21 serious bugs (including remote root) discovered in the Exim MTA

The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security@exim.org back in October 2020. Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner.

The list of the 21 bugs:

Qualys Security Advisory

21Nails: Multiple vulnerabilities in Exim

========================================================================
Contents
========================================================================

Summary
Local vulnerabilities

- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary file creation and clobbering
- CVE-2021-27216: Arbitrary file deletion
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()

Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

More details here.

Comments

the mail transfer agent (MTA) responsible for 60% of internet mail traffic

/me was surprised by this ^^^

trey @ gépház

Honestly, I don't even believe that 60% (mail traffic).

And I also find it hard to believe that 60% of all SMTP servers are Exim.

They base it on this: http://www.securityspace.com/s_survey/data/man.202103/mxsurvey.html , but it is probably skewed by the huge number of cPanel servers that ship Exim by default, although in my experience 90% of them carry no mail traffic.

In any case it will be interesting because of CentOS 6 + 8 and cPanel. Many CentOS 6 & cPanel owners were waiting for cPanel support on CentOS 8, which never materialised. But migrating to CentOS 7 + cPanel is not very attractive right now either, so everyone was waiting for a miracle, or possibly for quick Ubuntu/Debian support.

All versions before Exim-4.94.2 are vulnerable.

so then... what do we do with Debian 10, which ships 4.92-8+deb10u5?

It was fixed in Debian a few days ago:

$ zcat /usr/share/doc/exim4/changelog.Debian.gz | less

exim4 (4.92-8+deb10u6) buster-security; urgency=high

  * Fix several security vulnerabilities reported by Qualys and add related
    robustness improvements. (Originally fixed in upstream release 4.94.3 and
    in upstream GIT branch exim-4.92.3+fixes. (Special thanks to Heiko)
    + CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
    + CVE-2020-28018: Use-after-free in tls-openssl.c
    + CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
    + CVE-2020-28010: Heap out-of-bounds write in main()
    + CVE-2020-28011: Heap buffer overflow in queue_run()
    + CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
    + CVE-2020-28017: Integer overflow in receive_add_recipient()
    + CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
    + CVE-2020-28026: Line truncation and injection in spool_read_header()
    + CVE-2020-28015 and CVE-2020-28021: New-line injection into spool header
      file.
    + CVE-2020-28009: Integer overflow in get_stdinput()
    + CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
    + CVE-2020-28012: Missing close-on-exec flag for privileged pipe
    + CVE-2020-28019: Failure to reset function pointer after BDAT error
    + CVE-2020-28007: Link attack in Exim's log directory
    + CVE-2020-28008: Assorted attacks in Exim's spool directory
    + CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation, clobbering,
      and deletion.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 01 May 2021 11:42:39 +0200

We're slowly getting to the bottom of it. Another clue, from /var/log/apt/history.log:

Start-Date: 2021-05-05  06:30:11
Commandline: /usr/bin/unattended-upgrade
Upgrade: exim4-base:amd64 (4.92-8+deb10u5, 4.92-8+deb10u6), exim4:amd64 (4.92-8+deb10u5, 4.92-8+deb10u6)
End-Date: 2021-05-05  06:30:16

It was installed automatically early this morning.