Date: Fri, 24 Nov 2017 23:35:23 -0500
From: Phil Pennock <phil.pennock@...dhuis.org>
To: oss-security@...ts.openwall.com
Subject: Re: RCE in Exim reported

On 2017-11-24 at 22:59 -0500, Phil Pennock wrote:
> A complete mitigation is to disable advertising the CHUNKING extension,
> in which case an attempt to use the BDAT verb should result in:
> 
>   503 BDAT command used when CHUNKING not advertised

Note: some distributions only ship older versions of Exim, so emphasis
on "introduced with Exim 4.88".  If you have an older version, you're
safe.

If you telnet to your mail-server on port 25 and issue the EHLO command,
and look at the list of SMTP extensions offered, then the CHUNKING
extension needs to be listed for you to be vulnerable.

Exim administratively blocks use of the BDAT verb in sessions where
the CHUNKING extension was not advertised.

Thus:
  chunking_advertise_hosts =
is a _complete_ workaround.

On older Exim, the BDAT verb (after MAIL and RCPT) should yield:

  500 unrecognized command

On safe Exim, it should yield:

  503 BDAT command used when CHUNKING not advertised

If you get a 2xx response to BDAT, and you're not using pipelined
verbs and confusing the response to the MAIL verb with the response to
the BDAT verb, then you haven't disabled CHUNKING.

Regards,
-Phil
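Added example (not part of Phil's message or of Exim): a small Python script that automates the check described above for a server you administer. It connects to port 25, sends EHLO, parses the extension list, and reports whether CHUNKING is advertised; a second helper maps the three BDAT reply outcomes Phil lists (500, 503, 2xx) to a verdict so a manual telnet result can be interpreted consistently. The hostnames and the sample EHLO replies are constructed for the example.

```python
import re
import socket

# Constructed sample EHLO replies (not captured from any real server).
# Exim 4.88+ with default settings advertises CHUNKING:
EHLO_WITH_CHUNKING = (
    "250-mail.example.invalid Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# The same server after setting "chunking_advertise_hosts =" (empty):
EHLO_MITIGATED = (
    "250-mail.example.invalid Hello client [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(reply: str) -> list:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    The first line carries the server's greeting; each later line is
    "250-KEYWORD [params]" or, for the last one, "250 KEYWORD [params]".
    """
    extensions = []
    for line in reply.splitlines()[1:]:
        match = re.match(r"^250[ -](\S+)", line)
        if match:
            extensions.append(match.group(1).upper())
    return extensions


def chunking_advertised(reply: str) -> bool:
    """True when the EHLO reply lists the CHUNKING extension."""
    return "CHUNKING" in parse_ehlo_extensions(reply)


def classify_bdat_reply(reply: str) -> str:
    """Interpret the reply to a BDAT verb using the three cases Phil gives."""
    code = reply[:3]
    if code == "500":
        # Pre-4.88 Exim: BDAT is not a known verb at all.
        return "older-exim-no-chunking"
    if code == "503":
        # 4.88+ with CHUNKING not advertised: BDAT administratively refused.
        return "chunking-disabled"
    if code.startswith("2"):
        # BDAT accepted: CHUNKING is still enabled.
        return "chunking-enabled"
    return "unknown"


def read_reply(stream) -> str:
    """Read one complete SMTP reply; the last line has a space after the code."""
    lines = []
    while True:
        line = stream.readline()
        if not line:
            break
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(lines)


def check_own_server(host: str, port: int = 25,
                     helo_name: str = "check.example.invalid",
                     timeout: float = 10.0) -> bool:
    """Connect to a mail server you administer and report whether CHUNKING
    is advertised in its EHLO reply (True means the workaround is not yet
    in effect)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rw", encoding="ascii", newline="")
        read_reply(stream)  # 220 banner
        stream.write(f"EHLO {helo_name}\r\n")
        stream.flush()
        ehlo_reply = read_reply(stream)
        stream.write("QUIT\r\n")
        stream.flush()
    return chunking_advertised(ehlo_reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    if check_own_server(target):
        print(f"{target}: CHUNKING advertised; set chunking_advertise_hosts = (empty)")
    else:
        print(f"{target}: CHUNKING not advertised")
```

Run it against your own host (`python3 check_chunking.py mail.example.invalid`); it only sends EHLO and QUIT. If you prefer to follow Phil's telnet procedure by hand, feed the BDAT reply line to `classify_bdat_reply` to avoid misreading a pipelined MAIL response as the BDAT response.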
