[exim] Re: Exim Zero Day?
Hi,

a short report from our cluster: Every system has been hit with this "test":

2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too many syntax or protocol errors (last command was "AUTH NTLM TlRMTVNTUAABB4IIAAA=", C=EHLO,HELP,AUTH)

"TlRMTVNTUAABB4IIAAA=" decodes to "NTLMSSP"

They try it with and without the base64 string:

2023-10-02 03:45:48 SMTP call from (XXX) [152.32.132.194] dropped: too many syntax or protocol errors (last command was "AUTH NTLM", C=EHLO,AUTH)

AUTH NTLM and EXTERNAL are not supported by Exim's default config in Fedora, which leads to the above message if a "no errors allowed" policy is in place.

"AUTH EXTERNAL" has not been tested and other attempts could not be identified yet.

best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
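As an added example (not from Marius's report and not Exim code), a small Python triage script for mainlog lines of the shape quoted above: it parses the "dropped: too many syntax or protocol errors" line, checks whether an AUTH NTLM initial response really decodes to an NTLMSSP message, and labels each probe by mechanism. The two quoted log lines are reused as sample input; the other two sample lines (203.0.113.x) are constructed.

```python
import base64
import binascii
import re

# Constructed mainlog sample: lines 1-2 are quoted in the report above, 3-4 are made up.
SAMPLE_LOG = """\
2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too many syntax or protocol errors (last command was "AUTH NTLM TlRMTVNTUAABB4IIAAA=", C=EHLO,HELP,AUTH)
2023-10-02 03:45:48 SMTP call from (XXX) [152.32.132.194] dropped: too many syntax or protocol errors (last command was "AUTH NTLM", C=EHLO,AUTH)
2023-10-02 05:01:12 SMTP call from (probe) [203.0.113.7] dropped: too many syntax or protocol errors (last command was "AUTH EXTERNAL", C=EHLO,AUTH)
2023-10-02 05:10:00 SMTP call from (mx) [203.0.113.8] dropped: too many syntax or protocol errors (last command was "RCPT TO:<nobody>", C=EHLO,MAIL,RCPT)
"""

# Shape of Exim's "dropped: too many syntax or protocol errors" line as quoted above.
DROP_RE = re.compile(
    r'^(?P<ts>\S+ \S+) SMTP call from (?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\] '
    r'dropped: too many syntax or protocol errors \(last command was "(?P<cmd>[^"]*)", '
    r'C=(?P<seq>[^)]*)\)$')

NTLMSSP_MAGIC = b"NTLMSSP\x00"   # 8-byte signature that opens every NTLMSSP message

def parse_drop(line):
    """Fields of one 'dropped' log line, or None if the line has another shape."""
    m = DROP_RE.match(line.strip())
    return m.groupdict() if m else None

def decode_initial_response(blob):
    """Decode the base64 initial response sent with AUTH; None if not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(rec):
    """Label the last command by AUTH mechanism and, for NTLM, by blob content."""
    parts = rec["cmd"].split(None, 2)
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        return "other"
    mech = parts[1].upper()
    if mech == "NTLM":
        blob = decode_initial_response(parts[2]) if len(parts) == 3 else None
        if blob is not None and blob.startswith(NTLMSSP_MAGIC):
            return "auth-ntlm-ntlmssp"   # the blob really is an NTLMSSP message
        return "auth-ntlm-bare"          # "AUTH NTLM" alone, or an unparsable blob
    return "auth-" + mech.lower()        # e.g. "auth-external"

def scan(text):
    """AUTH-related drop records in a mainlog excerpt, each with ts, ip, cmd, seq, class."""
    hits = []
    for line in text.splitlines():
        rec = parse_drop(line)
        if rec and (cls := classify(rec)) != "other":
            rec["class"] = cls
            hits.append(rec)
    return hits
```

Feeding a real mainlog to `scan()` and counting `class` and `ip` gives the per-source picture the thread is comparing by hand (first seen dates, with or without blob).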
[exim] Re: Exim Zero Day?
On 2 Oct at 9:13, Cyborg via Exim-users wrote:

> 2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too many syntax or protocol errors (last command was "AUTH NTLM TlRMTVNTUAABB4IIAAA=", C=EHLO,HELP,AUTH)

From time to time I see these, for years; the last was 12.9., thus a long time before the vulnerability was published...

> "AUTH EXTERNAL" has not been tested and other attempts could not be identified yet.

AFAIK EXTERNAL requires TLS auth before, thus will not come from random untrusted hosts...

regards

--
Slavko
[exim] Re: Exim Zero Day?
On 02/10/2023 10:20, Slavko via Exim-users wrote:
> AFAIK EXTERNAL requires TLS auth before,

No; only if your config enforces that.
The example in the docs does, but that's not the only way to use External.

> thus will not come from random untrusted hosts...

Being able to talk TLS is everywhere. Don't trust peers only on that basis (especially as a server).

--
Cheers,
  Jeremy
[exim] Re: The current CVEs
Dear Exim Users,

we released the available fixes for the issues mentioned in the recent CVEs.

See this link for a summary: https://exim.org/static/doc/security/CVE-2023-zdi.txt

Distribution points:

- git://git.exim.org
  branches:
  - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
  - exim-4.96+security (based on exim-4.96) [gpg signed]
  - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
  tags:
  - exim-4.96.1 [gpg signed]
- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]

GPG signatures are made by me (h...@schlittermann.de, or Jeremy Harris j...@wizmail.org).

For cross-verification the SHAX sums follow:

Best regards from Dresden/Germany
Best regards from Dresden

Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support
Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE
[exim] recent CVE: EXTERNAL -> external?
Dear List

The official communication talks of "EXTERNAL auth": Is it meant for driver = external as mentioned under [1] or any external authentication like driver = dovecot and thus written capitalized? Or does EXTERNAL refer to something completely different?

Thank you for clarification.

Regards, Adrian.

[1] https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_external_authenticator.html
[exim] Re: Exim Zero Day?
On 2 October 2023 9:36:00 UTC, Jeremy Harris via Exim-users wrote:
>On 02/10/2023 10:20, Slavko via Exim-users wrote:
>> AFAIK EXTERNAL requires TLS auth before,
>
>No; only if your config enforces that.
>The example in the docs does, but that's not the only way to use External.

I want to say that one will not want to enable EXTERNAL AUTH for random hosts, as there has to be some agreement between client and server about what that "external" means, and it should be verified by something other. That it is possible to configure it without that doesn't matter, but will that be a good idea?

>Being able to talk TLS is everywhere. Don't trust peers only on that basis
>(especially as a server).

I didn't mean generic TLS communication, but e.g. a client's cert signed and verified by a private CA.

regards

--
Slavko
https://www.slavino.sk/
[exim] Re: recent CVE: EXTERNAL -> external?
On 02/10/2023 13:44, Adrian Zaugg via Exim-users wrote:
> The official communication talks of "EXTERNAL auth": Is it meant for driver = external as mentioned under [1] or any external authentication like driver = dovecot and thus written capitalized? Or does EXTERNAL refer to something completely different?
>
> Thank you for clarification.

There are two concepts here:
a) the driver (a module within Exim), which has the lowercase word as its label.
b) the ESMTP protocol word used to negotiate use of the feature. Traditionally in all-caps.

For this one there's maximum confusion. The driver only handles the one method. But the "plaintext" driver (for instance) handles both LOGIN and PLAIN methods.

--
Cheers,
  Jeremy
[exim] Re: Exim Zero Day?
> Every system has been hit with this "test" :
>
> 2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too
> many syntax or protocol errors (last command was "AUTH NTLM
> TlRMTVNTUAABB4IIAAA=", C=EHLO,HELP,AUTH)
>
> "TlRMTVNTUAABB4IIAAA=" decodes to "NTLMSSP"

First time in my logs 2022-11-03.

> They try it with and without the base64 string:
>
> 2023-10-02 03:45:48 SMTP call from (XXX) [152.32.132.194]
> dropped: too many syntax or protocol errors (last command was "AUTH
> NTLM", C=EHLO,AUTH)

First time in my logs 2022-07-10.
[exim] Re: Exim Zero Day?
On 2023-10-02 Christof Meerwald via Exim-users wrote:
> On Sun, 01 Oct 2023 20:35:48 +, Slavko via Exim-users wrote:
> > On 1 October 2023 20:07:45 UTC, Christof Meerwald via
> > Exim-users wrote:
> >>This was only officially confirmed today (which is very unfortunate),
> >
> > That is true only in this ML, otherwise it was confirmed on Friday:
> >
> > https://www.openwall.com/lists/oss-security/2023/09/29/5

> Not seeing anything that CVE-2023-42115 only affects "AUTH EXTERNAL"
> here...

I am failing to find out where this was claimed to be the case?

cu Andreas
[exim] Re: Exim Zero Day?
On Mon, 2 Oct 2023 18:11:49 +0200, Andreas Metzler via Exim-users wrote:
> On 2023-10-02 Christof Meerwald via Exim-users wrote:
>> On Sun, 01 Oct 2023 20:35:48 +, Slavko via Exim-users wrote:
>> > On 1 October 2023 20:07:45 UTC, Christof Meerwald via
>> > Exim-users wrote:
>> >>This was only officially confirmed today (which is very unfortunate),
>> >
>> > That is true only in this ML, otherwise it was confirmed on Friday:
>> >
>> > https://www.openwall.com/lists/oss-security/2023/09/29/5
>
>> Not seeing anything that CVE-2023-42115 only affects "AUTH EXTERNAL"
>> here...
>
> I am failing to find out where this was claimed to be the case?

https://www.mail-archive.com/exim-users@lists.exim.org/msg00529.html seemed to imply that users should have been aware of the details when they had to make decisions about stopping exim4:

"Please why? + do you use AUTH (NTLM/EXTERNAL) on port 25?"

So I was asking if these details were indeed available somewhere before Sunday evening.

Christof

--
https://cmeerw.org
sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org
xmpp:cmeerw at cmeerw.org
[exim] Re: Exim Zero Day?
On 02.10.23 at 19:38, Christof Meerwald via Exim-users wrote:
> "Please why? + do you use AUTH (NTLM/EXTERNAL) on port 25?"
>
> So I was asking if these details were indeed available somewhere before Sunday evening.

A lance for security: The Trend Micro abstracts already had enough information to make exploit coders look in the source to find the problems themselves. Any more information would have sped up this process, because it makes it easier to locate the section of code you need to check, and we (users and devs) don't want this to happen, as the patches were not available yet.

As Heiko wrote, the communication with ZDI was not great (from both sides I assume, as each side expected more from the other side), but when you as dev get an issue report but no info about the exploit, configs etc., it's a pain in the ass job to find it yourself, even if you are a long-term dev for the project. That slowed it down massively and now, with the public advisories from ZDI, the pressure was immense to find it in time and develop a working fix.

And: Big Thanks TEAM, 4.96.1 is running fine! (Fedora has the update ready)

best regards,
Cyborg
[exim] Re: Exim Zero Day?
On 2 October 2023 17:38:02 UTC, Christof Meerwald via Exim-users wrote:
>So I was asking if these details were indeed available somewhere
>before Sunday evening.

Yes, it was. I don't remember exactly where, because (as there was silence officially) I tried various sources. Perhaps it was mentioned on IRC by Jeremy... I remember only that I knew that on Saturday and thus I was more interested in the other two issues. I got important details on IRC about them on Sunday afternoon from Jeremy and Heiko. When the official response was published, it was only confirmation (for me) that I had collected proper info + some more details.

regards

--
Slavko
https://www.slavino.sk/
[exim] Re: Exim Zero Day?
On Mon, 2 Oct 2023 20:54:56 +0200, Cyborg via Exim-users wrote:
> That slowed it down massively and now, with the public advisories from
> ZDI, the pressure was immense to find it in time and develop a working fix.

But my understanding here is that fixes were actually already done in May 2023, see

https://git.exim.org/exim.git/commit/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd

  Auths: fix possible OOB write in external authenticator. Bug 2999
  author    Jeremy Harris  Thu, 11 May 2023 19:02:43 +0200 (18:02 +0100)
  committer Jeremy Harris  Tue, 26 Sep 2023 20:07:46 +0200 (19:07 +0100)

similar for the other fixes that were made available today.

Christof

--
https://cmeerw.org
sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org
xmpp:cmeerw at cmeerw.org