From 5a8fc079931410b30889e69f890857b05ca8d4b2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 24 Dec 2023 19:47:22 +0000 Subject: [PATCH] Docs: Security release. Bug 3063 --- doc/doc-txt/ChangeLog | 62 +++------------------------------- doc/doc-txt/cve-2023-51766 | 69 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+), 58 deletions(-) create mode 100644 doc/doc-txt/cve-2023-51766 diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 97468abe7..c88454c1e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -2,67 +2,13 @@ This document describes *changes* to previous versions, that might affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.98 ------------------ - -JH/01 Support list of dkim results in the dkim_status ACL condition, making - it more usable in the data ACL. - -JH/02 Bug 3040: Handle error on close of the spool data file during reception. - Previously This was only logged, on the assumption that errors would be - seen for a previous fflush(). However, a fuse filesystem has been - reported as showing this an error for the fclose(). The spool is now in - an uncertain state, and we have logged and responded acceptance. Change - this to respond with a temp-reject, wipe spoolfiles, and log the error - detail. - -JH/03 Bug 3030: Fix handling of DNS servfail respons for DANE TLSA. When hit - during a recipient verify callout, a QUIT command was attempted on the - now-closed callout channel, causing a paniclog entry. - -JH/04 Bug 3039: Fix handling of of an empty log_reject_target, with - a connection_reject log_selector, under tls_on_connect. Previously - with this combination, when the connect ACL rejected, a spurious - paniclog entry was made. - -JH/05 Fix TLS resumption for TLS-on-connect. This was broken by the advent - of loadbalancer-detection for resumption, in 4.96 - which tries to - use the EHLO response. SMTPS does not have one at the time it is starting - TLS. Change the default for the smtp transport host_name_extract option - to be a static string, for TLS-on-connect cases; meaning that resumption - will always be attempted (unless deliberately overriden). - -JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks, with a - chunk-separator specification. This was broken by hardening introduced - for Bug 3031. - -JH/07 Bug 3050: Fix -bp for old message_id format spoolfiles. 
Previously it - included the -H with the id; this also messed up exiqgrep. - -JH/08 Bug 3056: Tighten up parsing of DKIM DNS records. Previously, whitespace - was not properly skipped and empty elements would cause mis-parsing. - Tighten parsing of DKIM header records. Previously, all but lowercase - alpha chars would be ignored in potential tag names. - -JH/09 Bug 3057: Add heuristic for spotting mistyped IPv6 addresses in lists - being searched. Previously we only had one for IPv4 addresses. Per the - documentation, the error results by default in a no-match result for the - list. It is logged if the unknown_in_list log_selector is used. - -JH/10 Bug 3058: Ensure that a failing expansion in a router "set" option defers - the routing operation. Previously it would silently stop routing the - message. +Since Exim version 4.97 +----------------------- -JH/11 Bug 3046: Fix queue-runs. Previously, the arrivel of a notification or - info-request event close in time to a scheduled run timer could result in - the latter being missed, and no further queue scheduled runs being - initiated. This ouwld be more likely on high-load systems. - -JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in +JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode (as detected from the first header line). Previously we did accept that in (normal) CRLF mode; this has been raised as a possible - attack scenario (under the name "smtp smuggling"). - + attack scenario (under the name "smtp smuggling", CVE-2023-51766). Exim version 4.97 diff --git a/doc/doc-txt/cve-2023-51766 b/doc/doc-txt/cve-2023-51766 new file mode 100644 index 000000000..d066d8714 --- /dev/null +++ b/doc/doc-txt/cve-2023-51766 
@@ -0,0 +1,69 @@ +CVE ID: CVE-2023-51766 +Date: 2016-12-15 +Credits: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ +Version(s): all up to 4.97 inclusive +Issue: Given a buggy relay, Exim can be induced to accept a second message embedded + as part of the body of a first message + +Conditions +========== + +If *all* the following conditions are met + + Runtime options + --------------- + + * Exim offers PIPELINING on incoming connections + + * Exim offers CHUNKING on incoming connections + + Operation + --------- + + * DATA (as opposed to BDAT) is used for a message reception + + * The relay host sends to the Exim MTA message data including + one of "LF . LF" or "CR LF . LF" or "LF . CR LF". + + * Exim interprets the sequence as signalling the end of data for + the SMTP DATA command, and hence a first message. + + * Exim interprets further input which the relay had as message body + data, as SMTP commands and data. This could include a MAIL, RCPT, + BDAT (etc) sequence, resulting in a further message acceptance. + +Impact +====== + +One or more messages can be accepted by Exim that have not been +properly validated by the buggy relay. + +Fix +=== + +Install a fixed Exim version: + + 4.98 (once available) + 4.97.1 + +If you can't install one of the above versions, ask your package +maintainer for a version containing the backported fix. On request and +depending on our resources we will support you in backporting the fix. +(Please note, that Exim project officially doesn't support versions +prior the current stable version.) + + +Workaround +========== + + Disable CHUNKING advertisement for incoming connections. + + An attempt to "smuggle" a DATA command will trip a syncronisation + check. + +*or* + + Disable PIPELINING advertisement for incoming connections. + + The "smuggled" MAIL FROM command will then trip a syncronisation + check. -- 2.30.2
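Review bot: the ChangeLog hunk replaces the whole "Exim version 4.98" section (entries JH/01 through JH/12) with a single "Since Exim version 4.97" section containing only JH/s1, so eleven entries vanish from this branch's ChangeLog; if this commit is for the security branch cut from 4.97, confirm those entries still exist in the 4.98 ChangeLog on the main branch so nothing is lost. In the JH/s1 entry itself, consider adding a pointer to the new doc/doc-txt/cve-2023-51766 file, since the entry gives the CVE id but not where the triggering conditions and workarounds are documented.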
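Review bot: the "Date:" header in the new cve-2023-51766 file reads 2016-12-15, which is inconsistent with the 2023 CVE id and with the commit date of 24 Dec 2023; check and correct it before the advisory ships. Also fix the spelling in the Workaround section ("syncronisation" appears twice and should be "synchronisation"), and in the Fix section change "prior the current stable version" to "prior to the current stable version" and drop the stray comma in "Please note, that".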