Hello all,

This was reported today on oss-security. I just wanted to forward this along to our list in case any folks here run an Exim server affected by this and don't subscribe to oss-security. This RCE exploit affects Exim versions 4.88 and 4.89. To quote Phil Pennock on the Exim mailing list...

On 2017-11-24 22:59:12, Phil Pennock wrote:
> ...
>
> Remote code execution in the first vulnerability, getting execution as the Exim run-time user.
>
> A complete mitigation is to disable advertising the CHUNKING extension, in which case an attempt to use the BDAT verb should result in:
>
>     503 BDAT command used when CHUNKING not advertised
>
> The instructions I wrote in the mail to our announce-list were:
>
> With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming), then in the main section of your Exim configuration set:
>
>     chunking_advertise_hosts =
>
> That's an empty value, nothing to the right of the equals sign. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable, and avoids letting an attacker apply the logic.
>
> Chunking support was introduced with Exim 4.88; the current release is 4.89 and 4.90 is in the RC series now. It looks like a 2-line fix (written by Jeremy Harris) is probably right for the first issue.
>
> Public bugtracker links:
>
> https://bugs.exim.org/show_bug.cgi?id=2199
> https://bugs.exim.org/show_bug.cgi?id=2201
-- Aaron Ball :: https://oper.io
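A quick way to confirm from the outside that the workaround above has taken effect is to speak ESMTP to the server, look for CHUNKING in the EHLO reply, and then send a harmless BDAT to see whether it is refused. The script below is an added example for this thread; it is not part of Aaron's or Phil's mail and not Exim project code. The hostnames and the two sample EHLO replies are constructed so the parsing logic can be exercised offline; the live probe only needs a host and port.

```python
"""Check whether an MTA still advertises CHUNKING (and accepts BDAT).

parse_ehlo_extensions()/chunking_advertised() work on a captured EHLO
reply, so they can be tested without a server.  probe() does the same
check live with smtplib and records what the server says to `BDAT 0`.
On an Exim with `chunking_advertise_hosts =` set, the quoted mail says
the expected BDAT reply is
    503 BDAT command used when CHUNKING not advertised
"""
from __future__ import annotations

import smtplib
import sys

# Constructed EHLO replies for illustration; not captured from any real host.
EHLO_WITH_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_CHUNKING = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the upper-cased ESMTP keywords from a multi-line EHLO reply.

    The first 250 line is the server greeting rather than an extension,
    so it is skipped.  Keyword parameters (e.g. the SIZE limit) are dropped.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    exts: set[str] = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # skip "250-" or "250 "
        if body:
            exts.add(body.split()[0].upper())
    return exts


def chunking_advertised(reply: str) -> bool:
    """True if the EHLO reply offers the CHUNKING extension (BDAT usable)."""
    return "CHUNKING" in parse_ehlo_extensions(reply)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: EHLO, then `BDAT 0`, then QUIT.  Nothing is delivered:
    no MAIL FROM / RCPT TO is issued, and BDAT with a zero-length chunk
    carries no data.  Returns the observations, or an "error" entry if
    the connection failed.
    """
    result: dict = {"host": host, "port": port, "chunking": None,
                    "bdat_code": None, "bdat_msg": ""}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            code, msg = s.ehlo("probe.example.test")  # hypothetical client name
            if code != 250:
                raise smtplib.SMTPException(f"EHLO rejected: {code} {msg!r}")
            # smtplib lower-cases the advertised keywords.
            result["chunking"] = "chunking" in s.esmtp_features
            code, msg = s.docmd("BDAT", "0")
            result["bdat_code"] = code
            result["bdat_msg"] = msg.decode("utf-8", errors="replace")
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    r = probe(target)
    if "error" in r:
        print(f"{target}: probe failed: {r['error']}")
    else:
        state = "STILL ADVERTISED" if r["chunking"] else "not advertised"
        print(f"{target}: CHUNKING {state}; BDAT -> {r['bdat_code']} {r['bdat_msg']}")
```

Run it against each MX after reloading Exim; a server with the workaround applied should show CHUNKING not advertised and a 503 on BDAT. If CHUNKING is still listed, the `chunking_advertise_hosts =` line is not in the main section or the daemon was not reloaded.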