
Multiple Exim security vulnerabilities disclosed

The "Zero Day Initiative" site has posted six advisories (1, 2, 3, 4, 5, 6) describing flaws in the Exim mail server, some of which are exploitable remotely. These problems, allegedly, were first reported to the project in June 2022, well over a year ago. There is some disagreement over the timing of events, with Exim developer Heiko Schlittermann claiming that no actual information was received until last May, and an anonymous ZDI representative disputing that story.

Either way, the vulnerabilities are now disclosed, but patches are not yet on offer; Schlittermann said that "Fixes are available in a protected repository and are ready to be applied by the distribution maintainers", so hopefully that situation will change soon.


to post comments

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 14:47 UTC (Sat) by dskoll (subscriber, #1630) [Link] (8 responses)

Exim does not have a great track record. I know it'd be an enormous change, but I think it's time for Debian to switch to Postfix as its default MTA.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 15:54 UTC (Sat) by lordsutch (guest, #53) [Link] (1 responses)

At least in my experience, getting Postfix as your MTA instead of Exim on Debian has been very straightforward, so other than updating the default task selections I'm not sure it would be that dramatic a change for new installs. Like most things, Debian probably wouldn't switch the default MTA for existing users on upgrade though.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 16:48 UTC (Sat) by dskoll (subscriber, #1630) [Link]

Right. It's very easy to switch to Postfix, and of course an upgrade should keep the existing MTA.

I'm just saying that a switch like this would likely be a big deal for Debian given their cautious decision-making process.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 20:38 UTC (Sat) by jond (subscriber, #37669) [Link] (1 responses)

These days I think Debian defaults to no MTA at all. But insofar as there’s a default (can’t recall if there’s a task-email-server or whatever), despite being a long time exim user, I agree with you.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 22:06 UTC (Sat) by Karellen (subscriber, #67644) [Link]

I think the mail-server/task-mail-server task went away a release or two ago. But exim4-daemon-light and exim4-daemon-heavy both provide the virtual package name default-mta along with mail-transport-agent, while other MTAs (like postfix) only provide mail-transport-agent. Then packages that require a mail server (e.g. bsd-mailx) generally depend on default-mta | mail-transport-agent.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 20:58 UTC (Sat) by cmeerw (guest, #555) [Link] (2 responses)

My understanding (so far, after looking a bit into what information is publicly available about it) is that it heavily depends on the actual configuration and will probably only affect a tiny percentage of servers.

(btw, postfix might not even implement the functionality that's affected by these vulnerabilities)

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 17:33 UTC (Sun) by cmeerw (guest, #555) [Link] (1 responses)

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 19:55 UTC (Sun) by pharm (guest, #22305) [Link]

So stock Debian config is basically unaffected: CONFIG_RCPT_SPF is not set by default, there’s no NTLM auth & no external auth.

So long as your DNS resolver is sane, you’re OK it seems.
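
As an added example (not part of this thread, and not Exim project code), the following POSIX shell script checks an Exim configuration for the three features the comment above names as relevant: an SPF condition in an ACL, an NTLM authenticator (Exim's `spa` driver) and an `external` authenticator. The mapping of "NTLM auth" to `driver = spa` and the two sample configurations are my own; both samples are constructed for the demonstration. The resolver question cannot be answered from the config file, so the script does not attempt it.

```shell
#!/bin/sh
# Added example: flag Exim configuration features named in the disclosure
# discussion (SPF ACL condition, spa/NTLM authenticator, external
# authenticator). Not from the LWN thread or the Exim project.

# Constructed sample: a configuration that uses all three features.
SAMPLE_RISKY="$(mktemp)"
cat > "$SAMPLE_RISKY" <<'EOF'
acl_check_rcpt:
  # comment lines are ignored by the scanner
  deny message = SPF check failed
       spf = fail
  accept

begin authenticators

spa_server:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim4/passwd}}

ext_server:
  driver = external
  public_name = EXTERNAL
  server_param2 = ${certextract{subj_altname,mail,>:}{$tls_in_peercert}}
EOF

# Constructed sample: a plain configuration with none of the features.
SAMPLE_DEFAULT="$(mktemp)"
cat > "$SAMPLE_DEFAULT" <<'EOF'
acl_check_rcpt:
  accept hosts = :
  deny message = Restricted characters in address
       domains = +local_domains
       local_parts = ^[.] : ^.*[@%!/|]
  accept

begin authenticators

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
EOF

trap 'rm -f "$SAMPLE_RISKY" "$SAMPLE_DEFAULT"' EXIT

# Print one tag per feature found in the given config file.
# Exim treats a line as a comment only when its first non-blank
# character is '#', so that is the only filtering applied. Note that
# .ifdef blocks are not evaluated: a guarded "spf =" is still reported
# even if the guarding macro is unset (a deliberate false positive).
list_exim_risky_features() {
  cfg="$1"
  stripped="$(grep -v '^[[:space:]]*#' "$cfg")"
  printf '%s\n' "$stripped" \
    | grep -Eq '(^|[[:space:]])spf[[:space:]]*=' \
    && echo "spf-condition"
  printf '%s\n' "$stripped" \
    | grep -Eq 'driver[[:space:]]*=[[:space:]]*spa([[:space:]]|$)' \
    && echo "spa-authenticator (NTLM)"
  printf '%s\n' "$stripped" \
    | grep -Eq 'driver[[:space:]]*=[[:space:]]*external([[:space:]]|$)' \
    && echo "external-authenticator"
  return 0
}

# Number of features found, as a bare integer (no leading whitespace).
count_exim_risky_features() {
  list_exim_risky_features "$1" | wc -l | tr -d ' '
}

# Stand-alone usage on the two constructed samples.
for f in "$SAMPLE_RISKY" "$SAMPLE_DEFAULT"; do
  echo "== $f: $(count_exim_risky_features "$f") feature(s) found"
  list_exim_risky_features "$f"
done
```

Run it against the configuration the daemon actually reads (on Debian the generated file under /var/lib/exim4/, elsewhere the single exim.conf); a count of zero means none of the three features is configured, which is the situation the comment above describes for the stock Debian setup.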

Multiple Exim security vulnerabilities disclosed

Posted Oct 13, 2023 7:34 UTC (Fri) by tsr2 (subscriber, #4293) [Link]

I ran Exim mail servers for over 15 years and there were very few security issues.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 22:03 UTC (Sat) by pharm (guest, #22305) [Link] (4 responses)

Debian security updates for exim4 are out.

Multiple Exim security vulnerabilities disclosed

Posted Sep 30, 2023 22:07 UTC (Sat) by pharm (guest, #22305) [Link] (3 responses)

Sorry, my error. Still waiting!

Multiple Exim security vulnerabilities disclosed

Posted Oct 2, 2023 10:53 UTC (Mon) by james (subscriber, #1325) [Link] (2 responses)

We go public with the available fixes (addressing a subset of the issues) on Monday, Oct 2nd, 12:00 UTC.
Heiko Schlittermann

Multiple Exim security vulnerabilities disclosed

Posted Oct 2, 2023 13:04 UTC (Mon) by pharm (guest, #22305) [Link] (1 responses)

Thanks Heiko.

Multiple Exim security vulnerabilities disclosed

Posted Oct 2, 2023 13:35 UTC (Mon) by james (subscriber, #1325) [Link]

FWIW, I'm not Heiko: I just quoted him.

I'm running 4.96.1 now, and it seems to work on a not-very-heavily-used mailserver.

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 19:27 UTC (Sun) by ametlwn (subscriber, #10544) [Link] (1 responses)

Further details on the bugs' scope and mitigations can be found in Heiko's latest mail:
https://www.openwall.com/lists/oss-security/2023/10/01/4

Multiple Exim security vulnerabilities disclosed

Posted Oct 1, 2023 23:18 UTC (Sun) by Trelane (subscriber, #56877) [Link]

Thanks for this. It's by far the most useful thing I've seen on the matter.

Multiple Exim security vulnerabilities disclosed

Posted Oct 3, 2023 18:08 UTC (Tue) by Trelane (subscriber, #56877) [Link]

Update: they released exim-4.96.1 that fixes the issues.

https://www.exim.org/static/doc/security/CVE-2023-zdi.txt

Multiple Exim security vulnerabilities disclosed

Posted Oct 16, 2023 6:09 UTC (Mon) by IanKelling (subscriber, #89418) [Link]

Note: more fixes are out.


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds