Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.

Sat, 07 Sep 2019 01:45:23 -0700 



On 9/7/19 9:51 AM, Heiko Schlittermann via Exim-users wrote:

Marco Gaiarin via Exim-users <[email protected]> (Fr 06 Sep 2019 23:42:03 
CEST):

Mandi! Heiko Schlittermann via Exim-users
   In chel di` si favelave...


Add - as part of the mail ACL (the ACL referenced by the main config
option "acl_smtp_mail"):
      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}


For very old exim, eg 4.80, there's no _in_ and _out_ variables, so:

       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_sni}}}}
       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_peerdn}}}}



And, if your Exim is linked against GnuTLS there is no $tls_sni variable
at all. But - to my knowledge - the exploitable string is written to the
-H spool file anyway (and read back).



On Debian 7, 8, 9 (exim is linked against gnutls) and there is $tls_sni 
option. On Debian 8, 9 also there is $tls_in_sni option (as expected).


(Debian 6, 4.72, no $tls_sni, no $tls_in_sni)

# exim4 -bV
Exim version 4.72 #1 built 13-Jul-2014 21:26:25
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April  9, 2010)

Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb 
dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite

Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa

Routers: accept dnslookup ipliteral iplookup manualroute queryprogram 
redirect

Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'
Failed: unknown variable name "tls_sni"


(Debian 7, 4.80, no $tls_in_sni)

# exim4 -bV
Exim version 4.80 #2 built 10-Feb-2018 15:37:26
Copyright (c) University of Cambridge, 1995 - 2012

(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 
- 2012

Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)

Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm 
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql 
sqlite

Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa

Routers: accept dnslookup ipliteral iplookup manualroute queryprogram 
redirect

Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'
Failed: unknown variable name "tls_in_sni"
#


(Debian 8)

# exim4 -bV
Exim version 4.84_2 #1 built 05-Sep-2019 20:48:19
Copyright (c) University of Cambridge, 1995 - 2014

(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 
- 2014

Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)

Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm 
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql 
sqlite

Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa

Routers: accept dnslookup ipliteral iplookup manualroute queryprogram 
redirect

Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'

#



(Debian 9)

# exim4 -bV
Exim version 4.89 #1 built 03-Sep-2019 18:01:38
Copyright (c) University of Cambridge, 1995 - 2017

(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 
- 2017

Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)

Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY 
SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm 
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql 
sqlite

Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls

Routers: accept dnslookup ipliteral iplookup manualroute queryprogram 
redirect

Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# exim4 -be '$tls_sni'

#
# exim4 -be '$tls_in_sni'

#

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


























					Reply via email to