Page 1 of 2 12 LastLast
Results 1 to 20 of 31

Thread: Critical Exim Security Vulnerability: disable chunking

  1. #1

    A remote code execution vulnerability has been reported in Exim, with
    immediate public disclosure (we were given no private notice).
    A tentative patch exists but has not yet been confirmed.

    With immediate effect, please apply this workaround: if you are running
    Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
    section of your Exim configuration, set:

    chunking_advertise_hosts =

    That's an empty value, nothing on the right of the equals. This
    disables advertising the ESMTP CHUNKING extension, making the BDAT verb
    unavailable and avoids letting an attacker apply the logic.

    This should be a complete workaround. Impact of applying the workaround
    is that mail senders have to stick to the traditional DATA verb instead
    of using BDAT.

    We've requested CVEs. More news will be forthcoming as we get this
    worked out.

    https://lists.gt.net/exim/announce/108962

  2. #2
    As far as I see, this patch is already in exim.conf 4.5.

  3. #3
    My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?

  4. #4
    Indeed; I think DA is not vulnerable by default because this option is already empty in exim.variables.conf

  5. #5
    Quote Originally Posted by ditto:
    My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?

    The directive

    Code:
    chunking_advertise_hosts=
    can be found in /etc/exim.variables.conf which is included into main config /etc/exim.conf
    Code:
    .include /etc/exim.variables.conf
    so you are safe with 4.5.7.

    Code:
    [root@da ~]# grep chunking_advertise_hosts /etc/exim*
    /etc/exim.variables.conf:chunking_advertise_hosts=
    /etc/exim.variables.conf.default:chunking_advertise_hosts =
    
    
    [root@da ~]# grep /etc/exim.variables.conf /etc/exim.conf
    .include /etc/exim.variables.conf
    .include_if_exists /etc/exim.variables.conf.post
    [root@da ~]#
    Regards, Alex G.


  6. #6
    1) I've updated exim.conf 2.1.x and the latest 4.2, 4.3, 4.4 versions with the fix to the respective exim.conf or exim.variables.conf, so the simplest is a
    Code:
    ./build update
    ./build exim_conf
    once your files mirror gets the sync. As mentioned, 4.5.x already had it.

    2) I've updated files1 with CustomBuild 2.0 rev 1767, which has a security check in
    Code:
    ./build update
    ./build versions
    where the
    Code:
    ./build update_versions
    will check to see if it already existed with * or not, and does the appropriate regexes to set it "blank" or add it to correct file (exim.conf or exim.variables.conf).

    3) If you use the recent version of the CustomBuild 2.0 DA plugin, the security section in the versions should also mention the fix, and do it for you if you need.

    Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.

    John

  7. #7
    Quote Originally Posted by DirectAdmin Support:
    3) If you use the recent version of the CustomBuild 2.0 DA plugin, and the security section in the versions should also mention the fix, and do it for you if you need.
    After reading this thread I immediately checked cb2.0 for updates to see if there were any updates or warnings.
    Strangely there is only an "Update all" button with no updates. See attachment.

  8. #8
    You may already have the fix. SpamBlocker 4.5.x already had the blank chunking_advertise_hosts= setting.
    Check:
    Code:
    grep chunking_advertise_hosts /etc/exim.conf
    grep chunking_advertise_hosts /etc/exim.variables.conf
    Also, the new security checks feature is only shown in the plugin, with the latest version of the plugin.

    John

  9. #9
    Hello there,

    First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

    I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

    Code:
    2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
      main option "chunking_advertise_hosts" unknown
    Is there a fix for that?

  10. #10
    Quote Originally Posted by DirectAdmin Support:
    Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.
    Code:
    ~#  exim -bV | egrep version
    Exim version 4.89
    
    ~#   egrep chunking_advertise_hosts /etc/exim*
    ~#
    
    ./build update_versions
    *** Unable to set 'chunking_advertise_hosts=' to set because of option eximconf=no.  Manual fix required. ***

    Should I just ignore this for the moment ?


    I updated exim.conf, after which the warning has gone.

  11. #11
    Quote Originally Posted by Brobbonz:
    Hello there,

    First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

    I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

    Code:
    2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
      main option "chunking_advertise_hosts" unknown
    Is there a fix for that?
    What version of Exim are you running? I believe this option has been added in 4.88

  12. #12
    That question answered my question. I'm running 4.83.

  13. #13
    Quote Originally Posted by Brobbonz:
    That question answered my question. I'm running 4.83.
    Then you probably have exim=no in your options.conf in CustomBuild. I believe that's the default, I don't know why. I've seen it several times now that users have very old Exim versions because of the default =no.

  14. #14
    You are right once again. I changed:
    Code:
    exim = no
    to
    Code:
    exim = yes
    and the update appeared in the CustomBuild menu.

    It's updating as i type this.

  15. #15
    Thanks. It updated just fine. Case closed and many thanks!

  16. #16
    Quote Originally Posted by Brobbonz:
    Hello there,

    First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and I've always found the solution to my problems.

    I've added the required code to /etc/exim.conf and I've restarted Exim. After adding the code and restarting Exim I got this error several times in /var/log/exim/paniclog:

    Code:
    2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
      main option "chunking_advertise_hosts" unknown
    Is there a fix for that?
    Got the same error when adding that line to /etc/exim.conf

    Server still advertising CHUNKING:
    Code:
    Connecting to ...... 220 mail.server.no ESMTP Exim 4.89 Tue, 28 Nov 2017 10:05:17 +0100 [1089 ms]
    EHLO PWS3.mxtoolbox.com
    250-mail.server.no Hello pws3.mxtoolbox.com
    250-CHUNKING
    Running Exim 4.89

  17. #17
    Code:
    ./build update
    ./build exim_conf
    fixed it.

    https://mxtoolbox.com/diagnostic.aspx does not report CHUNKING anymore.
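
    The check posts #16 and #17 ran through mxtoolbox can be done from any shell against your own server. The script below is an added example, not code from this thread or from DirectAdmin: it parses an EHLO reply for the CHUNKING keyword and, optionally, opens a live session with nc. The sample replies are constructed, modelled on the 4.89 banner quoted in post #16; the PROBE_HOST/PROBE_PORT variables, the nc timeout flag and the hostname used in EHLO are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: test whether an SMTP server still
# advertises the ESMTP CHUNKING extension (and so accepts the BDAT verb).

# ehlo_advertises_chunking: read an EHLO reply on stdin; return 0 if any
# 250 line offers CHUNKING, 1 otherwise. Keywords are case-insensitive and
# every line but the last of a multi-line reply uses "250-" (RFC 5321).
ehlo_advertises_chunking() {
    tr -d '\r' | grep -iq '^250[- ]CHUNKING[[:space:]]*$'
}

# sample_ehlo_reply vulnerable|fixed: constructed replies modelled on the
# banner quoted in post #16, so the parser can be exercised offline.
sample_ehlo_reply() {
    printf '220 mail.example ESMTP Exim 4.89 Tue, 28 Nov 2017 10:05:17 +0100\r\n'
    printf '250-mail.example Hello probe.example [192.0.2.10]\r\n'
    printf '250-SIZE 52428800\r\n'
    [ "$1" = vulnerable ] && printf '250-CHUNKING\r\n'
    printf '250 HELP\r\n'
}

# probe_chunking HOST [PORT]: open a session with nc, wait for the banner
# before talking (Exim rejects "early talkers" when smtp_enforce_sync is on),
# send EHLO then QUIT, and classify the reply. Returns 0 if CHUNKING is
# advertised, 1 if it is not, 2 if nothing came back. Assumes an nc that
# accepts -w <seconds> (OpenBSD and GNU netcat both do).
probe_chunking() {
    host=$1; port=${2:-25}
    reply=$( { sleep 2; printf 'EHLO chunking-check.example\r\n'; sleep 2; printf 'QUIT\r\n'; } \
             | nc -w 10 "$host" "$port" ) || return 2
    [ -n "$reply" ] || return 2
    if printf '%s\n' "$reply" | ehlo_advertises_chunking; then
        echo "$host:$port advertises CHUNKING (BDAT accepted): workaround not in effect"
        return 0
    fi
    echo "$host:$port does not advertise CHUNKING"
    return 1
}

# Usage: PROBE_HOST=mail.example.net PROBE_PORT=25 sh chunking-probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    probe_chunking "$PROBE_HOST" "${PROBE_PORT:-25}"
fi
```

    Run it against port 25 and, if you offer them, 465/587 as well: the workaround is a main-section option, so it applies to every listener, but a leftover chunking_advertise_hosts line in a second file or a non-restarted Exim shows up here as "250-CHUNKING" still being offered.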

  18. #18
    `./build versions` is throwing unnecessary security warning:

    Code:
    Security update is available.: . NOTE: Only exim 4.88 and higher supports chunking_advertise_hosts. You have 4.87: https://forum.directadmin.com/showthread.php?t=55603

    Any fix so that this message is only shown when 4.88 or higher is installed?
    (It is messing with my monitoring.)

  19. #19
    We'll look into the message, but you'll want to update to 4.89. The security issue requires disabling chunking_advertise_hosts, but that cannot be done with the older exim versions.
    We cannot confirm if the issue was introduced with 4.88, or if it always existed (if chunking was on for everyone by default, just without the setting).

    I'd highly recommend you update your exim.conf version to 4.89:
    Code:
    cd /usr/local/directadmin/custombuild
    ./build set exim yes
    ./build exim
    so that the chunking_advertise_hosts= value can be set in the exim.conf (or /etc/exim.variables.conf if you have it)

    Related: https://help.directadmin.com/item.php?id=125

    John
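
    Posts #6, #8, #9, #11, #18 and #19 together describe one procedure: confirm the running Exim is 4.88 or newer (older versions reject the option and refuse to start, which is the paniclog error in post #9), find which file should carry chunking_advertise_hosts (exim.variables.conf on the 4.5.x exim.conf, exim.conf otherwise), blank or add the directive, and validate before restarting. The script below is an added example of doing those checks by hand; it is not CustomBuild's ./build update_versions and not DirectAdmin's code. The default paths are the ones from the thread; the function names, the APPLY_CHUNKING_FIX variable and the temp-file handling are my own.

```shell
#!/bin/sh
# Added example, not DirectAdmin's or CustomBuild's code: apply the
# chunking_advertise_hosts= workaround only where the running Exim knows the
# option (4.88+), and only in the one file that should carry it.

# exim_supports_chunking_option "Exim version 4.89 #1 ...": 0 if the version
# on the first line of `exim -bV` is 4.88 or newer, 1 if older, 2 if the
# line cannot be parsed. Pre-4.88 Exim logs
# 'main option "chunking_advertise_hosts" unknown' and will not start.
exim_supports_chunking_option() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 88 ]; }
}

# chunking_target_file CONF VARS: DirectAdmin's exim.conf 4.5.x keeps the
# directive in /etc/exim.variables.conf and .includes it from exim.conf.
# If that file exists, set the option there and nowhere else: a main option
# set in both files makes Exim reject the config ("set for the second time").
chunking_target_file() {
    if [ -f "$2" ]; then echo "$2"; else echo "$1"; fi
}

# ensure_chunking_disabled FILE: guarantee FILE carries the directive with an
# empty value. Prints one word: unchanged, blanked (a value such as "*" was
# removed) or added (directive was missing; inserted at the top of the file,
# which is still the main section because it precedes every "begin" marker).
# The file is rewritten in place via cat so owner and mode are preserved.
ensure_chunking_disabled() {
    f=$1; tmp="$f.tmp.$$"
    pat='^[[:space:]]*chunking_advertise_hosts[[:space:]]*='
    if grep -q "$pat" "$f"; then
        if grep -q "${pat}[[:space:]]*\$" "$f"; then
            echo unchanged; return 0
        fi
        sed "s/${pat}.*/chunking_advertise_hosts =/" "$f" > "$tmp"
        echo blanked
    else
        { printf 'chunking_advertise_hosts =\n'; cat "$f"; } > "$tmp"
        echo added
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# apply_chunking_workaround [CONF] [VARS]: the whole procedure. `exim -bV`
# also parses the configuration, so it doubles as a syntax check before the
# restart; on Exim older than 4.88 nothing is edited and the advice from
# post #19 (upgrade via CustomBuild) is printed instead.
apply_chunking_workaround() {
    conf=${1:-/etc/exim.conf}; vars=${2:-/etc/exim.variables.conf}
    bv=$(exim -bV 2>/dev/null | head -n 1)
    if ! exim_supports_chunking_option "$bv"; then
        echo "Exim older than 4.88 ($bv): option unknown, upgrade instead (./build set exim yes && ./build exim)" >&2
        return 2
    fi
    f=$(chunking_target_file "$conf" "$vars")
    echo "$f: $(ensure_chunking_disabled "$f")"
    exim -bV >/dev/null && echo "config parses; now restart exim"
}

# Usage (as root): APPLY_CHUNKING_FIX=1 sh exim-chunking-fix.sh
if [ "${APPLY_CHUNKING_FIX:-0}" = 1 ]; then
    apply_chunking_workaround "$@"
fi
```

    After the restart, the EHLO reply must no longer contain 250-CHUNKING; if it still does, check that the directive did not land in a file Exim is not reading (for example a hand-edited exim.conf while exim.variables.conf is the one CustomBuild manages), and remember that ./build exim_conf will overwrite hand edits to exim.conf.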

  20. #20
    Hello,

    exim 4.89.1 has been released.
    We had to tweak things in CustomBuild 2.0 because they opted to have the version show 4.89_1 instead of 4.89.1, which caused a bit of an integer mess with our version checking.
    Sorted now, so to get 4.89.1, use:
    Code:
    ./build update
    ./build set exim yes
    ./build exim
    once that's done, the chunking fix in the exim.conf/exim.variables.conf shouldn't be required.

    Note: This does not compile on CentOS 5, or likely other "older" operating systems:
    Code:
    In file included from tls.c:121:
    tls-openssl.c: In function 'tls_openssl_options_parse':
    tls-openssl.c:2960: error: 'SSL_OP_NO_TICKET' undeclared (first use in this function)
    tls-openssl.c:2960: error: (Each undeclared identifier is reported only once
    tls-openssl.c:2960: error: for each function it appears in.)
    In file included from tls.c:122:
    tlscert-openssl.c: In function 'asn1_time_copy':
    tlscert-openssl.c:125: warning: passing argument 2 of 'ASN1_TIME_print' discards qualifiers from pointer target type
    make[1]: *** [tls.o] Error 1
    make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.89.1/build-Linux-i386'
    make: *** [all] Error 2
    It may be possible to work around that with some "#ifdef SSL_OP_NO_TICKET" entries, but at the same time you'd be missing out on that code, so since CentOS 5 is very much end-of-life, they might not be adding this fix at all (we'll see in 4.90).

    John
