Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Mon, Oct 02, 2023 at 04:40:51PM +0200, Frank Heydlauf via mailop wrote:
> Hi Christof, folx,
> 
> On Sun, Oct 01, 2023 at 07:51:04PM +0200, Christof Meerwald via mailop wrote:
> > On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> > > On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop 
> > > wrote:
> ...
> > > having any inside knowledge) is that it heavily depends on your
> > > configuration and only a tiny percentage of servers will be affected
> > > (this includes CVE-2023-42115).
> > 
> > see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html
> 
> I find the specification of "EXTERNAL auth" to be rather vague. 
> At least for people who don't work on the exim code all the time.
> 
> Is that what is meant?
> 
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_external_authenticator.html

Yes


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
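As a defender-side check for Christof's point that exposure depends on which authenticators a site has configured (and Frank's question about the EXTERNAL authenticator), here is an added example, not code from the thread or from the Exim project: a POSIX shell script that lists each authenticator stanza and its driver from Exim configuration text, as printed by `exim -bP config` or read from exim.conf, and reports whether the spa or external drivers are configured. The sample configuration is constructed.

```shell
# Added example, not from the thread or the Exim project: list the
# authenticator stanzas an Exim configuration defines, with their driver,
# so an admin can see whether the "spa" or "external" drivers discussed in
# the thread are configured at all. Input is configuration text as printed
# by `exim -bP config` (or the raw exim.conf); the sample is constructed.
# Print "name driver" for each stanza between "begin authenticators" and
# the next "begin" section; comment lines are ignored.
list_authenticators() {
    awk '
        /^[[:space:]]*#/ { next }
        /^begin[[:space:]]+authenticators/ { in_auth = 1; next }
        /^begin[[:space:]]/ { in_auth = 0 }
        !in_auth { next }
        /^[A-Za-z0-9_]+:[[:space:]]*$/ { sub(/:.*/, ""); name = $0; next }
        name != "" && /^[[:space:]]*driver[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
            print name, kv[2]; name = ""
        }' "$1"
}

# Exit 0 and print the matching stanzas when driver $2 is in use.
uses_driver() {   # $1 = config file, $2 = driver name, e.g. spa or external
    list_authenticators "$1" |
        awk -v d="$2" '$2 == d { found = 1; print } END { exit !found }'
}

# Write the constructed sample configuration (not a real server) to file $1.
write_sample_conf() {
    cat >"$1" <<'EOF'
begin authenticators
# PLAIN over TLS, a typical setup
plain_server:
  driver = plaintext
  public_name = PLAIN

spa_server:
  driver = spa
begin routers
dnslookup:
  driver = dnslookup
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
list_authenticators "$conf"
uses_driver "$conf" spa >/dev/null && echo "spa authenticator is configured"
uses_driver "$conf" external >/dev/null || echo "external authenticator is not configured"
rm -f "$conf"
```

The script only answers which drivers the configuration enables; whether a configured spa or external stanza is reachable from the network, and which of the reported issues applies to it, is the separate question the thread leaves open.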


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Frank Heydlauf via mailop
Hi Christof, folx,

On Sun, Oct 01, 2023 at 07:51:04PM +0200, Christof Meerwald via mailop wrote:
> On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> > On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop 
> > wrote:
...
> > having any inside knowledge) is that it heavily depends on your
> > configuration and only a tiny percentage of servers will be affected
> > (this includes CVE-2023-42115).
> 
> see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html


I find the specification of "EXTERNAL auth" to be rather vague. 
At least for people who don't work on the exim code all the time.

Is that what is meant?

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_external_authenticator.html


Greets
Frank


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Sat, Sep 30, 2023 at 10:45:41PM +0200, Christof Meerwald wrote:
> On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
> > On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> > > I haven't even heard exim *mentioned* in like 20 years; these stats can't 
> > > be
> > > right, can they?
> > > 
> > > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> > 
> > https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> > 
> > gives a more plausible stat.
> 
> The question is how many of those exim servers are actually vulnerable.
> 
> My understanding (after looking a bit into these issues, but not
> having any inside knowledge) is that it heavily depends on your
> configuration and only a tiny percentage of servers will be affected
> (this includes CVE-2023-42115).

see https://www.mail-archive.com/exim-users@lists.exim.org/msg00526.html


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Christof Meerwald via mailop
On Sat, Sep 30, 2023 at 08:36:02AM +0100, Andrew C Aitchison via mailop wrote:
> On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> > I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> > right, can they?
> > 
> > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> 
> gives a more plausible stat.

The question is how many of those exim servers are actually vulnerable.

My understanding (after looking a bit into these issues, but not
having any inside knowledge) is that it heavily depends on your
configuration and only a tiny percentage of servers will be affected
(this includes CVE-2023-42115).


Christof

-- 

https://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Heiko Schlittermann via mailop
John Levine via mailop (Sat 30 Sep 2023 21:14:31 CEST):
> There seems to be significant disagreement about how serious these
> bugs are and whether they're really in Exim. The fact that the zeroday
> people didn't notice that libspf2 is a separate package makes it
> easy to believe that they're not all Exim bugs.

Indeed, there is one issue that looks like it should be filed against
libspf2. A PR is there, but I'm unsure if and how distros will integrate
this. Exim uses libspf2 as a shared lib, and relies on the version
installed locally.

https://github.com/shevek/libspf2/pull/44

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread John Levine via mailop
It appears that Simon Arlott via mailop said:
>On 30/09/2023 08:50, Andrew C Aitchison via mailop wrote:
>> I see that there is an Exim release candidate out on test at the moment
>>https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
>> but know nothing about whether it fixes any of these vulnerabilities.
>
>It doesn't fix the vulnerabilities. 

This says "Fixes are available in a protected repository and are ready to be
applied by the distribution maintainers."

https://seclists.org/oss-sec/2023/q3/254

There seems to be significant disagreement about how serious these
bugs are and whether they're really in Exim. The fact that the zeroday
people didn't notice that libspf2 is a separate package makes it
easy to believe that they're not all Exim bugs.

R's,
John


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Eduardo Diaz Comellas via mailop
We use exim extensively. It is a software piece we learned to tune and 
love :)


It has a relatively good security history and allows a lot of 
customization.


Best regards

On 30/9/23 6:58, Jay R. Ashworth via mailop wrote:
> I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> right, can they?
> 
> https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> Hat tip: Lauren @ Privacy
> 
> Cheers,
> -- jra


--

Eduardo Diaz Comellas ed...@ultreia.es
Ultreia Comunicaciones, S.L.  --- Tlf: 986243324

LEGAL NOTICE (LOPD): For the data protection policy, see
https://ultreia.es/aviso-legal/
ENVIRONMENT: Before printing this e-mail, consider whether it is necessary. The
environment is everyone's responsibility.


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Bill Cole via mailop
On 2023-09-30 at 03:36:02 UTC-0400 (Sat, 30 Sep 2023 08:36:02 +0100 (BST))
Andrew C Aitchison via mailop is rumored to have said:

> On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> 
> > I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> > right, can they?
> > 
> > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> 
> gives a more plausible stat.


The discrepancy is almost certainly an artifact of Exim being used so 
widely in cPanel.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-10-02 Thread Carsten Schiefner via mailop

On 30.09.2023 10:35, Carsten Schiefner via mailop wrote:
> [...]
> 
> But would you happen to have any more details wrt. the withholding and
> the 50%?

[Link to https://seclists.org/oss-sec/2023/q3/254]

Thanks, Simon & Andrew!


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Slavko via mailop
Hi,

On Sat, 30 Sep 2023 10:19:01 +0100 Simon Arlott via mailop wrote:

> "< jgh> one's in the resolver library.  I find it questionable that
> it's being raised against Exim, as if we have to protect ourselves
> against a library.  But AFAIK it's still open.
> 
> < jgh> whatever the system resolver library accessed via res_search()
> is"

Just to clarify, those are quotations from one of Exim's devs on IRC...

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Andrew C Aitchison via mailop

On Sat, 30 Sep 2023, Carsten Schiefner via mailop wrote:

> Hi Simon,
> 
> On 30.09.2023 10:18, Simon Arlott via mailop wrote:
> > On 30/09/2023 08:50, Andrew C Aitchison via mailop wrote:
> > > I see that there is an Exim release candidate out on test at the moment
> > > https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
> > > but know nothing about whether it fixes any of these vulnerabilities.
> > 
> > It doesn't fix the vulnerabilities. The fixes are being withheld until
> > the release of 4.97 and only cover the 50% of the reported
> > vulnerabilities (those that affect the SPA authenticator).
> 
> thanks - that clarifies it with a bit of a time perspective.
> 
> But would you happen to have any more details wrt. the withholding and the
> 50%?


https://seclists.org/oss-sec/2023/q3/254
"The remaining issues are debatable or miss information we need to fix them."

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Simon Arlott via mailop
On 30/09/2023 09:35, Carsten Schiefner via mailop wrote:
> But would you happen to have any more details wrt. the withholding and 
> the 50%?

https://seclists.org/oss-sec/2023/q3/254


"< jgh> one's in the resolver library.  I find it questionable that it's
being raised against Exim, as if we have to protect ourselves against a
library.  But AFAIK it's still open.

< jgh> whatever the system resolver library accessed via res_search() is"

I assume this is https://www.zerodayinitiative.com/advisories/ZDI-23-1473/


"< jgh> one's in SPA.  Status unknown; I couldn't trace the alleged
notification to us
< jgh> (could be just the library, again)"

I assume this is https://www.zerodayinitiative.com/advisories/ZDI-23-1471/


There are no comments related to this one, but it incorrectly describes
Exim as the vendor for libspf2:

https://www.zerodayinitiative.com/advisories/ZDI-23-1472/

-- 
Simon Arlott



Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Carsten Schiefner via mailop

Hi Simon,

On 30.09.2023 10:18, Simon Arlott via mailop wrote:
> On 30/09/2023 08:50, Andrew C Aitchison via mailop wrote:
> > I see that there is an Exim release candidate out on test at the moment
> > https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
> > but know nothing about whether it fixes any of these vulnerabilities.
> 
> It doesn't fix the vulnerabilities. The fixes are being withheld until
> the release of 4.97 and only cover the 50% of the reported
> vulnerabilities (those that affect the SPA authenticator).

thanks - that clarifies it with a bit of a time perspective.

But would you happen to have any more details wrt. the withholding and
the 50%?


Thanks & best,

-C.


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Andrew C Aitchison via mailop

On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:

> I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> right, can they?
> 
> https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/

https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1

gives a more plausible stat.

[ A quick grep suggests 12 other mailop threads this year have mentioned exim. ]

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Simon Arlott via mailop
On 30/09/2023 08:50, Andrew C Aitchison via mailop wrote:
> I see that there is an Exim release candidate out on test at the moment
>https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
> but know nothing about whether it fixes any of these vulnerabilities.

It doesn't fix the vulnerabilities. The fixes are being withheld until
the release of 4.97 and only cover the 50% of the reported
vulnerabilities (those that affect the SPA authenticator).

-- 
Simon Arlott



Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Andrew C Aitchison via mailop

On Sat, 30 Sep 2023, Andrew C Aitchison wrote:

> On Sat, 30 Sep 2023, Jay R. Ashworth via mailop wrote:
> 
> > I haven't even heard exim *mentioned* in like 20 years; these stats can't
> > be right, can they?
> > 
> > https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/?comments=1
> 
> gives a more plausible stat.

I see that there is an Exim release candidate out on test at the moment
  https://lists.exim.org/lurker/message/20230926.174111.cb403675.en.html
but know nothing about whether it fixes any of these vulnerabilities.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] Zero-day RCE for exim - whacky stats?

2023-09-30 Thread Mary via mailop

they are correct

consider the millions of systems using cPanel, which uses Exim by default. 
cPanel is the primary virtual hosting software across the world.

what worries me more, is that there is no patch...



On Sat, 30 Sep 2023 04:58:56 + (UTC) "Jay R. Ashworth via mailop" wrote:

> I haven't even heard exim *mentioned* in like 20 years; these stats can't be
> right, can they?
> 
> https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
> 
> Hat tip: Lauren @ Privacy
> 
> Cheers,
> -- jra
> 
> -- 
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


[mailop] Zero-day RCE for exim - whacky stats?

2023-09-29 Thread Jay R. Ashworth via mailop
I haven't even heard exim *mentioned* in like 20 years; these stats can't be
right, can they?

https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/

Hat tip: Lauren @ Privacy

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274