Mailing List Archive

On Fri, 29 Sep 2023, Some Guy via Exim-users wrote:

> Hi, I'm running an appliance which includes an Exim MTA and now I'm
> wondering, if I should be worried because of the RCE with CVSS 9.8
> described at the Zero Day Initiative homepage here:
>
> https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1&comments-page=1
lists several CVEs.

> Apparently this has been reported first in 2022, but I'm not sure if
> this has been fixed, so a statement would be neat, haven't found
> anything on the website so far.
>
>> From their page:
> """
> September 27th, 2023
>
> (0Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
>
> ZDI-23-1469
> ZDI-CAN-17434
>
> CVE ID [CVE-2023-42115](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42115)"""
> Any information on this would be highly appreciated. Thanks!

Yesterday Heiko posted
https://seclists.org/oss-sec/2023/q3/254
in one of the security lists.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

> https://seclists.org/oss-sec/2023/q3/254

i tried putting that in my exim config and it threw errors

Others have excuses, I have my reasons why...
-- Nickel Creek in "Reasons Why"

randy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Would it (temporary) help to restrict authentication via
auth_advertise_hosts?

- oliver

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sat, 30 Sep 2023, Randy Bush via Exim-users wrote:

>> https://seclists.org/oss-sec/2023/q3/254
>
> i tried putting that in my exim config and it threw errors

:-) I am not surprised.

I've seen some second hand reports (eg on the mailop list,
which 1) has a closed archive, and 2) seems unreachable this evening)
that the vulnerabilities are in SPA (Microsoft, NTLM) authentication and
libspf2.

Since Exim 4.97 release candidates are out for testing, I am assuming
that the fixes so far will be included when that is released as soon as
possible. Asking Jeremy and Heiko to comment further may slow this
further.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sat, 30 Sep 2023, Andrew C Aitchison via Exim-users:
> I've seen some second hand reports (eg on the mailop list,
> which 1) has a closed archive, and 2) seems unreachable this evening)
> that the vulnerabilities are in SPA (Microsoft, NTLM) authentication and
> libspf2.

So for authentication, only the SPA driver is affected?

- oliver

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

The Debian Bug Tracker has some hints:

https://security-tracker.debian.org/tracker/source-package/exim4

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 30/09/2023 20:07, Andrew C Aitchison via Exim-users wrote:
> the fixes so far will be included when that is released

Correct. We're allowing enough time for distros to prepare patches
for whatever distributed versions they support, and have told them
of the timeline.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Fri, 29 Sep 2023 15:17:05 +0000, Some Guy via Exim-users wrote:
> Hi, I'm running an appliance which includes an Exim MTA and now I'm wondering, if I should be worried because of the RCE with CVSS 9.8 described at the Zero Day Initiative homepage here:
>
> https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

My understanding (so far, after looking a bit into what information is
publically available about it) is that it heavily depends on the
actual configuration and will probably only affect a tiny percentage
of servers.


Christof

--

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Am Samstag, 30. September 2023, 10:34:14 CEST schrieb Andrew C Aitchison via
Exim-users:
> Yesterday Heiko posted
> https://seclists.org/oss-sec/2023/q3/254
> in one of the security lists.

For me, it would be helpful if at least the timelines would be properly
communicated to the users, not just that there is a timeline.

That would make the decision easier to wait for a fix or to migrate to postfix.

Thanks
Rainer

--
Rainer Dorsch
http://bokomoko.de/



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

* Rainer Dorsch via Exim-users (exim-users@lists.exim.org) [231001 15:02]:
> Am Samstag, 30. September 2023, 10:34:14 CEST schrieb Andrew C Aitchison via
> Exim-users:
> > Yesterday Heiko posted
> > https://seclists.org/oss-sec/2023/q3/254
> > in one of the security lists.
>
> For me, it would be helpful if at least the timelines would be properly
> communicated to the users, not just that there is a timeline.
>
> That would make the decision easier to wait for a fix or to migrate to postfix.

haha, funny. It's usually the same for *every* security bug in every
component: the distributors get the fixes beforehand, so that everyone
get the fixed packages at the same time. And of course, the timelines
are though usually, but being able to roll out working packages is it
worth IMHO. (The exception are just bad maintaned products, but exim
seems to do well here.)

Please note that I don't know more about exim than being an user, but
I have seen the security side as debian release manager for quite many
software products. And I doubt much that postfix would do it much
different.


Andi

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote:

> I have seen the security side as debian release manager for quite many
> software products. And I doubt much that postfix would do it much
> different.

Coordinated release of security updates is standard industry practice.

The only similar CVE in Postfix is CVE-2011-1720.

https://www.postfix.org/CVE-2011-1720.html#timeline

Another CVE instead led to coordination with multiple other SMTP
implementations (really anything that involved transition from cleartext
to TLS via a STARTTLS-like mechanism). This did not involve any risk of
system compromise, just injection of pre-TLS content into the TLS
stream:

https://www.postfix.org/CVE-2011-0411.html#timeline

--
Viktor.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

I did not want to say that I want to migrate to postfix because it is handling
security issues better than exim4.

I stopped the exim4 service on servers with port 25 accessible from the
internet, but since I cannot do that for a long time, migrating to postfix
would be an emergency fix, since postfix does right now not have any open CVEs
with similar severity level.

Rainer

--
Rainer Dorsch
http://bokomoko.de/



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

D?a 1. októbra 2023 17:49:26 UTC používate? Rainer Dorsch via Exim-users <exim-users@lists.exim.org> napísal:

>I stopped the exim4 service on servers with port 25 accessible from the
>internet

Please why?

+ do you use AUTH (NTLM/EXTERNAL) on port 25?
+ do you have untrusted proxy in front?
+ you have not reliable resolver and you cannot remove dnsdb lookups from your config?
+ you cannot disable SPF checks?

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sun, 01 Oct 2023 19:50:43 +0000, Slavko via Exim-users wrote:
> D?a 1. októbra 2023 17:49:26 UTC používate? Rainer Dorsch via Exim-users <exim-users@lists.exim.org> napísal:
>>I stopped the exim4 service on servers with port 25 accessible from the
>>internet
>
> Please why?
>
> + do you use AUTH (NTLM/EXTERNAL) on port 25?

This was only officially confirmed today (which is very unfortunate),
https://www.zerodayinitiative.com/advisories/ZDI-23-1469/ just had
"(0Day) Exim AUTH Out-Of-Bounds Write Remote Code Execution
Vulnerability"

When I looked at it yesterday I eventually found enough information
that suggested it's only exploitable with "AUTH EXTERNAL", so wasn't
worried after I found that. But until then I was actually quite
worried as well.


Christof

--

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

D?a 1. októbra 2023 20:07:45 UTC používate? Christof Meerwald via Exim-users <exim-users@lists.exim.org> napísal:

>This was only officially confirmed today (which is very unfortunate),

That is true only in this ML, othervise it was confirmed in Friday:

https://www.openwall.com/lists/oss-security/2023/09/29/5

But yes, the communication from exim devs, about this, was not
best and leave too big space for uncertainty and panic.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Sun, 01 Oct 2023 20:35:48 +0000, Slavko via Exim-users wrote:
> D?a 1. októbra 2023 20:07:45 UTC používate? Christof Meerwald via Exim-users <exim-users@lists.exim.org> napísal:
>>This was only officially confirmed today (which is very unfortunate),
>
> That is true only in this ML, othervise it was confirmed in Friday:
>
> https://www.openwall.com/lists/oss-security/2023/09/29/5

Not seeing anything that CVE-2023-42115 only affects "AUTH EXTERNAL"
here...


Christof

--

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Hi,

a short report from our cluster:

Every system has been hit with this "test" :

2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too
many syntax or protocol errors (last command was "AUTH NTLM
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=",  C=EHLO,HELP,AUTH)

"TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="  decodes to "NTLMSSP"

They try it with and without the base64 string:

2023-10-02 03:45:48 SMTP call from (XXXXXXXXXXX) [152.32.132.194]
dropped: too many syntax or protocol errors (last command was "AUTH
NTLM",  C=EHLO,AUTH)


AUTH NTLM and EXTERNAL are not supported by Exims default config in
Fedora, which leads to the above message if a "no errors allowed" policy
is in place.

"AUTH EXTERNAL" has not been tested and other attempts could not be
identified yet.

best regards,
Marius

D?a 2. 10. o 9:13 Cyborg via Exim-users napísal(a):

> 2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too
> many syntax or protocol errors (last command was "AUTH NTLM
> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=",  C=EHLO,HELP,AUTH)

From time to time i see these for years, the last was 12.9. thus long
time before vulnerability was published...


> "AUTH EXTERNAL" has not been tested and other attempts could not be
> identified yet.

AFAIK EXTERNAL requires TLS auth before, thus will not come from random
untrusted hosts...

regards

--
Slavko


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 02/10/2023 10:20, Slavko via Exim-users wrote:
> AFAIK EXTERNAL requires TLS auth before,

No; only if your config enforces that.
The example in the docs does, but that's not the only way to use External.

> thus will not come from random untrusted hosts...

Being able to talk TLS is everywhere. Don't trust peers only on that basis
(especially as a server).
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

D?a 2. októbra 2023 9:36:00 UTC používate? Jeremy Harris via Exim-users <exim-users@lists.exim.org> napísal:
>On 02/10/2023 10:20, Slavko via Exim-users wrote:
>> AFAIK EXTERNAL requires TLS auth before,
>
>No; only if your config enforces that.
>The example in the docs does, but that's not the only way to use External.

I want to tell, that one will not want to enable EXTERNAL AUTH for random
hosts, as there have to be some agreement between client and server about
what that external means and should to be verified by something other. That
it is possible to configure it without that doesn't matter, but will that be good
idea?

>Being able to talk TLS is everywhere. Don't trust peers only on that basis
>(especially as a server).

I didn't mean generic TLS communication, but eg. client's cert signed
and verified by private CA.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

> Every system has been hit with this "test" :
>
> 2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too
> many syntax or protocol errors (last command was "AUTH NTLM
> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=", C=EHLO,HELP,AUTH)
>
> "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" decodes to "NTLMSSP"

First time in my logs 2022-11-03.

> They try it with and without the base64 string:
>
> 2023-10-02 03:45:48 SMTP call from (XXXXXXXXXXX) [152.32.132.194]
> dropped: too many syntax or protocol errors (last command was "AUTH
> NTLM", C=EHLO,AUTH)

First time in my logs 2022-07-10.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On 2023-10-02 Christof Meerwald via Exim-users <exim-users@lists.exim.org> wrote:
> On Sun, 01 Oct 2023 20:35:48 +0000, Slavko via Exim-users wrote:
> > D?a 1. októbra 2023 20:07:45 UTC používate? Christof Meerwald via Exim-users <exim-users@lists.exim.org> napísal:
> >>This was only officially confirmed today (which is very unfortunate),
> >
> > That is true only in this ML, othervise it was confirmed in Friday:
> >
> > https://www.openwall.com/lists/oss-security/2023/09/29/5

> Not seeing anything that CVE-2023-42115 only affects "AUTH EXTERNAL"
> here...

I am failing to find out where this was claimed to be the case?

cu Andreas

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

On Mon, 2 Oct 2023 18:11:49 +0200, Andreas Metzler via Exim-users wrote:
> On 2023-10-02 Christof Meerwald via Exim-users <exim-users@lists.exim.org> wrote:
>> On Sun, 01 Oct 2023 20:35:48 +0000, Slavko via Exim-users wrote:
>> > D?a 1. októbra 2023 20:07:45 UTC používate? Christof Meerwald via Exim-users <exim-users@lists.exim.org> napísal:
>> >>This was only officially confirmed today (which is very unfortunate),
>> >
>> > That is true only in this ML, othervise it was confirmed in Friday:
>> >
>> > https://www.openwall.com/lists/oss-security/2023/09/29/5
>
>> Not seeing anything that CVE-2023-42115 only affects "AUTH EXTERNAL"
>> here...
>
> I am failing to find out where this was claimed to be the case?

https://www.mail-archive.com/exim-users@lists.exim.org/msg00529.html
seemed to imply that users should have been aware of the details when
they had to make decisions about stopping exim4:

"Please why?

+ do you use AUTH (NTLM/EXTERNAL) on port 25?"

So I was asking if these details were indeed available somewhere
before Sunday evening.


Christof

--

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Am 02.10.23 um 19:38 schrieb Christof Meerwald via Exim-users:
>
> "Please why?
>
> + do you use AUTH (NTLM/EXTERNAL) on port 25?"
>
> So I was asking if these details were indeed available somewhere
> before Sunday evening.

A lance for security:

The Trend Micro abstracts had already enough informations to make
exploitcoders look in the source to find the problems themself.
Any more information would have speed up this process, because it makes
it easier to locate the section of code you need to check, and we(user
and devs) don't wont this to happen, as the patches where not available yet.

As Heiko wrote, the communications with ZDI was not great( from both
sides i assume, as each side expected more from the other side), but
when you as dev get an issue report but no infos about the exploit,
configs etc, it's a pain in the ass job to find it yourself, even if you
are a longterm dev for the project.

That slowed it down massively and now, with the public advisories from
ZDI, the pressure was immense to find it in time and develope a working fix.

And: Big Thanks TEAM, 4.96.1 is running fine! (Fedora has the update ready)

best regards,
Cyborg


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/