Re: [mailop] Exim patches / vulnerabilities

2021-05-05 Thread Ángel via mailop
On 2021-05-04 at 18:05 +0200, Raymond Dijkxhoorn wrote:
> Have fun patching!
> 
> Bye, Raymond

Thanks Raymond

See also
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

This has been a coordinated disclosure, hopefully those running Exim in
production will have upstream packages ready to install and little
trouble in the process.

An interesting point is that all of us will probably start receiving
Exim exploits in a few days/weeks, when attackers begin to figure out
the exploits.

I have yet to study the full Qualys technical writeup, but it would be
interesting if it turns out to be possible to detect when a client
attempts to exploit them.

Best

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


[mailop] Exim patches / vulnerabilities

2021-05-04 Thread Raymond Dijkxhoorn via mailop

Hi!

Just a heads up :

https://www.qualys.com/2021/05/04/21nails/21nails.txt

Qualys Security Advisory

21Nails: Multiple vulnerabilities in Exim

Contents

Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary file creation and clobbering
- CVE-2021-27216: Arbitrary file deletion
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Acknowledgments
Timeline

Summary

We recently audited central parts of the Exim mail server
(https://en.wikipedia.org/wiki/Exim) and discovered 21 vulnerabilities
(from CVE-2020-28007 to CVE-2020-28026, plus CVE-2021-27216): 11 local
vulnerabilities, and 10 remote vulnerabilities. Unless otherwise noted,
all versions of Exim are affected since at least the beginning of its
Git history, in 2004.

Have fun patching!

Bye, Raymond