Exim upgrade to 4.92.3 needed for multiple CVEs

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Fri Oct 4 08:16:00 GMT 2019


On 2019-09-20 11:10, Brian Inglis wrote:
> Exim official upgrade to 4.92.2 urgently needed to include patch for published CVE:
> https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/
> https://exim.org/static/doc/security/CVE-2019-15846.txt

https://access.redhat.com/security/security-updates/#/cve?q=exim&p=1&sort=cve_publicDate%20desc&rows=100&documentKind=Cve

Since the "current" 4.86 release in 2015-10, another CVE, another upgrade required:

https://access.redhat.com/security/cve/cve-2019-16928
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability
than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in
string.c involving a long EHLO command.
http://exim.org/static/doc/security/CVE-2019-16928.txt

Also earlier this year:

https://access.redhat.com/security/cve/cve-2019-15846
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via
a trailing backslash.
https://exim.org/static/doc/security/CVE-2019-15846.txt

https://access.redhat.com/security/cve/cve-2019-13917
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in
some unusual configurations that use the ${sort} expansion for items that can be
controlled by an attacker (e.g., $local_part or $domain).
https://exim.org/static/doc/security/CVE-2019-13917.txt

https://access.redhat.com/security/cve/cve-2019-10149
A flaw was found in the way exim validated recipient addresses. A remote
attacker could use this flaw to execute arbitrary commands on the exim server
with the permissions of the user running the application.
https://exim.org/static/doc/security/CVE-2019-10149.txt

and last:

https://access.redhat.com/security/cve/cve-2018-6789
An issue was discovered in the base64d function in the SMTP listener in Exim
before 4.90.1. By sending a handcrafted message, a buffer overflow may happen.
This can be used to execute code remotely.
https://exim.org/static/doc/security/CVE-2018-6789.txt

and:

https://access.redhat.com/security/cve/cve-2017-16944
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to cause a denial of service (infinite loop and stack
exhaustion) via vectors involving BDAT commands and an improper check for a '.'
character signifying the end of the content, related to the bdat_getc function.

https://access.redhat.com/security/cve/cve-2017-16943
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
allows remote attackers to execute arbitrary code or cause a denial of service
(use-after-free) via vectors involving BDAT commands.
Mitigation
if you are running Exim 4.88 or newer, then in the main section of your Exim
configuration, set:
chunking_advertise_hosts =
This disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

https://access.redhat.com/security/cve/cve-2017-1000369
Exim supports the use of multiple "-p" command line arguments which are
malloc()'ed and never free()'ed, used in conjunction with other issues allows
attackers to cause arbitrary code execution. This affects exim version 4.89 and
earlier. Please note that at this time upstream has released a patch, but it is
not known if a new point release is available that addresses this issue at this
time.
Statement
Exim itself is not vulnerable to privilege escalation, but this particular flaw
in exim can be used by the stackguard vulnerability
(https://access.redhat.com/security/vulnerabilities/stackguard) to achieve
privilege escalation.

https://access.redhat.com/security/cve/cve-2016-9963
It was found that Exim leaked DKIM signing private keys to the "mainlog" log
file. As a result, an attacker with access to system log files could potentially
access these leaked DKIM private keys.
http://exim.org/static/doc/security/CVE-2016-9963.txt

https://access.redhat.com/security/cve/cve-2016-1531
Exim before 4.86.2, when installed setuid root, allows local users to gain
privileges via the perl_startup argument.
http://exim.org/static/doc/security/CVE-2016-1531.txt

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
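As an added check (not part of the post above or of the Exim project), the version ranges quoted in the post turned into a script that reads `exim -bV` output and lists which of the listed CVEs the installed version falls under, plus the CHUNKING mitigation the post quotes. The CVE-2019-10149 range is not stated in the post and is taken from the linked exim.org advisory; the `exim -bV` sample is constructed.

```python
import re

# Affected ranges as given in the post (low inclusive, high exclusive, None = open).
# "4.88 and 4.89" is read as 4.88 <= v < 4.90; "4.89 and earlier" as v < 4.90.
ADVISORIES = [
    ("CVE-2019-16928", "4.92", "4.92.3"),
    ("CVE-2019-15846", None, "4.92.2"),
    ("CVE-2019-13917", "4.85", "4.92.1"),
    ("CVE-2019-10149", "4.87", "4.92"),  # range not in the post; from exim.org advisory
    ("CVE-2018-6789", None, "4.90.1"),
    ("CVE-2017-16944", "4.88", "4.90"),
    ("CVE-2017-16943", "4.88", "4.90"),
    ("CVE-2017-1000369", None, "4.90"),
    ("CVE-2016-1531", None, "4.86.2"),
]
BDAT_CVES = {"CVE-2017-16944", "CVE-2017-16943"}
BDAT_MITIGATION = "chunking_advertise_hosts ="  # from the post: stops advertising CHUNKING

def parse_version(text):
    """'4.92.2' -> (4, 92, 2); '4.92' -> (4, 92, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def version_from_bv(output):
    """Pull the version out of 'exim -bV' output ('Exim version 4.92 #3 built ...')."""
    m = re.search(r"^Exim version (\d+(?:\.\d+)*)", output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    return m.group(1)

def affecting_cves(version):
    """CVEs from the post whose stated range contains this version (post order)."""
    v = parse_version(version)
    return [cve for cve, low, high in ADVISORIES
            if (low is None or v >= parse_version(low))
            and (high is None or v < parse_version(high))]

def mitigations(version):
    """Config lines the post gives for hosts that cannot upgrade at once."""
    return [BDAT_MITIGATION] if BDAT_CVES & set(affecting_cves(version)) else []

# Constructed 'exim -bV' output, not captured from a real host.
SAMPLE_BV = "Exim version 4.86 #1 built 20-Oct-2015 10:00:00\n"

if __name__ == "__main__":
    ver = version_from_bv(SAMPLE_BV)
    print(ver, affecting_cves(ver), mitigations(ver))
```

Run it against the real `exim -bV` output on a host to see which of the post's advisories still apply before the upgrade to 4.92.3.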
