Date: 2019-09-02 (CVE assigned)
Credits: Zerons <sironhide0null@gmail.com> for the initial report
         Qualys https://www.qualys.com/ for the analysis
Version(s): all versions up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root
Conditions to be vulnerable
===========================
If your Exim server accepts TLS connections, it is vulnerable. This does
not depend on the TLS library, so both GnuTLS and OpenSSL are affected.
The vulnerability is exploitable by sending an SNI ending in a
backslash-null sequence during the initial TLS handshake. The exploit
For more details see doc/doc-txt/cve-2019-15846/ in the source code
Do not offer TLS. (This mitigation is not recommended.)
For an attacking SNI the following ACL snippet should work:

# to be prepended to your mail acl (acl_smtp_mail)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
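The ACL condition above compares the last character of $tls_in_sni with a single backslash. The following Python is an added example, not code from the Exim project or this advisory: it parses the body of a TLS server_name extension (RFC 6066), models $tls_in_sni as a C string cut at the first NUL (an assumption about how Exim stores the value, labelled as such in the code), and applies the same last-character test so the ACL's behaviour can be checked offline against constructed inputs. The helper names (parse_sni_extension, sni_as_exim_sees_it, should_deny, build_sni_extension_body) are made up for this example.

```python
# Added example (not from the Exim advisory or the Exim code base):
# a defender-side model of the ACL condition
#   ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
# applied to raw server_name extension bytes from a TLS ClientHello.
import struct


def parse_sni_extension(ext_body: bytes) -> list:
    """Parse the body of a server_name extension (RFC 6066 section 3)
    and return the raw host_name entries as bytes.
    Raises ValueError on truncated or inconsistent length fields."""
    if len(ext_body) < 2:
        raise ValueError("truncated server_name list length")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    data = ext_body[2:2 + list_len]
    if len(data) != list_len:
        raise ValueError("server_name list length exceeds extension body")
    names = []
    pos = 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated ServerName entry")
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        pos += name_len
        if name_type == 0:  # NameType host_name(0); other types are skipped
            names.append(name)
    return names


def sni_as_exim_sees_it(raw: bytes) -> str:
    """Assumption for this example: $tls_in_sni behaves like a C string,
    so everything from the first NUL onwards is invisible to the ACL."""
    nul = raw.find(b"\x00")
    if nul != -1:
        raw = raw[:nul]
    return raw.decode("latin-1")


def ends_in_backslash(sni: str) -> bool:
    """Equivalent of ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}:
    substr{-1}{1} yields the last character (empty for an empty string)."""
    return sni[-1:] == "\\"


def should_deny(ext_body: bytes) -> bool:
    """True if any host_name in the extension would match the deny ACL."""
    return any(ends_in_backslash(sni_as_exim_sees_it(n))
               for n in parse_sni_extension(ext_body))


def build_sni_extension_body(host: bytes) -> bytes:
    """Constructed test helper: encode one host_name entry the way a
    ClientHello carries it (list length, name type, name length, name)."""
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return struct.pack("!H", len(entry)) + entry


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and one ending in the
    # backslash-null sequence the advisory describes.
    for host in (b"mail.example.com", b"mail.example.com\\\x00"):
        print(host, "deny" if should_deny(build_sni_extension_body(host)) else "accept")
```

A normal SNI is accepted; an SNI whose last byte before the NUL is a backslash is denied, and an empty SNI (no $tls_in_sni at all) is also accepted because substr returns an empty string that never equals a backslash.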
Download and build a fixed version:

Tarballs: https://ftp.exim.org/pub/exim/exim4/
Git: https://github.com/Exim/exim.git

- branch exim-4.92.2+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note,
the Exim project officially doesn't support versions prior to the current
2019-07-21 - Report from Zerons to security@exim.org
....-..-.. - Analysis by Qualys
2019-09-02 - CVE assigned
2019-09-03 - Details to distros@vs.openwall.org, exim-maintainers@exim.org
           - Grant access to the security repo
2019-09-04 - Heads-Up to oss-security@lists.openwall.com, exim-users@exim.org
2019-09-06 - 10.00 UTC Coordinated Release Date
           - Disclosure to oss-security, exim-users, public repositories