CVE ID: CVE-2016-9963
Date: 2016-12-15
Credits: Bjoern Jacke <bjoern@j3e.de>
Version(s): 4.69 -> 4.87
Issue: If several conditions are met, Exim leaks private information
to a remote attacker.

Conditions
==========

If *all* of the following conditions are met:

Build options
-------------

* Exim is built with DKIM enabled (default for newer versions)

    exim -bV | grep 'Support.*DKIM'

Runtime options
---------------

* Exim uses DKIM signing (transport options dkim_private_key,
  dkim_domain, and others)

* The dkim_private_key option names a file containing the key.

    exim -bP transports | grep 'dkim_private_key = .'

* Exim uses PRDR (transport option hosts_try_prdr) (default
  since 4.86)

    exim -bP transports | grep 'hosts_try_prdr = .'

  *OR*

  Exim uses the LMTP protocol variant for the SMTP transport.

    exim -bP transports | grep 'protocol = lmtp'

Operation
---------

* Exim transports a multi-recipient message

* The destination host supports PRDR
  OR
  the message transport uses LMTP

* One or more recipients are rejected after the DATA phase

Impact
======

Exim leaks the private DKIM signing key to the log files. Additionally,
if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material
is included in the bounce message.

Fix
===

Install a fixed Exim version:

    4.88
    4.87.1

If you can't install one of the above versions, ask your package
maintainer for a version containing the backported fix. On request and
depending on our resources we will support you in backporting the fix.
(Please note that the Exim project officially does not support versions
prior to the current stable version.)

If you think that you MIGHT be affected, we HIGHLY recommend creating
a new set of DKIM keys and retiring the previous DKIM key soon, to make
sure that a possibly leaked DKIM key cannot be misused in the future.


Workaround
==========

Disable PRDR in your outgoing transport(s): set hosts_try_prdr to an
empty string.

AND do not use the LMTP protocol variant of the SMTP driver.

Indication
==========

You can check whether you were already affected. The mainlog entries look like this:

2016-12-17 09:44:33 10HmaX-0005vi-00 ** baduser@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: PRDR error after -----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd\n+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+Y\ndhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB\nAoGAZPokJKQQmRK6a0zn5f8lWemy0airG66KhzDF0Pafb/nWKgDCB02gpJgdw5rJ\nbO7/HI3IeqsfRdYTP7tjfmZtPiPo1mnF7D1rSRspZjOF2yXY/ky7t7c5xChRcSxf\n+69CknwjrfteY9Aj0j6o7N+2w2uvHO+AAq8BHDgXKmPo0SECQQDzQ/glyhNH9tlO\nx+3TTMwwyZUf2mYYosN3Q9NIl3Umz/3+13K5b6Ed6fZvS/XwU55Qf5IBUVj2Fujk\nRv2lbGPpAkEA4okpnzYz5nm1X5WjpJPQPyo8nGEU1A5QfoDbkAvWYvVoYrpWPOx5\nHFpOAHkvSk1Y1vhCUa+zHwiQRBC8OMp6LwJBAOAUK/AjQ792UpWO9DM++pe2F/dP\nZdwrkYG6qFSlrvQhgwXLz5GgkfjMGoRKpDDL1XixCfzMwfVtBPnBqsNGJIECQGYX\nSIGu7L7edMXJ60C9OKluwHf9LGTQuqf4LHsDSq+4Rz3PGhREwePsMqD1/EDxEKt4\noHKtyvyeYF28aQbzARMCQQCRtJlR6vlKhxYL8+xoPrCu3MijKgVruRUcNstXkDZK\nfKQax6vhiMq+0qIiEwLA1wavyLVKZ7Mfag+/4NTcDUVC\n-----END RSA PRIVATE KEY-----\n: 550 PRDR R=<baduser@test.ex> refusal

Even if there is no evidence in the existing log files that a DKIM key
leak happened, it might still have happened in the past: log files might
have been deleted already, and a leaked key could have ended up in a
user's mailbox via a mail bounce.
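A small log scanner for the indication above, added here as an example and not part of the advisory or of Exim: it walks mainlog lines, flags any that carry a PEM private-key block (matching any key type, not just the RSA header shown), and reports the message ids whose bounces should be checked as well. The sample log excerpt is constructed; its PRDR line follows the advisory's format, with the key body replaced by a placeholder.

```python
import re
import sys

# Constructed sample mainlog excerpt (not from a real system). Line 2 follows the
# advisory's PRDR example; the key body is a shortened placeholder, not a real key.
SAMPLE_LOG = r"""2016-12-17 09:44:31 10HmaX-0005vi-00 => gooduser@test.ex R=client T=send_to_server H=mail.example [192.0.2.10]
2016-12-17 09:44:33 10HmaX-0005vi-00 ** baduser@test.ex R=client T=send_to_server H=mail.example [192.0.2.10]: PRDR error after -----BEGIN RSA PRIVATE KEY-----\nMIICXQIB...PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n: 550 PRDR R=<baduser@test.ex> refusal
2016-12-17 09:45:02 10HmaY-0005vj-00 ** other@test.ex R=client T=send_to_server H=mail.example [192.0.2.10]: 550 no such user
"""

# Exim mainlog prefix: timestamp, message id, flag (=> ** == ...), address,
# then R=/T=/H= fields; H= is "name [ip]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) (?P<flag>\S+) (?P<rcpt>\S+)"
    r"(?:.*?\bH=(?P<host>\S+ \[[^\]]+\]))?"
)
# PEM header of a private key, whatever the key type (RSA/EC/DSA or PKCS#8).
KEY_RE = re.compile(r"-----BEGIN (?P<type>(?:RSA |EC |DSA )?)PRIVATE KEY-----")


def find_key_leaks(log_text):
    """Return one record per mainlog line that carries a PEM private key block."""
    hits = []
    for line in log_text.splitlines():
        key = KEY_RE.search(line)
        if not key:
            continue
        m = LINE_RE.match(line)
        hits.append({
            "timestamp": m.group("ts") if m else None,
            "message_id": m.group("msgid") if m else None,
            "recipient": m.group("rcpt") if m else None,
            "host": m.group("host") if m else None,
            "key_type": key.group("type").strip() or "PKCS#8",
        })
    return hits


def affected_message_ids(hits):
    """Message ids whose bounce (with EXPERIMENTAL_DSN_INFO=yes) may also carry the key."""
    return sorted({h["message_id"] for h in hits if h["message_id"]})


if __name__ == "__main__":
    # Usage: python3 scan.py /var/log/exim4/mainlog (falls back to the sample excerpt)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in find_key_leaks(text):
        print("{timestamp} {message_id} {recipient} via {host}: {key_type} key in log".format(**h))
```

Run it against every rotated mainlog copy you still have; a hit means the key in dkim_private_key should be treated as compromised and rotated as the Fix section advises.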