projects / exim.git / blame
| Commit | Line | Data |
|---|---|---|
| c3aefacc HSHR |
1 | CVE ID: CVE-2019-15846 |
| 2 | Date: 2019-09-02 (CVE assigned) | |
| 3 | Credits: Zerons <sironhide0null@gmail.com> for the initial report | |
| 4 | Qualys https://www.qualys.com/ for the analysis | |
| 5 | Version(s): all versions up to and including 4.92.1 | |
| 6 | Issue: A local or remote attacker can execute programs with root | |
| 7 | privileges. | |
| 8 | ||
| 9 | Conditions to be vulnerable | |
| 10 | =========================== | |
| 11 | ||
| 12 | If your Exim server accepts TLS connections, it is vulnerable. This does | |
| 13 | not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected. | |
| 14 | ||
| 15 | Details | |
| 16 | ======= | |
| 17 | ||
| 18 | The vulnerability is exploitable by sending a SNI ending in a | |
| 19 | backslash-null sequence during the initial TLS handshake. The exploit | |
| 20 | exists as a POC. For more details see the document qualys.mbx | |
| 21 | ||
| 22 | Mitigation | |
| 23 | ========== | |
| 24 | ||
| 25 | Do not offer TLS. (This mitigation is not recommended.) | |
| 26 | ||
| 27 | Fix | |
| 28 | === | |
| 29 | ||
| 30 | Download and build a fixed version: | |
| 31 | ||
| 32 | Tarballs: https://ftp.exim.org/pub/exim/exim4/ | |
| 33 | Git: https://github.com/Exim/exim.git | |
| 34 | - tag exim-4.92.2 | |
| 35 | - branch exim-4.92.2+fixes | |
| 36 | ||
| 37 | The tagged commit is the officially released version. The +fixes branch | |
| 38 | isn't officially maintained, but contains the security fix *and* useful | |
| 39 | fixes. | |
| 40 | ||
| 41 | If you can't install the above versions, ask your package maintainer for | |
| 42 | a version containing the backported fix. On request and depending on our | |
| 43 | resources we will support you in backporting the fix. (Please note, | |
| 44 | the Exim project officially doesn't support versions prior the current | |
| 45 | stable version.) |