From c56ed04fb25cb24e21eb2c1d02069482b1a8f458 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 29 Dec 2023 16:11:02 +0000 Subject: [PATCH] Docs: CVE note Cherry-picked from: 5a8fc0799314 --- doc/doc-txt/cve-2023-51766 | 69 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 doc/doc-txt/cve-2023-51766 diff --git a/doc/doc-txt/cve-2023-51766 b/doc/doc-txt/cve-2023-51766 new file mode 100644 index 000000000..d066d8714 --- /dev/null +++ b/doc/doc-txt/cve-2023-51766 
@@ -0,0 +1,69 @@ +CVE ID: CVE-2023-51766 +Date: 2016-12-15 +Credits: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ +Version(s): all up to 4.97 inclusive +Issue: Given a buggy relay, Exim can be induced to accept a second message embedded + as part of the body of a first message + +Conditions +========== + +If *all* the following conditions are met + + Runtime options + --------------- + + * Exim offers PIPELINING on incoming connections + + * Exim offers CHUNKING on incoming connections + + Operation + --------- + + * DATA (as opposed to BDAT) is used for a message reception + + * The relay host sends to the Exim MTA message data including + one of "LF . LF" or "CR LF . LF" or "LF . CR LF". + + * Exim interprets the sequence as signalling the end of data for + the SMTP DATA command, and hence a first message. + + * Exim interprets further input which the relay had as message body + data, as SMTP commands and data. This could include a MAIL, RCPT, + BDAT (etc) sequence, resulting in a further message acceptance. + +Impact +====== + +One or more messages can be accepted by Exim that have not been +properly validated by the buggy relay. + +Fix +=== + +Install a fixed Exim version: + + 4.98 (once available) + 4.97.1 + +If you can't install one of the above versions, ask your package +maintainer for a version containing the backported fix. On request and +depending on our resources we will support you in backporting the fix. +(Please note, that Exim project officially doesn't support versions +prior the current stable version.) + + +Workaround +========== + + Disable CHUNKING advertisement for incoming connections. + + An attempt to "smuggle" a DATA command will trip a syncronisation + check. + +*or* + + Disable PIPELINING advertisement for incoming connections. + + The "smuggled" MAIL FROM command will then trip a syncronisation + check. -- 2.30.2
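Review bot: the `+Date: 2016-12-15` line in the new advisory file contradicts both the CVE ID (a 2023 assignment) and this patch's own commit date (Fri, 29 Dec 2023); it reads as a typo for a December 2023 date and should be corrected before this file becomes the canonical record, since the date is the first thing people copy into trackers. Two smaller points in the same file: `syncronisation` appears twice in the Workaround section and should be `synchronisation`, and the Fix paragraph `Please note, that Exim project officially doesn't support versions prior the current stable version.` reads better as `Please note that the Exim project officially doesn't support versions prior to the current stable version.` Finally, the Workaround section says what to disable (CHUNKING or PIPELINING advertisement) but not how; naming the main-configuration options that control those advertisements (`chunking_advertise_hosts` and `pipelining_advertise_hosts`) would let an operator act on it without consulting the spec.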