Exim RCE vulnerability [CVE-2023-42115]

The information about the vulnerability is scarce right now. Once there is an official fix or more info about the vulnerability in general we will check it against the DA configuration and release a hot-fix if needed.
 
I'm aware of this security issue. Is there any config to disable SMTP connections from outside?

Blocking the port isn't an option.
 
One of the vulnerability sites mentions the issue is related to the AUTH command (i.e. users logging in to send) and a few days ago Exim 4.97 rc1 was released and looking at the source there is mention of updates to the AUTH code:


So, hopefully 4.97 will fix it.
 
Besides waiting for an update, is there any other action we can take to protect our servers?
 
Besides waiting for an update, is there any other action we can take to protect our servers?

Only if your customers don't mind not sending/receiving email or you feel like replacing exim in the DA stack real quick. Typically these things don't see so much interest prior to any usable information being available.
 
Over half of Internet SMTP servers were running Exim (from a 2019 report).

I hope zerodayinitiative.com (i.e. Trend Micro) and Exim.org will coordinate for a smooth transition
(like with the previous 21Nails ones).
 
We have an update from exim developers - https://www.openwall.com/lists/oss-security/2023/10/01/4

* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use
SPA/NTLM, or EXTERNAL authentication, you're not affected.
These issues are fixed.

* One issue is related to data received from a proxy-protocol proxy. If
you do not use a proxy in front of Exim, you're not affected. If your
proxy is trustworthy, you're not affected. We're working on a fix.

* One is related to libspf2. If you do not use the `spf` lookup type
or the `spf` ACL condition, you are not affected.

* The last one is related to DNS lookups. If you use a trustworthy
resolver (which does validation of the data it receives), you're
not affected. We're working on a fix.

Default DA configuration:
It seems a standard DA installation should not be affected by these issues. But we will release an update once the fixes are available publicly.

Right now we have prepared the DA 1.654 release (in the alpha and beta release channels) to be compatible with the upcoming exim 4.97 (but 4.96 will be used by default). The latest version can be tested out by setting the custom exim version to 4.97-RC1; any feedback would be appreciated.

Just to clarify - exim 4.97-RC1 does not have the fixes for these issues. Once the fixes are released publicly (should be tomorrow) we will make new versions of exim 4.96 and 4.97 with the fixes.
 
Thanks for the updated security information.

Normally I (we) use Google DNS (8.8.4.4) or Cloudflare DNS (1.1.1.1). It should be fine for me?
 
Thanks for the updated security information.

Normally I (we) use Google DNS (8.8.4.4) or Cloudflare DNS (1.1.1.1). It should be fine for me?
Well, keep in mind, Google's and Cloudflare's DNS do not respond properly to zen.spamhaus.org. I don't know what other RBLs they may not be responding to correctly.
 
Well, keep in mind, Google's and Cloudflare's DNS do not respond properly to zen.spamhaus.org. I don't know what other RBLs they may not be responding to correctly.

That's a feature of Spamhaus though, and not an issue with their DNS resolvers.

Fairly certain you know that already, just adding clarity for others' sake.
 
It's fine for Spamhaus, because I use SpamAssassin with the setting "dns_server 127.0.0.1" for a local resolver. I haven't found any setting inside Exim to set dns_server, so I just moved it into SpamAssassin.
 
  • does not link against libspf2

An update regarding libspf2. The default DA installation does link against this library, thanks for spotting my mistake @ccto. Security fixes should be available soon enough.

It is not yet clear if the SPF bug fix is supposed to be in exim or in the library. We will see.
 
A new exim version 4.96.1 is added to our mirrors and a new version of DA is released for all release channels with default exim version set to 4.96.1.

To upgrade immediately the following commands can be used: da update and da build exim. CB should report the line Exim 4.96.1 Installed. at the end of the exim build.
 
I am a little confused.

So does the 4.96.1 version solve the problem with libspf2, or do we have to wait for a new libspf2 version?

According to this

Mitigation: Do not use the `spf` condition in your ACL

the word spf is not present in exim.conf.
Does that mean we do not use spf in the ACLs?

Can someone please clarify?
 
There is an update available for libspf2 in most repos. So if you update Exim and libspf2 (and restart Exim) you should be safe.
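The three things this thread keeps coming back to (is the installed Exim at 4.96.1 yet, was it built against libspf2, and does exim.conf actually use the `spf` ACL condition named in the mitigation) can be checked from a shell. The script below is an added example, not code from this thread, from DirectAdmin or from the Exim project; it assumes the config lives at /etc/exim.conf (DirectAdmin's default location) and that `exim -bV` prints its usual first line and "Support for:" line. The sample `-bV` output and the two config fragments are constructed for the example, so the parsing functions can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the DirectAdmin thread or the Exim project).
# Checks: Exim version >= 4.96.1, whether the binary was built with SPF
# (libspf2) support, and whether exim.conf uses the spf/spf_guess ACL condition.
# Assumption: config at /etc/exim.conf (DirectAdmin default); override as $1.

# "Exim version 4.96.1 #2 built ..." -> "4.96.1" (first line of `exim -bV`)
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# 0 if the "Support for:" line lists SPF (older builds show Experimental_SPF),
# i.e. the binary is linked against libspf2 and needs that library updated too.
bv_has_spf_support() {
    printf '%s\n' "$1" | grep '^Support for:' \
        | grep -Eq '(^|[[:space:]])(Experimental_)?SPF([[:space:]]|$)'
}

# 0 if the config uses the spf or spf_guess ACL condition (comment lines ignored).
config_uses_spf_condition() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq '(^|[[:space:]])spf(_guess)?[[:space:]]*='
}

# 0 if dotted version $1 >= $2, compared field by field ("4.96" < "4.96.1").
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# Live check against this host; returns non-zero if the version is old or the
# spf ACL condition is in use. Usage: . ./exim_checks.sh && check_live
check_live() {
    conf="${1:-/etc/exim.conf}"
    command -v exim >/dev/null 2>&1 || { echo "exim not in PATH"; return 2; }
    bv=$(exim -bV 2>/dev/null)
    ver=$(exim_version_from_bv "$bv")
    status=0
    if version_ge "$ver" 4.96.1; then echo "ok: exim $ver"; else echo "OLD: exim $ver"; status=1; fi
    if bv_has_spf_support "$bv"; then
        echo "note: built with SPF support (libspf2); update libspf2 and restart exim"
    else
        echo "ok: no SPF support compiled in"
    fi
    if [ -r "$conf" ] && config_uses_spf_condition "$conf"; then
        echo "WARN: $conf uses the spf ACL condition"; status=1
    else
        echo "ok: no spf ACL condition in $conf"
    fi
    return $status
}

# Constructed sample of `exim -bV` output (not captured from a real server).
SAMPLE_BV='Exim version 4.96.1 #2 built 02-Oct-2023 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC SPF
Configuration file is /etc/exim.conf'

# Constructed config fragments: one without the condition (only a commented-out
# mention, which must not count) and one that really uses it.
SAMPLE_CONF_PLAIN=$(mktemp); cat >"$SAMPLE_CONF_PLAIN" <<'EOF'
# spf = fail   (commented out, so not in effect)
acl_check_message:
  accept
EOF
SAMPLE_CONF_SPF=$(mktemp); cat >"$SAMPLE_CONF_SPF" <<'EOF'
acl_check_rcpt:
  deny message = SPF check failed
       spf = fail
  accept
EOF
```

On a DirectAdmin box, source the file and run check_live after da build exim; a "note" line about SPF support is the case from this thread where updating Exim alone is not enough and libspf2 has to come from the distribution repo as well.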
 