=====================================================================

                                CERT-Renater

                      Note d'Information No. 2023/VULN366

_____________________________________________________________________

DATE                : 03/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Exim versions prior to 4.96.1 or 4.97.

=====================================================================
https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
_____________________________________________________________________


Summary
-------
Six 0day exploits were filed against Exim.

None of these issues is related to transport security (TLS) being
on or off.

* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not
  use SPA/NTLM, or EXTERNAL authentication, you're not affected.  These
  issues are fixed.

* One issue is related to data received from a proxy-protocol proxy. If
  you do not use a proxy in front of Exim, you're not affected. If your
  proxy is trustworthy, you're not affected. We're working on a fix.

* One is related to libspf2. If you do not use the `spf` lookup type or
  the `spf` ACL condition, you are not affected.

* The last one is related to DNS lookups. If you use a trustworthy
  resolver (which does validation of the data it receives), you're not
  affected. We're working on a fix.

Schedule
--------
The available fixes will be published on Monday, Oct 2nd, 12:00 UTC.
A security release exim-4.96.1 will be published at the same time.

Distribution points:
--------------------
- git://git.exim.org
  branches:
  - spa-auth-fixes (based on the current master) [commit IDs: 7bb5bc2c6 0519dcfb5 e17b8b0f1 04107e98d]
  - exim-4.96+security (based on exim-4.96) [gpg signed]
  - exim-4.96.1+fixes (based on exim-4.96.1 with the fixes from exim-4.96+fixes) [gpg signed]
  tags:
  - exim-4.96.1 [gpg signed]

- tarballs for exim-4.96.1: https://ftp.exim.org/pub/exim/exim4/ [gpg signed]

GPG signatures are made by me (hs@schlittermann.de, or Jeremy Harris
jgh@wizmail.org).


More Details
------------

ZDI-23-1468 | ZDI-CAN-17433 | CVE-2023-42114 | Exim bug 3001
------------------------------------------------------------
Subject:    NTLM Challenge Out-Of-Bounds Read
CVSS Score: 3.7
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      04107e98d, 4.96.1, 4.97

ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999
------------------------------------------------------------
Subject:    AUTH Out-Of-Bounds Write
CVSS Score: 9.8
Mitigation: Do not offer EXTERNAL authentication.
Subsystem:  EXTERNAL auth
Fixed:      7bb5bc2c6, 4.96.1, 4.97

ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000
------------------------------------------------------------
Subject:    SMTP Challenge Stack-based Buffer Overflow
CVSS Score: 8.1
Mitigation: Do not use SPA (NTLM) authentication
Subsystem:  SPA auth
Fixed:      e17b8b0f1, 4.96.1, 4.97

ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031
------------------------------------------------------------
Subject:    Improper Neutralization of Special Elements
CVSS Score: 8.1
Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy
Subsystem:  proxy protocol (not socks!)
Fix:        not yet

ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032
------------------------------------------------------------
Subject:    libspf2 Integer Underflow
CVSS Score: 7.5
Mitigation: Do not use the `spf` condition in your ACL
Subsystem:  spf
Remark:     It is debatable if this should be filed against
            libspf2. There are hints (simon, #Exim IRC) that this
            is related to
            https://github.com/shevek/libspf2/pull/44

ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42219 | Exim Bug 3033
------------------------------------------------------------
Subject:    dnsdb Out-Of-Bounds Read
CVSS Score: 3.1
Mitigation: Use a trustworthy DNS resolver which is able to
            validate the data according to the DNS record types.
Subsystem:  dns lookups
Fix:        not yet
Remark:     It is still under consideration.
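Added example: affected-configuration triage
--------------------------------------------
The following Python script is an added illustration, not part of the Exim
notice or of this CERT-Renater advisory. It applies the per-issue conditions
listed above (installed version, SPA/EXTERNAL authenticators configured,
hosts_proxy set, `spf` condition or lookup used, dnsdb lookups used) to two
plain-text inputs: the output of `exim -bV` and the Exim runtime
configuration text. Both sample inputs below are constructed for a
hypothetical host; the file path /etc/exim/spa_passwd and the authenticator
names are invented. The checks are heuristic string matches on the
documented Exim output and configuration syntax, so the result is a
worklist to verify by hand, not a verdict.

```python
#!/usr/bin/env python3
"""Triage helper: which of the six Exim issues can apply to an installation.

Inputs are plain text so the helper runs offline: the output of `exim -bV`
and the Exim runtime configuration. The matching is heuristic (regular
expressions over the documented formats); review the result by hand.
"""
import re

# The three authentication issues are fixed in exim-4.96.1 (and the 4.97 line).
FIXED_VERSION = (4, 96, 1)

# Constructed sample of `exim -bV` output for a hypothetical host.
SAMPLE_BV = """\
Exim version 4.96 #2 built 10-Oct-2022 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL DANE DKIM DNSSEC SPF
Lookups (built-in): lsearch wildlsearch nwildlsearch dbm dnsdb dsearch passwd
Authenticators: cram_md5 external plaintext spa
"""

# Constructed configuration fragment (hypothetical names and path); it only
# contains the directives the triage looks at.
SAMPLE_CONFIG = """\
hosts_proxy = 192.0.2.10

begin acl
acl_check_rcpt:
  deny  condition = ${if eq{${lookup dnsdb{txt=$sender_address_domain}}}{}}
  warn  spf = fail
        log_message = SPF fail

begin authenticators
spa_login:
  driver = spa
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_passwd}}
ext_login:
  driver = external
  server_set_id = $auth1
"""


def parse_version(bv_output):
    """Return the Exim version from `exim -bV` as an int tuple, '4.96' -> (4, 96, 0)."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def bv_list(bv_output, label):
    """Tokens after a '<label>:' line of `exim -bV` (e.g. compiled-in authenticators)."""
    m = re.search(r"^%s: *(.*)$" % re.escape(label), bv_output, re.M)
    return set(m.group(1).split()) if m else set()


def configured_drivers(config):
    """Driver names appearing as 'driver = <name>' anywhere in the configuration."""
    return set(re.findall(r"^\s*driver\s*=\s*(\w+)", config, re.M))


def triage(bv_output, config):
    """Map each CVE of the notice to True when its preconditions hold on this host."""
    unpatched = parse_version(bv_output) < FIXED_VERSION
    drivers = configured_drivers(config)
    compiled_auth = bv_list(bv_output, "Authenticators")
    support = bv_list(bv_output, "Support for")

    # An authenticator is in use only if both compiled in and configured.
    uses_spa = "spa" in drivers and "spa" in compiled_auth
    uses_ext = "external" in drivers and "external" in compiled_auth
    # Proxy-protocol support is enabled by a non-empty hosts_proxy main option.
    uses_proxy = re.search(r"^\s*hosts_proxy\s*=\s*\S", config, re.M) is not None
    # SPF: built with SPF support and either the ACL condition or the lookup type.
    uses_spf = bool(({"SPF", "Experimental_SPF"} & support) and (
        re.search(r"^\s*(?:\w+\s+)?spf(?:_guess)?\s*=", config, re.M)
        or "lookup spf{" in config))
    uses_dnsdb = "lookup dnsdb{" in config

    return {
        "CVE-2023-42114": unpatched and uses_spa,
        "CVE-2023-42116": unpatched and uses_spa,
        "CVE-2023-42115": unpatched and uses_ext,
        "CVE-2023-42117": uses_proxy,   # no fix at notice time; depends on proxy trust
        "CVE-2023-42118": uses_spf,
        "CVE-2023-42219": uses_dnsdb,   # no fix at notice time; depends on resolver
    }


if __name__ == "__main__":
    for cve, applies in sorted(triage(SAMPLE_BV, SAMPLE_CONFIG).items()):
        print("%s: %s" % (cve, "review" if applies else "not applicable"))
```

On a real host, feed the script the captured `exim -bV` output and the
configuration file instead of the constructed samples. For the two issues
without a fix at the time of the notice, a True result only says the
feature is enabled; whether the proxy or resolver is trustworthy remains a
judgement about the deployment.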



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================