
CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***

Heads up! Security release ahead!

CVE ID: CVE-2019-15846
Version(s): up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root
privileges.
Details: Will be made public at CRD. Currently there is no known
exploit, but a rudimentary POC exists.

Coordinated Release Date (CRD) for Exim 4.92.2:
2019-09-06 10:00 UTC

Contact: security@exim.org

Proposed Timeline
=================

2019-09-03:
- initial notification to distros@openwall.org and
exim-maintainers@exim.org

2019-09-04: <-- NOW
- This Heads-up notice to oss-security@lists.openwall.com,
exim-users@exim.org, and exim-announce@exim.org

2019-09-06 10:00 UTC:
- Coordinated release date
- Notice to oss-security, exim-users, and exim-announce
- Publish the patches in our official and public Git repositories
and the packages on our FTP server.

Downloads available starting at CRD (not yet)
=============================================

The downloads are not yet available. They will be made available
at the above mentioned CRD.

Release tarballs (exim-4.92.2):

https://ftp.exim.org/pub/exim/exim4/

The package files are signed with my GPG key.

The full Git repo:

https://git.exim.org/exim.git
https://github.com/Exim/exim [mirror of the above]
- tag exim-4.92.2
- branch exim-4.92.2+fixes

The tagged commit is the officially released version. The tag is signed
with my GPG key. The +fixes branch isn't officially maintained, but
contains useful patches *and* the security fix. The relevant commit is
signed with my GPG key. The old exim-4.92.1+fixes branch is being functionally
replaced by the new exim-4.92.2+fixes branch.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
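The announcement says the tarballs and the release tag are signed with the author's GPG key. Below is an added example (not part of the advisory and not Exim project code) of how a packager can verify a downloaded tarball and pin the signing key rather than accepting any key in the keyring. It assumes things the page does not state: a tarball named exim-4.92.2.tar.xz with a sibling detached signature ending in .asc (adjust to what ftp.exim.org actually serves), that the release key is the one whose key ID F69376CE appears in the author's mail signature, and that its public key has already been imported.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Exim project: verify an Exim
# release tarball against its detached GPG signature and pin the signer's key
# before building or packaging it. Assumptions not stated on the page: the
# tarball name "exim-4.92.2.tar.xz", a sibling detached signature with an
# ".asc" suffix, that the signing key is the one with key ID F69376CE from the
# author's mail signature, and that its public key is already in the keyring.
set -u

# fingerprint_has_keyid FINGERPRINT KEYID
# A short (8 hex) or long (16 hex) key ID is the tail of a v4 fingerprint, so a
# case-insensitive suffix comparison is enough. Exit 0 on match, 1 otherwise.
fingerprint_has_keyid() {
    fpr=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$want" ] || return 1
    case "$fpr" in
        *"$want") return 0 ;;
        *)        return 1 ;;
    esac
}

# verify_exim_tarball TARBALL [SIGNATURE] [KEYID]
# Exit 0 only when gpg reports VALIDSIG and the signing key's fingerprint ends
# in KEYID; 1 for a missing file, a bad or unknown signature, or a key mismatch.
# --status-fd gives machine-readable lines, which is more robust than parsing
# the human-readable output or trusting the exit code alone.
verify_exim_tarball() {
    tarball=$1
    sig=${2:-"$tarball.asc"}
    keyid=${3:-F69376CE}
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "signature check FAILED for $tarball" >&2; return 1; }
    # "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || { echo "no VALIDSIG for $tarball" >&2; return 1; }
    fingerprint_has_keyid "$fpr" "$keyid" || {
        echo "signed by unexpected key $fpr (wanted ...$keyid)" >&2; return 1; }
    echo "good signature on $tarball by key ...$keyid"
}

# verify_exim_tag [TAG]: the same check for the signed release tag in a local
# clone of https://git.exim.org/exim.git (git verify-tag uses the gpg keyring).
verify_exim_tag() {
    git verify-tag "${1:-exim-4.92.2}"
}

# Usage, after downloading both files from https://ftp.exim.org/pub/exim/exim4/:
#   verify_exim_tarball exim-4.92.2.tar.xz
#   verify_exim_tag exim-4.92.2
```

The key-ID pin matters more than the good/bad result: a "good" signature from a key that is not the release key (a stale revoked key, or one someone slipped into the keyring) must still fail the check.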
Re: [oss-security] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
Heiko Schlittermann <hs@nodmarc.schlittermann.de> (Wed 04 Sep 2019 11:22:48 CEST):
> *** Note: EMBARGO is still in effect! ***
> *** Distros must not publish any detail yet ***

As I saw blocked accesses to our security repo:

If you're entitled to access our non-public security repository, please
update your "remote". The git URL is now:

ssh://git@git.exim.org/exim-security
ssh://git@git.exim.org/exim-packages-security

(We added the -security suffix.)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
Re: CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***

In case you are entitled to access the security repo:
*and* use the 4.92.2+fixes branch:

The branch got two new commits, fixing a small tool. This tool is not
designed to process untrusted data, so there is no security issue, but
it was buggy. It is unlikely to be critical.

You may consider including the fix in the packages to be
released at CRD (today, 10.00 UTC) or schedule it for a later
maintenance release of the Exim packages.

commit cdc7f9a9667ecf31d803fc8d1a31b466284360bd
Author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Date: Fri Sep 6 06:57:11 2019 +0200

commit 66935633816a88460f5222f40dc29d1a4e877978
Author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Date: Thu Sep 5 14:56:22 2019 +0200

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
Re: CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
Heiko Schlittermann <hs@dmarc.schlittermann.de> (Fri 06 Sep 2019 12:20:39 CEST):
> Mitigation
> ==========
>
> Do not offer TLS for incoming connections (tls_advertise_hosts).
> This mitigation is *not* recommended!

This should block the most popular attack vector:

In your MAIL ACL:

deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
     message   = sorry


Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
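The ACL above denies at MAIL time whenever the TLS SNI the client sent ends in a backslash (${substr{-1}{1}{$tls_in_sni}} is the last character of the SNI; an empty SNI never matches). The following is an added example, not code from the advisory or the Exim project: it mirrors that condition in shell so it can be tested offline, and scans an Exim mainlog for the same pattern, which is a useful retrospective check once the ACL or the 4.92.2 fix is in place. It assumes things the page does not state: that Exim only writes SNI="..." to the mainlog when log_selector includes +tls_sni, and that its log output escapes a literal backslash as \\ so a trailing backslash appears as SNI="...\\". The log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the Exim project: reproduce the ACL
# condition in shell and scan a mainlog for SNI values ending in a backslash.
# Assumptions not stated on the page: the sample log lines below are
# constructed; Exim writes SNI="..." only with log_selector +tls_sni, and its
# log printing escapes a backslash as "\\", so a trailing backslash in the SNI
# shows up in the log as SNI="...\\".
set -u

# sni_has_trailing_backslash SNI
# Mirrors: deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
# Exim's substr{-1}{1} yields the last character; the ACL denies when it is
# "\". Exit 0 means the ACL would deny, 1 means it would accept (including an
# empty SNI, i.e. a client that sent none).
sni_has_trailing_backslash() {
    case "$1" in
        *\\) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_sample_mainlog FILE: writes constructed mainlog-style lines (documentation
# IPs, made-up message IDs). Line 2 is what a denied MAIL from a client whose
# SNI ended in "\" would look like under the escaping assumption above.
make_sample_mainlog() {
    cat > "$1" <<'EOF'
2019-09-04 11:22:48 1i5R8s-0001Ab-2Q <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no SNI="mail.example.net" S=1234
2019-09-04 11:23:01 H=(client) [198.51.100.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no SNI="mail.example.net\\" rejected MAIL <>: sorry
2019-09-04 11:23:15 1i5R9J-0001Ac-0F <= bob@example.com H=smtp.example.com [203.0.113.5] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=2048
2019-09-04 11:23:40 1i5R9h-0001Ad-1B <= carol@example.org H=relay.example.org [192.0.2.20] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no SNI="a\\b.example.net" S=512
EOF
}

# scan_mainlog_for_sni_backslash FILE
# Prints every line whose logged SNI ends in an escaped backslash (a backslash
# in the middle of the name, as in line 4, is not the pattern). Exit 0 if any
# line matched, 1 if none did (grep's own convention).
scan_mainlog_for_sni_backslash() {
    grep -E 'SNI="[^"]*\\\\"' "$1"
}

# count_sni_backslash_hits FILE: number of matching lines, for a quick report.
count_sni_backslash_hits() {
    scan_mainlog_for_sni_backslash "$1" | wc -l | tr -d ' '
}

# Usage on a live system (the path is Exim's default, adjust as needed):
#   scan_mainlog_for_sni_backslash /var/log/exim4/mainlog
```

The scan only sees what was logged: without +tls_sni in log_selector there is no SNI field to match, so enable it before relying on this as a detection.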