Commit:     c3aefacc (HSHR)

CVE ID:     CVE-2019-15846
Date:       2019-09-02 (CVE assigned)
Credits:    Zerons <sironhide0null@gmail.com> for the initial report
            Qualys https://www.qualys.com/ for the analysis
Version(s): all versions up to and including 4.92.1
Issue:      A local or remote attacker can execute programs with root
            privileges.

Conditions to be vulnerable
===========================

If your Exim server accepts TLS connections, it is vulnerable. This does
not depend on the TLS library, so both GnuTLS and OpenSSL are affected.

Details
=======

The vulnerability is exploitable by sending a SNI ending in a
backslash-null sequence during the initial TLS handshake. The exploit
exists as a POC. For more details see the document qualys.mbx.

Mitigation
==========

Do not offer TLS. (This mitigation is not recommended.)

Fix
===

Download and build a fixed version:

Tarballs: https://ftp.exim.org/pub/exim/exim4/
Git:      https://github.com/Exim/exim.git
          - tag exim-4.92.2
          - branch exim-4.92.2+fixes

The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.

If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note,
the Exim project officially doesn't support versions prior to the current
stable version.)
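A triage helper for the two conditions the advisory names (version up to and including 4.92.1, and TLS being offered), added here as an example and not part of the advisory or the Exim project. It assumes that `exim -bV` starts with a line of the form "Exim version 4.92.1 #2 built ..." and that `exim -bP tls_advertise_hosts` prints "tls_advertise_hosts = <value>"; the sample banners below are constructed.

```python
"""Triage an Exim host against CVE-2019-15846 from its own -bV / -bP output."""
import re

# First release carrying the fix (advisory: tag exim-4.92.2).
FIXED_VERSION = (4, 92, 2)

# Assumed banner format of `exim -bV`: "Exim version 4.92.1 #2 built 02-Sep-2019 ..."
_BANNER_RE = re.compile(r"^Exim version (\d+(?:\.\d+)*)", re.MULTILINE)
# Assumed `exim -bP tls_advertise_hosts` output: "tls_advertise_hosts = *"
_TLS_RE = re.compile(r"^tls_advertise_hosts\s*=\s*(.*)$", re.MULTILINE)


def parse_version(banner: str) -> tuple:
    """Return the numeric Exim version as a 3-tuple; "4.92" becomes (4, 92, 0)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Exim version banner found")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_in_range(version: tuple) -> bool:
    """True for every release up to and including 4.92.1."""
    return version < FIXED_VERSION


def tls_offered(bp_output: str) -> bool:
    """TLS is offered when tls_advertise_hosts is non-empty."""
    m = _TLS_RE.search(bp_output)
    return bool(m and m.group(1).strip())


def assess(banner: str, bp_output: str) -> dict:
    """Combine both advisory conditions into one verdict for this host."""
    v = parse_version(banner)
    in_range = version_in_range(v)
    tls = tls_offered(bp_output)
    return {
        "version": ".".join(map(str, v)),
        "version_in_range": in_range,
        "tls_offered": tls,
        "affected": in_range and tls,
    }


if __name__ == "__main__":
    # Constructed sample output from an unpatched, TLS-enabled host.
    print(assess("Exim version 4.92.1 #2 built 02-Sep-2019 10:00:00",
                 "tls_advertise_hosts = *"))
```

A distribution package with the backported fix will still report an old version, so a "version_in_range" hit on such a host needs confirmation from the package changelog rather than the banner alone.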