Critical Exim Security Vulnerability: disable chunking

rancidio (Verified User, joined May 7, 2014, 10 messages)
A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoiding letting an attacker apply the logic.

This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this
worked out.

https://lists.gt.net/exim/announce/108962
 
My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?
 
Indeed; I think DA is not vulnerable by default because this option is already empty in exim.variables.conf :)
 
My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?


The directive

Code:
chunking_advertise_hosts=

can be found in /etc/exim.variables.conf which is included into main config /etc/exim.conf
Code:
.include /etc/exim.variables.conf

so you are safe with it in 4.5.7.

Code:
[root@da ~]# grep chunking_advertise_hosts /etc/exim*
/etc/exim.variables.conf:chunking_advertise_hosts=
/etc/exim.variables.conf.default:chunking_advertise_hosts =


[root@da ~]# grep /etc/exim.variables.conf /etc/exim.conf
.include /etc/exim.variables.conf
.include_if_exists /etc/exim.variables.conf.post
[root@da ~]#
 
1) I've updated exim.conf 2.1.x and the latest 4.2, 4.3, 4.4 versions with the fix to the respective exim.conf or exim.variables.conf, so the simplest is a
Code:
./build update
./build exim_conf
once your files mirror gets the sync. As mentioned, 4.5.x already had it.

2) I've updated files1 with CustomBuild 2.0 rev 1767 which has a security check in
Code:
./build update
./build versions
where the
Code:
./build update_versions
will check to see if it already existed with * or not, and does the appropriate regexes to set it "blank" or add it to correct file (exim.conf or exim.variables.conf).

3) If you use the recent version of the CustomBuild 2.0 DA plugin, the security section in the versions should also mention the fix, and do it for you if you need.

Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.

John
 
3) If you use the recent version of the CustomBuild 2.0 DA plugin, the security section in the versions should also mention the fix, and do it for you if you need.

After reading this thread I immediately checked cb2.0 for updates to see if there were any updates or warnings.
Strangely there is only an "Update all" button with no updates. See attachment.
 

Attachment: update-all-nothing-to-do.GIF (18.4 KB)
You may already have the fix. SpamBlocker 4.5.x already had the blank chunking_advertise_hosts= setting.
Check:
Code:
grep chunking_advertise_hosts /etc/exim.conf
grep chunking_advertise_hosts /etc/exim.variables.conf

Also, the new security checks feature is only shown in the plugin, with the latest version of the plugin.

John
 
Hello there,

First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

Code:
2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
  main option "chunking_advertise_hosts" unknown

Is there a fix for that?
 
Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.
Code:
~#  exim -bV | egrep version
Exim version 4.89

~#   egrep chunking_advertise_hosts /etc/exim*
~#

./build update_versions
*** Unable to set 'chunking_advertise_hosts=' to set because of option eximconf=no.  Manual fix required. ***


Should I just ignore this for the moment ?


I updated exim.conf after warning has gone :D
 
Hello there,

First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

Code:
2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
  main option "chunking_advertise_hosts" unknown

Is there a fix for that?

What version of Exim are you running? I believe this option has been added in 4.88
 
That question answered my question. I'm running 4.83.

Then you probably have exim=no in your options.conf in CustomBuild. I believe that's the default, I don't know why. Seen it several times now that users have very old Exim versions because the default =no.
 
You are right once again. I changed:
Code:
exim = no
to
Code:
exim = yes
and the update appeared in the CustomBuild menu.

It's updating as I type this.
 
Hello there,

First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

Code:
2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
  main option "chunking_advertise_hosts" unknown

Is there a fix for that?

Got the same error when adding that line to /etc/exim.conf

Server still advertising CHUNKING:
Code:
Connecting to ......
220 mail.server.no ESMTP Exim 4.89 Tue, 28 Nov 2017 10:05:17 +0100 [1089 ms]
EHLO PWS3.mxtoolbox.com
250-mail.server.no Hello pws3.mxtoolbox.com
250-CHUNKING

Running Exim 4.89
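The MXToolbox transcript above is the quickest way to confirm whether the workaround actually took effect: if the EHLO reply still lists 250-CHUNKING, Exim is still advertising the extension and the BDAT verb is still reachable. The following is an added example (not code from the thread, DirectAdmin or the Exim project) that parses a captured EHLO reply and reports whether CHUNKING is advertised; the sample reply is constructed from the transcript quoted above, and the live probe uses the standard library's smtplib against a host you administer.

```python
"""
Check whether an SMTP server advertises the ESMTP CHUNKING extension
(which enables the BDAT verb) after applying the chunking_advertise_hosts=
workaround. The sample reply is constructed from the MXToolbox transcript
quoted in the thread; no real server is contacted unless probe_live() is called.
"""
import smtplib

# Constructed sample: an EHLO reply as the client receives it, one keyword
# per line, '250-' on continuation lines and '250 ' on the final line.
SAMPLE_EHLO_RESPONSE = (
    "250-mail.server.no Hello pws3.mxtoolbox.com\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response):
    """Return the set of ESMTP keywords advertised in an EHLO reply.

    Only 250 lines belong to a successful EHLO reply; the first of them is
    the server greeting (hostname), every later one is 'KEYWORD [params]'.
    A leading 220 banner, if the capture includes one, is ignored.
    """
    replies = [line for line in response.splitlines() if line.startswith("250")]
    extensions = set()
    for line in replies[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_chunking(response):
    """True if the reply still advertises CHUNKING (BDAT available)."""
    return "CHUNKING" in parse_ehlo_extensions(response)


def probe_live(host, port=25, timeout=10):
    """Live check against a host you administer.

    smtplib sends EHLO and records the advertised keywords itself, so
    has_extn() gives the same answer as parsing the raw reply.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("chunking")


if __name__ == "__main__":
    verdict = "STILL ADVERTISED" if advertises_chunking(SAMPLE_EHLO_RESPONSE) else "not advertised"
    print("CHUNKING in sample reply:", verdict)
```

After setting chunking_advertise_hosts empty and restarting Exim, run probe_live() against your own mail host (or re-run the MXToolbox test): the expected result is False, meaning 250-CHUNKING no longer appears in the EHLO reply. If it still does, the directive is not in the effective configuration, which is exactly the situation the "main option unknown" paniclog error and the exim=no CustomBuild default produce on Exim builds older than 4.88.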
 
`./build versions` is throwing unnecessary security warning:

Security update is available.: . NOTE: Only exim 4.88 and higher supports chunking_advertise_hosts. You have 4.87: https://forum.directadmin.com/showthread.php?t=55603

Any fix so that this message is only shown when 4.88 and higher is installed...
(it is messing with my monitoring).
 
We'll look into the message, but you'll want to update to 4.89. The security issue requires disabling chunking_advertise_hosts, but that cannot be done with the older exim versions.
We cannot confirm if the issue was introduced with 4.88, or if it always existed (if chunking was on for everyone by default, just without the setting).

I'd highly recommend you update your exim.conf version to 4.89:
Code:
cd /usr/local/directadmin/custombuild
./build set exim yes
./build exim
so that the chunking_advertise_hosts= value can be set in the exim.conf (or /etc/exim.variables.conf if you have it)

Related: https://help.directadmin.com/item.php?id=125

John
 
Hello,

exim 4.89.1 has been released.
We had to tweak things in CustomBuild 2.0 because they opted to have the version show 4.89_1 instead of 4.89.1, which caused a bit of an integer mess with our version checking.
Sorted now, so to get 4.89.1, use:
Code:
./build update
./build set exim yes
./build exim
once that's done, the chunking fix in the exim.conf/exim.variables.conf shouldn't be required.

Note: This does not compile on CentOS 5, or likely other "older" operating systems:
Code:
In file included from tls.c:121:
tls-openssl.c: In function 'tls_openssl_options_parse':
tls-openssl.c:2960: error: 'SSL_OP_NO_TICKET' undeclared (first use in this function)
tls-openssl.c:2960: error: (Each undeclared identifier is reported only once
tls-openssl.c:2960: error: for each function it appears in.)
In file included from tls.c:122:
tlscert-openssl.c: In function 'asn1_time_copy':
tlscert-openssl.c:125: warning: passing argument 2 of 'ASN1_TIME_print' discards qualifiers from pointer target type
make[1]: *** [tls.o] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.89.1/build-Linux-i386'
make: *** [all] Error 2
This may be worked around with some "#ifdef SSL_OP_NO_TICKET" entries, but at the same time, you'd be missing out on that code, so since CentOS 5 is very much end-of-life, they might not be adding this fix at all (we'll see in 4.90)

John
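The thread's checks boil down to three questions: is the running Exim new enough to know the option at all (4.88+), is chunking_advertise_hosts actually set, and is it set to the empty value rather than left at Exim's documented default of `*`, which advertises CHUNKING to every host. The grep checks earlier in the thread answer the second and third questions only if you also follow the `.include` and `.include_if_exists` lines from /etc/exim.conf into /etc/exim.variables.conf, and the `./build versions` warning and the 4.89_1 version string show why the first question needs a tolerant version parser. The following is an added example (not CustomBuild's update_versions code, nor anything from the Exim project) that puts the three together; it reads `exim -bV` output and a small in-memory stand-in for the config files, both constructed here, and the verdict strings and the MIN_VERSION_WITH_OPTION name are this example's own.

```python
"""
Audit the Exim CHUNKING workaround: version gate plus effective-config check.

The config "filesystem" is a dict path -> text so the example runs offline;
point audit() at real file contents on a host you administer.
"""
import re

MIN_VERSION_WITH_OPTION = (4, 88)   # per the thread: the option exists from 4.88 on

INCLUDE_RE = re.compile(r"^\s*\.include(_if_exists)?\s+(\S+)\s*$")
OPTION_RE = re.compile(r"^\s*chunking_advertise_hosts\s*=\s*(.*?)\s*$")


def parse_exim_version(bv_output):
    """Extract a comparable tuple from `exim -bV` output.

    Accepts '4.89', '4.89.1' and the packaging-style '4.89_1', treating '_'
    like '.', so that 4.89_1 compares as (4, 89, 1) and not as a string.
    """
    m = re.search(r"Exim version (\d+(?:[._]\d+)*)", bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found in exim -bV output")
    return tuple(int(part) for part in re.split(r"[._]", m.group(1)))


def supports_chunking_option(version):
    """Only 4.88 and later accept chunking_advertise_hosts in the main section."""
    return tuple(version) >= MIN_VERSION_WITH_OPTION


def effective_config_lines(path, files):
    """Yield (file, line) for the configuration at `path`, expanding
    .include (required) and .include_if_exists (optional) like Exim does."""
    if path not in files:
        raise FileNotFoundError(path)
    for line in files[path].splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            optional, target = m.group(1), m.group(2)
            if target in files:
                yield from effective_config_lines(target, files)
            elif not optional:
                raise FileNotFoundError(target)
            continue
        yield path, line


def chunking_status(config_path, files):
    """('safe', file) when the option is set empty, ('advertised', value)
    when it carries a host list ('*' means everyone), ('missing', None)
    when it is not set anywhere, in which case Exim's default '*' applies."""
    found = None
    for path, line in effective_config_lines(config_path, files):
        m = OPTION_RE.match(line)
        if m:
            found = (path, m.group(1))   # report the last occurrence seen
    if found is None:
        return ("missing", None)
    path, value = found
    return ("safe", path) if value == "" else ("advertised", value)


def audit(bv_output, config_path, files):
    """Combine both checks into one verdict string (wording is this example's own)."""
    version = parse_exim_version(bv_output)
    if not supports_chunking_option(version):
        return "upgrade: Exim %s predates chunking_advertise_hosts; update to 4.88 or newer" % ".".join(map(str, version))
    status, detail = chunking_status(config_path, files)
    if status == "safe":
        return "ok: chunking_advertise_hosts is empty in %s" % detail
    if status == "missing":
        return "fix: add 'chunking_advertise_hosts =' (empty) to the main section"
    return "fix: chunking_advertise_hosts = %r still advertises CHUNKING; set it empty" % detail


# Constructed samples mirroring the grep output quoted in the thread.
SAMPLE_FILES = {
    "/etc/exim.conf": (
        "# constructed sample of the main config\n"
        ".include /etc/exim.variables.conf\n"
        ".include_if_exists /etc/exim.variables.conf.post\n"
    ),
    "/etc/exim.variables.conf": "chunking_advertise_hosts=\n",
}
VULNERABLE_FILES = {"/etc/exim.conf": "chunking_advertise_hosts = *\n"}

if __name__ == "__main__":
    print(audit("Exim version 4.89 #1 built 27-Nov-2017", "/etc/exim.conf", SAMPLE_FILES))
    print(audit("Exim version 4.83 #1", "/etc/exim.conf", SAMPLE_FILES))
    print(audit("Exim version 4.89_1", "/etc/exim.conf", VULNERABLE_FILES))
```

The version gate comes first on purpose: on a 4.83 build the config edit is not just useless, it is the "main option unknown" paniclog error reported earlier in the thread, so the only correct remediation there is the CustomBuild upgrade path (exim=yes, then ./build exim).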
 