoo, and also their embargo strategy (code fixes are only released after the supported distros have produced binaries with fixes) doesn't work well with us, because we obviously need code(-patches).

> I'm really wondering if it's time to try to get rid of exim tbh :(

This is not the place to discuss this IMO, but yes, unless upstream changes its tune soon, Exim has little to no place in this world any more, unfortunately. This is for many more reasons than just their way of handling (security) bugs.
(In reply to Fabian Groffen from comment #7)
> (In reply to Sam James from comment #5)
> > (In reply to Thomas Stein from comment #3)
> > > The exim developers currently only release the patches upon request from the
> > > distro maintainers.
> >
> > Oh, okay. grobian, can you request them then?
>
> I did so once before and the verdict was that Exim doesn't support Gentoo,
> and also their embargo strategy (code fixes are only released after the
> supported distros have produced binaries with fixes) doesn't work well with
> us, because we obviously need code(-patches).

Charming. Alright.

(The intention - and it's how we get patches for other vulnerabilities - would be to prepare an ebuild and test it but not push it immediately. Other projects are fine with that.)

Anyway, see:
1) https://www.openwall.com/lists/oss-security/2023/10/01/7
2) https://www.openwall.com/lists/oss-security/2023/10/02/3

although it doesn't seem to address every problem reported anyway.

> > I'm really wondering if it's time to try to get rid of exim tbh :(
>
> This is not the place to discuss this IMO, but yes, unless upstream changes
> its tune soon, Exim has little to no place in this world any more,
> unfortunately. This is for many more reasons than just their way of
> handling (security) bugs.

The reason I'm bringing it up here is precisely because of the security bug. But sure, I can bring up another bug. But it's not like it's tangential at all. We regularly have such discussions in the wake of security bugs.
Fixes are out: https://exim.org/static/doc/security/CVE-2023-zdi.txt.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8673898da41a5934c0b6124d53f36413e85a239

commit a8673898da41a5934c0b6124d53f36413e85a239
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2023-10-02 12:55:42 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2023-10-02 12:56:33 +0000

    mail-mta/exim-4.96.1: version bump for security

    Bug: https://bugs.gentoo.org/914923
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.96.1.ebuild | 655 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 657 insertions(+)
https://lists.exim.org/lurker/message/20231003.065235.a49af17d.en.html Gives me the impression the problems aren't really fixed, no response from Exim devs yet (but they didn't respond to the original email either).
Kind of a weird request, but is there a chance to get the fix backported to exim 4.94? Due to changes in how the config is evaluated, exim 4.96 basically just drops all my mails down the memory hole. I wrote my exim config 20 or so years ago and heck if I still understand it or know how to adapt it to work with whatever exim changed in 4.96.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c48d21f54a2936e6e443e8c12b048b5f167f55c3

commit c48d21f54a2936e6e443e8c12b048b5f167f55c3
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2023-10-15 20:10:51 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2023-10-15 20:10:51 +0000

    mail-mta/exim-4.96.2: version bump for security fixes

    Bug: https://bugs.gentoo.org/914923
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-mta/exim/Manifest           |   2 +
 mail-mta/exim/exim-4.96.2.ebuild | 655 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 657 insertions(+)
Definitely a bit of a mess here. There are 6 vulnerabilities in total, CVE-2023-4211{4..9}. All but one are for Exim, and those are all fixed in 4.96.2.

According to https://www.exim.org/static/doc/security/CVE-2023-zdi.txt:

"""
ZDI-23-1468 | ZDI-CAN-17433 | CVE-2023-42114 | Exim bug 3001
------------------------------------------------------------
Subject:    NTLM Challenge Out-Of-Bounds Read
CVSS Score: 3.7
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      04107e98d, >= 4.96.1, 4.97

ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999
------------------------------------------------------------
Subject:    AUTH Out-Of-Bounds Write
CVSS Score: 9.8
Mitigation: Do not offer EXTERNAL authentication.
Subsystem:  EXTERNAL auth
Fixed:      7bb5bc2c6, >= 4.96.1, 4.97

ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000
------------------------------------------------------------
Subject:    SMTP Challenge Stack-based Buffer Overflow
CVSS Score: 8.1
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      e17b8b0f1, >= 4.96.1, 4.97

ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
-------------------------------------------------------------
Subject:    Improper Neutralization of Special Elements
CVSS Score: 8.1
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Subsystem:  proxy protocol (not socks!)
Fix:        a355463cf, >= 4.96.2, 4.97

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     This CVE should be filed against libspf2.
            See: https://github.com/shevek/libspf2/issues/45

ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42119 | Exim Bug 3033
------------------------------------------------------------
Subject:    dnsdb Out-Of-Bounds Read
CVSS Score: 3.1
Mitigation: Use a trustworthy DNS resolver which is able to validate the data
            according to the DNS record types.
Subsystem:  dns lookups
Fix:        f6b1f8e7d, >= 4.96.2, 4.97
"""
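The advisory above pairs each CVE with a subsystem, a mitigation and a first fixed release, which is exactly what an admin wants to check on a box before deciding between "upgrade now" and "switch the feature off". The script below is an added example, not Exim's or Gentoo's code: it takes the running version and an Exim configuration dump and reports, per CVE, whether the affected subsystem is configured and whether the running version already carries the fix. It assumes the usual Exim configuration knobs for each subsystem (`driver = spa`, `driver = external`, a non-empty `hosts_proxy` for the PROXY protocol, the `spf`/`spf_guess` ACL conditions, `${lookup dnsdb{...}}`) and that `exim -bV` output starts with "Exim version <n>"; all sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example (not Exim's or Gentoo's code): audit a running Exim against the
# CVE-2023-4211{4..9} advisory. Assumptions: the config knobs named in the
# ADVISORY table below enable each subsystem, and `exim -bV` prints
# "Exim version <n> ...". Runs offline on constructed input.

# CVE|subsystem|ERE that shows the subsystem is configured|first Exim release with the fix
# "-" = no Exim release fixes it: CVE-2023-42118 lives in libspf2, so only dropping
# the spf/spf_guess ACL conditions (both call libspf2) or fixing libspf2 helps.
ADVISORY='
CVE-2023-42114|spa-auth|^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$|4.96.1
CVE-2023-42115|external-auth|^[[:space:]]*driver[[:space:]]*=[[:space:]]*external[[:space:]]*$|4.96.1
CVE-2023-42116|spa-auth|^[[:space:]]*driver[[:space:]]*=[[:space:]]*spa[[:space:]]*$|4.96.1
CVE-2023-42117|proxy-protocol|^[[:space:]]*hosts_proxy[[:space:]]*=[[:space:]]*[^[:space:]]|4.96.2
CVE-2023-42118|spf|^[[:space:]]*spf(_guess)?[[:space:]]*=|-
CVE-2023-42119|dnsdb|lookup[[:space:]]+dnsdb|4.96.2
'

# version_ge A B: succeed if dotted version A >= B (missing components count as 0),
# so 4.97 >= 4.96.2 and 4.96 < 4.96.1.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Pull the version number out of `exim -bV` output: "Exim version 4.96.1 #2 built ..." -> "4.96.1".
exim_version_from_bv() {
  sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_audit VERSION < config: print one line per advisory entry whose subsystem
# is configured, marking it fixed-in-running-version or EXPOSED.
exim_audit() {
  local ver="$1" cfg cve subsys re fixed
  # Drop comments first so a commented-out `driver = external` is not counted.
  cfg="$(sed 's/#.*$//')"
  printf '%s\n' "$ADVISORY" | while IFS='|' read -r cve subsys re fixed; do
    [ -n "$cve" ] || continue
    if printf '%s\n' "$cfg" | grep -Eq "$re"; then
      if [ "$fixed" = "-" ]; then
        echo "$cve $subsys EXPOSED (fix belongs in libspf2; drop the spf ACL condition meanwhile)"
      elif version_ge "$ver" "$fixed"; then
        echo "$cve $subsys fixed-in-running-version"
      else
        echo "$cve $subsys EXPOSED (upgrade to >= $fixed or disable the subsystem)"
      fi
    fi
  done
  return 0
}

# Constructed sample: a 4.96.1 host that still offers SPA/NTLM auth and sits behind
# a PROXY-protocol frontend, with EXTERNAL auth commented out.
SAMPLE_BV='Exim version 4.96.1 #2 built 02-Oct-2023 12:00:00'
SAMPLE_CFG='hosts_proxy = 203.0.113.0/24
# driver = external   <- commented out, must not count
begin authenticators
ntlm:
  driver = spa
  public_name = NTLM'

printf '%s\n' "$SAMPLE_CFG" | exim_audit "$(printf '%s\n' "$SAMPLE_BV" | exim_version_from_bv)"
```

On a real host replace the two constructed samples with `exim -bV` and `exim -bP config`; the sample run reports the two SPA CVEs as fixed in 4.96.1 and CVE-2023-42117 as still exposed, which matches the advisory's split between the 4.96.1 and 4.96.2 fix sets.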
Let's stable 4.96.2?
Exim 4.96.2 is ready for stable, I'm ok to fast-track its stabling.
thanks!
commit c11d2a7a9507bd2392e0c8c83e6719debbf18ab1
Author: Fabian Groffen <grobian@gentoo.org>
Date:   Fri Jan 12 12:56:22 2024 +0100

    mail-mta/exim: cleanup vulnerable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=885ac7b1a9d8098a326b2e38010dda5ab6534a71

commit 885ac7b1a9d8098a326b2e38010dda5ab6534a71
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 09:29:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 09:29:37 +0000

    [ GLSA 202402-18 ] Exim: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/914923
    Bug: https://bugs.gentoo.org/921520
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-18.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)