Critical Exim Security Vulnerability: disable chunking

rancidio

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this
worked out.

https://lists.gt.net/exim/announce/108962
 

ditto

My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?
 

Erulezz

Indeed; I think DA is not vulnerable by default because this option is already empty in exim.variables.conf :)
 

zEitEr

> My exim.conf version 4.5.7 does not contain chunking_advertise_hosts - it is strange if your exim.conf 4.5.7 does?

The directive

Code:
chunking_advertise_hosts=
can be found in /etc/exim.variables.conf which is included into main config /etc/exim.conf
Code:
.include /etc/exim.variables.conf
so you are safe with it on 4.5.7.

Code:
[root@da ~]# grep chunking_advertise_hosts /etc/exim*
/etc/exim.variables.conf:chunking_advertise_hosts=
/etc/exim.variables.conf.default:chunking_advertise_hosts =


[root@da ~]# grep /etc/exim.variables.conf /etc/exim.conf
.include /etc/exim.variables.conf
.include_if_exists /etc/exim.variables.conf.post
[root@da ~]#
 

DirectAdmin Support

1) I've updated exim.conf 2.1.x and the latest 4.2, 4.3, 4.4 versions with the fix to the respective exim.conf or exim.variables.conf, so the simplest is a
Code:
./build update
./build exim_conf
once your files mirror gets the sync. As mentioned, 4.5.x already had it.

2) I've updated files1 with CustomBuild 2.0 rev 1767 which has a security check in
Code:
./build update
./build versions
where the
Code:
./build update_versions
will check to see if it already existed with * or not, and does the appropriate regexes to set it "blank" or add it to correct file (exim.conf or exim.variables.conf).

3) If you use the recent version of the CustomBuild 2.0 DA plugin, and the security section in the versions should also mention the fix, and do it for you if you need.

Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.

John
 

Wanabo

> 3) If you use the recent version of the CustomBuild 2.0 DA plugin, and the security section in the versions should also mention the fix, and do it for you if you need.
After reading this thread I immediately checked cb2.0 for updates to see if there were any updates or warnings.
Strangely there is only an "Update all" button with no updates. See attachment.
 

DirectAdmin Support

You may already have the fix. SpamBlocker 4.5.x already had the blank chunking_advertise_hosts= setting.
Check:
Code:
grep chunking_advertise_hosts /etc/exim.conf
grep chunking_advertise_hosts /etc/exim.variables.conf
Also, the new security checks feature is only shown in the plugin, with the latest version of the plugin.

John
 

Brobbonz

Hello there,

First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and i've always found the solution to my problems.

I've added the required code to /etc/exim.conf and i've restarted Exim. After adding the code and restarting Exim i got this error several times in /var/log/exim/paniclog:

Code:
2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
  main option "chunking_advertise_hosts" unknown
Is there a fix for that?
 

piotrv

> Once they release exim 4.90, then I'll change around the security check to just update to exim 4.90, rather than the regex checks.
Code:
~#  exim -bV | egrep version
Exim version 4.89

~#   egrep chunking_advertise_hosts /etc/exim*
~#

./build update_versions
*** Unable to set 'chunking_advertise_hosts=' to set because of option eximconf=no.  Manual fix required. ***

Should I just ignore this for the moment ?


I updated exim.conf after warning has gone :D
 

Erulezz

> Hello there,
>
> First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and i've always found the solution to my problems.
>
> I've added the required code to /etc/exim.conf and i've restarted Exim. After adding the code and restarting Exim i got this error several times in /var/log/exim/paniclog:
>
> Code:
> 2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
>   main option "chunking_advertise_hosts" unknown
> Is there a fix for that?
What version of Exim are you running? I believe this option was added in 4.88.
 

Erulezz

> That question answered my question. I'm running 4.83.
Then you probably have exim=no in your options.conf in CustomBuild. I believe that's the default; I don't know why. I've seen it several times now that users have very old Exim versions because of the default =no.
 

Brobbonz

You are right once again. I changed:
Code:
exim = no
to
Code:
exim = yes
and the update appeared in the CustomBuild menu.

It's updating as i type this.
 

bdj

> Hello there,
>
> First of all: Big thanks to all the contributors to this forum. I've been lurking for some years now and i've always found the solution to my problems.
>
> I've added the required code to /etc/exim.conf and i've restarted Exim. After adding the code and restarting Exim i got this error several times in /var/log/exim/paniclog:
>
> Code:
> 2017-11-27 11:46:07 Exim configuration error in line 97 of /etc/exim.conf:
>   main option "chunking_advertise_hosts" unknown
> Is there a fix for that?
Got the same error when adding that line to /etc/exim.conf

Server still advertising CHUNKING:
Code:
Connecting to ...... 220 mail.server.no ESMTP Exim 4.89 Tue, 28 Nov 2017 10:05:17 +0100 [1089 ms]
EHLO PWS3.mxtoolbox.com
250-mail.server.no Hello pws3.mxtoolbox.com
250-CHUNKING
Running Exim 4.89.
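The checks discussed in this thread, as an added example that is not code from the thread, from DirectAdmin or from the Exim project: the grep of /etc/exim.conf and /etc/exim.variables.conf that John suggests (following the .include line zEitEr showed), the "option unknown" error on Exim older than 4.88, and the EHLO test whose MXToolbox output appears above. Everything runs offline on constructed sample files and a constructed EHLO response; the host names, the sample config contents and the nc(1) invocation in the optional live check are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, DirectAdmin or Exim): verify the
# CHUNKING workaround in the config and on the wire. Assumes POSIX sh, grep,
# sed and awk; nc(1) is assumed only for the optional live check at the end.

OPT_RE='^[[:space:]]*chunking_advertise_hosts[[:space:]]*='

# Print every chunking_advertise_hosts line from a config file, following one
# level of .include / .include_if_exists (the DirectAdmin layout, where
# /etc/exim.conf pulls in /etc/exim.variables.conf). Prints nothing if absent.
find_chunking_setting() {
    conf="$1"
    [ -r "$conf" ] || return 0
    grep -E "$OPT_RE" "$conf" || true
    grep -E '^\.include(_if_exists)?[[:space:]]+' "$conf" | awk '{print $2}' |
    while read -r inc; do
        if [ -r "$inc" ]; then grep -E "$OPT_RE" "$inc" || true; fi
    done
    return 0
}

# True (exit 0) when the option is present and empty, i.e. CHUNKING is not
# advertised to anyone. If the option is absent, Exim 4.88+ uses its default
# of "*" and advertises CHUNKING to every host, so that counts as not fixed.
chunking_disabled_in_config() {
    setting=$(find_chunking_setting "$1" | tail -n 1)
    [ -n "$setting" ] || return 1
    value=$(printf '%s\n' "$setting" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ -z "$value" ]
}

# True when an EHLO response read from stdin advertises CHUNKING (BDAT).
ehlo_advertises_chunking() {
    grep -qiE '^250[- ]CHUNKING[[:space:]]*$'
}

# True when an "exim -bV" banner is 4.88 or newer; older releases reject the
# option with 'main option "chunking_advertise_hosts" unknown' in paniclog.
exim_supports_chunking_option() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -ge 88 ]; }
}

# Constructed sample configs (not real files from any server) in a directory.
make_sample_configs() {
    dir="$1"
    printf 'primary_hostname = mail.example.net\n.include %s/exim.variables.conf\n.include_if_exists %s/exim.variables.conf.post\n' "$dir" "$dir" > "$dir/exim.conf"
    printf 'chunking_advertise_hosts=\n' > "$dir/exim.variables.conf"
    # Pre-fix state: option set to its default, advertising to everyone.
    printf 'chunking_advertise_hosts = *\n' > "$dir/exim-default.conf"
    # Config that never mentions the option: Exim 4.88+ then advertises anyway.
    printf 'primary_hostname = mail.example.net\n' > "$dir/exim-missing.conf"
}

# Optional live check against a running MTA (not exercised here). Assumes
# nc(1) accepts -w for a timeout; on the Exim host itself,
# "exim -bP chunking_advertise_hosts" prints the effective value directly.
live_advertises_chunking() {
    printf 'EHLO check.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_advertises_chunking
}

# Offline demonstration on the constructed files and a constructed banner.
tmp=$(mktemp -d)
make_sample_configs "$tmp"
for f in exim.conf exim-default.conf exim-missing.conf; do
    if chunking_disabled_in_config "$tmp/$f"; then
        echo "$f: CHUNKING disabled"
    else
        echo "$f: CHUNKING still advertised, fix needed"
    fi
done
rm -rf "$tmp"

banner='250-mail.server.no Hello pws3.mxtoolbox.com
250-SIZE 52428800
250-CHUNKING
250 HELP'
if printf '%s\n' "$banner" | ehlo_advertises_chunking; then
    echo "sample banner: server still advertises CHUNKING"
fi
```

Run it as-is for the offline demo; for a real server, call `live_advertises_chunking mail.example.net` after the functions are sourced, and check `exim -bV` with `exim_supports_chunking_option` before adding the option to a config, since on 4.87 and older the line itself makes Exim refuse the configuration.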
 

bakkerl

`./build versions` is throwing an unnecessary security warning:

Security update is available.: . NOTE: Only exim 4.88 and higher supports chunking_advertise_hosts. You have 4.87: https://forum.directadmin.com/showthread.php?t=55603

Any fix so that this message is only shown when 4.88 or higher is installed...
(it is messing with my monitoring).
 

DirectAdmin Support

We'll look into the message, but you'll want to update to 4.89. The security issue requires disabling chunking_advertise_hosts, but that cannot be done with the older exim versions.
We cannot confirm if the issue was introduced with 4.88, or if it always existed (if chunking was on for everyone by default, just without the setting).

I'd highly recommend you update your exim.conf version to 4.89:
Code:
cd /usr/local/directadmin/custombuild
./build set exim yes
./build exim
so that the chunking_advertise_hosts= value can be set in the exim.conf (or /etc/exim.variables.conf if you have it)

Related: https://help.directadmin.com/item.php?id=125

John
 

DirectAdmin Support

Hello,

exim 4.89.1 has been released.
We had to tweak things in CustomBuild 2.0 because they opted to have the version show 4.89_1 instead of 4.89.1, which caused a bit of an integer mess with our version checking.
Sorted now, so to get 4.89.1, use:
Code:
./build update
./build set exim yes
./build exim
once that's done, the chunking fix in the exim.conf/exim.variables.conf shouldn't be required.

Note: This does not compile on CentOS 5.. or likely other "older" operating systems:
Code:
In file included from tls.c:121:
tls-openssl.c: In function 'tls_openssl_options_parse':
tls-openssl.c:2960: error: 'SSL_OP_NO_TICKET' undeclared (first use in this function)
tls-openssl.c:2960: error: (Each undeclared identifier is reported only once
tls-openssl.c:2960: error: for each function it appears in.)
In file included from tls.c:122:
tlscert-openssl.c: In function 'asn1_time_copy':
tlscert-openssl.c:125: warning: passing argument 2 of 'ASN1_TIME_print' discards qualifiers from pointer target type
make[1]: *** [tls.o] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.89.1/build-Linux-i386'
make: *** [all] Error 2
It may be possible to work around that with some "#ifdef SSL_OP_NO_TICKET" entries, but at the same time you'd be missing out on that code, so since CentOS 5 is very much end-of-life, they might not be adding this fix at all (we'll see in 4.90).

John
 