An Update to the mitigation for the current CVE:
Add - as part of the mail ACL (the ACL referenced by the main config
option "acl_smtp_mail"):
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
This should prevent the currently known attack vector.
Bes ...
On 2019-09-06 at 20:50 +0200, Sebastian Nielsen wrote:
The connect ACL won't protect you against STARTTLS usage, which is far
more common for email than TLS-on-connect.
I myself use the HELO ACL.
Blocking in the MAIL ACL is safe. The problem is not in the TLS SNI
itself. The problem relates to safely storing the SNI in spool files
for message ...
Shouldn't this be in connect ACL?
How would the deny in MAIL FROM prevent the exploit? What I have understood is that there is an exploit in the SNI of the
TLS negotiation, thus the whole connect attempt must be rejected, right?
-----Original message-----
From: Exim-users <exim-users-bounces+sebastian=sebbeeu () exim org> On Behalf Of Heiko Sc ...
Heiko Schlittermann <hs () dmarc schlittermann de> (Fri 06 Sep 2019 12:20:39 CEST):
This should block the most popular attack vector:
In your MAIL ACL:
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
message = sorry
Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann ...
Phil Pennock <pdp () exim org> (Sat 07 Sep 2019 02:52:56 CEST):
This doesn't seem to be sufficient; you can start "submitting" a message to
a remote Exim with the following sequence:
connect
<-- 250
EHLO …
<-- 250
STARTTLS
<-- 220
MAIL
<-- 250
The client is free to skip the 2nd E ...
Hi,
Check this thread:
www.openwall.com/lists/oss-security/2019/07/22/3
www.openwall.com/lists/oss-security/2019/07/22/8
Cheers!
On 07/09/2019 01:33, akuster wrote: ...
Heiko Schlittermann <hs () nodmarc schlittermann de> (Wed 04 Sep 2019 11:22:48 CEST):
As I saw blocked accesses to our security repo:
If you're entitled to access our non-public security repository, please
update your "remote". The git URL is now:
ssh://git () git exim org/exim-security
ssh://git () git exim org/exim-packages-secur ...
On 9/5/19 11:00 PM, Heiko Schlittermann wrote:
If this is true, why is this on the public list?
- armin ...
On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
Yeah, sorry folks, that was a little embarrassing: my setup, and various
common configurations (including apparently RedHat's) enforce
EHLO-after-STARTTLS. But that's Exim configuration, not hard-enforced
in the code.
"Be lenient in what you accept": bah humbug.
Exim's default configur ...
*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***
Heads up! Security release ahead!
CVE ID: CVE-2019-15846
Version(s): up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root
privileges.
Details: Will be made public at CRD. Currently there is ...
CVE ID: CVE-2019-15846
Credits: Zerons <sironhide0null () gmail com>, Qualys
Version(s): all versions up to and including 4.92.1
Issue: The SMTP Delivery process in all¹ versions up to and
including Exim 4.92.1 has a Buffer Overflow. In the default
runtime configuration, this is exploitable with crafted S ...
[ This is a re-post w/o dmarc protection of the sender (me) ]
*** Note: EMBARGO is still in effect! ***
*** Distros must not publish any detail yet ***
In case you are entitled to access the security repo:
*and* use the 4.92.2+fixes branch:
The branch got two new commits, fixing a small tool. This tool is not
designed to process untrusted ...