Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 638772 (CVE-2017-16943, CVE-2017-16944) - <mail-mta/exim-4.89-r5: Multiple vulnerabilities including possible RCE
Summary: <mail-mta/exim-4.89-r5: Multiple vulnerabilities including possible RCE
Status: RESOLVED FIXED
Alias: CVE-2017-16943, CVE-2017-16944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL: https://lists.exim.org/lurker/message...
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-25 09:17 UTC by Fabian Groffen
Modified: 2018-03-06 19:39 UTC (History)
3 users (show)

See Also:
Package list:
=mail-mta/exim-4.89-r5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fabian Groffen gentoo-dev 2017-11-25 09:17:50 UTC
See https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html and the bugs that lead to it (most probably) https://bugs.exim.org/show_bug.cgi?id=2201 and https://bugs.exim.org/show_bug.cgi?id=2199                                      

CVEs requested, unless I'm reading it wrong, seems like this can cause a DoS, and possibly remote code execution.  Don't take my word for it, please.

The mentioned configuration change obviously can only be performed by our users.  

I am considering the possibility to hardcode the chunking_advertise_hosts setting to be empty somehow, and apply that in a revision to be stabled ASAP if @security agrees.  If there's another way (news item perhaps?), I'm all ears.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-11-25 13:33:25 UTC
Thanks, Phil also mentioned this on oss-sec

http://www.openwall.com/lists/oss-security/2017/11/25/2:
Date: Fri, 24 Nov 2017 22:59:12 -0500
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: oss-security@...ts.openwall.com
Subject: RCE in Exim reported

In Post-Thanksgiving mail-catchup, I see that the Exim Project was
gifted with a couple of surprises in our public bugtracker on Thursday
morning.  Complete with proof-of-concept small Python script.

I've requested CVEs, don't have them yet.

My mail to our announce list:
  https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

Remote code execution in the first vulnerability, getting execution as
the Exim run-time user.

A complete mitigation is to disable advertising the CHUNKING extension,
in which case an attempt to use the BDAT verb should result in:

  503 BDAT command used when CHUNKING not advertised

The instructions I wrote in the mail to our announce-list, were:

} With immediate effect, please apply this workaround: if you are running
} Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
} section of your Exim configuration, set:
}
}   chunking_advertise_hosts =
}
} That's an empty value, nothing on the right of the equals. This
} disables advertising the ESMTP CHUNKING extension, making the BDAT verb
} unavailable and avoids letting an attacker apply the logic.

Chunking support was introduced with Exim 4.88; the current release is
4.89, 4.90 is in RC series now, it looks like a 2-line fix (written by
Jeremy Harris) is probably right for the first issue.

Public bugtracker links:

  https://bugs.exim.org/show_bug.cgi?id=2199
  https://bugs.exim.org/show_bug.cgi?id=2201

-Phil
Comment 2 Fabian Groffen gentoo-dev 2017-11-25 14:34:22 UTC
The latest report says that their PoC patch seems to mitigate the issue, that said I'll wait a bit for that to see if it can be used straight away.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-11-26 13:28:16 UTC
bugs.exim.org/2199 :
  Use-after-free remote-code-execution
  CVE-2017-16943

bugs.exim.org/2201 :
  stack-exhaustion remote DoS
  CVE-2017-16944
Comment 4 Larry the Git Cow gentoo-dev 2017-11-26 13:40:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b23d30e4db6a6e345bca3fb0a47321598aab306

commit 1b23d30e4db6a6e345bca3fb0a47321598aab306
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2017-11-26 13:40:28 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-11-26 13:40:28 +0000

    mail-mta/exim: add patch for CVE-2017-16943, bug #638772
    
    Bug: https://bugs.gentoo.org/638772
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-mta/exim/Manifest                             |   6 +-
 mail-mta/exim/exim-4.89-r4.ebuild                  | 531 +++++++++++++++++++++
 mail-mta/exim/files/exim-4.89-CVE-2017-16943.patch |  40 ++
 3 files changed, 574 insertions(+), 3 deletions(-)}
Comment 5 Larry the Git Cow gentoo-dev 2017-11-29 08:50:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7434ec7eeb4b4be5cd53cebba9576f940b076e9

commit e7434ec7eeb4b4be5cd53cebba9576f940b076e9
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2017-11-29 08:50:07 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2017-11-29 08:50:07 +0000

    mail-mta/exim: add patch for CVE-2017-16944, bug #638772
    
    Original patch is slightly adjusted to the 4.98 codebase in order to
    apply.
    
    Bug: https://bugs.gentoo.org/638772
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 .../{exim-4.89-r4.ebuild => exim-4.89-r5.ebuild}   |  1 +
 mail-mta/exim/files/exim-4.89-CVE-2017-16944.patch | 57 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)}
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 12:07:45 UTC
@ Arches,

please test and mark stable: =mail-mta/exim-4.89-r5
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:54:26 UTC
x86 stable
Comment 8 Fabian Groffen gentoo-dev 2017-11-30 10:37:04 UTC
FYI: 4.89.1 which is now in the tree includes:
- CVE-2017-1000369
- CVE-2017-10140 (BDB)
- CVE-2017-16943
- CVE-2017-16944

all but the BDB fix are in 4.89-r5.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-30 11:36:17 UTC
Stable on alpha.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-30 22:08:04 UTC
hppa/ia64/ppc/ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-12-01 11:21:19 UTC
amd64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-06 23:08:25 UTC
ommit 2c7dd6a3fcdbbeb168172f6a9cedd1ce59d9c217 (HEAD -> master, origin/master, origin/HEAD)
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Tue Feb 6 22:27:46 2018 +0100

    mail-mta/exim: stable 4.89-r5 for sparc, bug #638772
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-02-07 00:09:06 UTC
@maintainer(s), please clean the vulnerable versions from the tree.
Comment 14 Larry the Git Cow gentoo-dev 2018-02-07 07:41:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bc317cd39ecf7b89bb4cf9de05000e52f59110e

commit 1bc317cd39ecf7b89bb4cf9de05000e52f59110e
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2018-02-07 07:41:09 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2018-02-07 07:41:09 +0000

    mail-mta/exim: drop vulnerable version, bug #638772
    
    Bug: https://bugs.gentoo.org/638772
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 mail-mta/exim/exim-4.89-r1.ebuild | 529 --------------------------------------
 1 file changed, 529 deletions(-)}
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-02-07 23:15:13 UTC
GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-03-06 19:39:13 UTC
This issue was resolved and addressed in
 GLSA 201803-01 at https://security.gentoo.org/glsa/201803-01
by GLSA coordinator Thomas Deutschmann (whissi).