Exim vulnerability release

[CrazyFrog]

Hey everybody,

I saw that Exim has a new security release which looks important:

Exim 4.94.2 - security update released

Dear Exim-Users

Abstract
--------

Several exploitable vulnerabilities in Exim were reported to us and are
fixed.

We have prepared a security release, tagged as "exim-4.94.2".

This release contains all changes on the exim-4.94+fixes branch plus
security fixes.

You should update your Exim instances as soon as possible. (See below
for short upgrade notes.)

[...]

For further reference a list of related CVEs:

Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary PID file creation
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

I saw that it is not yet in CustomBuild.

/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build versions | grep Exim

Latest version of Exim: 4.94
Installed version of Exim: 4.94

Could the Exim version be bumped in CustomBuild?

Thanks in advance!
CF

 

[smtalk]

It's there already, thank you for the report!

 

[ccto]

I guess it may take a few hour(s) at least for DA support to download/test it.

 

[ccto]

It's there already, thank you for the report!

It seems versions.txt is not updated.

 

[smtalk]

It seems versions.txt is not updated.

Yes, as it seems to have some issues with the taints, still checking before changing versions.txt. It'll likely require exim.conf update

 

[Richard G]

Correct, here also still 4.94, versions.txt not updated.

 

[CrazyFrog]

Yes, as it seems to have some issues with the taints, still checking before changing versions.txt. It'll likely require exim.conf update

Oooh, that’s too bad. Apps requiring changes on a security release Good luck with the testing and will be anxiously checking the result

 

[smtalk]

Oooh, that’s too bad. Apps requiring changes on a security release Good luck with the testing and will be anxiously checking the result

Fixed. Already in versions.txt.

 

[Richard G]

Thank you, just updated. Looking fine at the moment.

 

[tomputer]

I see that other file servers have not been updated with the latest versions.txt. Does it take a while until it's updated on all other file servers?

http://files.directadmin.com/services/custombuild/versions.txt

http://files6.directadmin.com/services/custombuild/versions.txt

 

[Erulezz]

I see that other file servers have not been updated with the latest versions.txt. Does it take a while until it's updated on all other file servers?

http://files.directadmin.com/services/custombuild/versions.txt

http://files6.directadmin.com/services/custombuild/versions.txt

Files6 is not an official mirror, last time i used that one it synced only once or twice a day. Try using an official mirror

 

[CrazyFrog]

Great, I've updated my machines and all is looking well

For those who need the commands:

sudo /usr/local/directadmin/custombuild/build update
sudo /usr/local/directadmin/custombuild/build versions | grep Exim # should show Exim 4.92.2 available
sudo /usr/local/directadmin/custombuild/build exim
sudo /usr/local/directadmin/custombuild/build exim_conf

 

[tomputer]

Files6 is not an official mirror, last time i used that one it synced only one or twice a day. Try using an official mirror

Thank you! I've changed it to an official mirror.

 

[zuijberknaf]

Hello,

I've got an issue with exim after recent update. I'm using an official mirror.
./build update
./build exim
./build exim_conf

Afterward I get the following error:
failed to expand "${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}

I've got this issue on multiple servers.

 

[Erulezz]

Hello,

I've got an issue with exim after recent update. I'm using an official mirror.
./build update
./build exim
./build exim_conf

Afterward I get the following error:
failed to expand "${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}

I've got this issue on multiple servers.

What version of exim.conf are you using?

 

[zuijberknaf]

The issue was related to the eximconf_release switch not being automatically updated to a new version. It was stuck at 4.3 instead of 4.5. Although that exim and exim_conf are both set to yes in the options.conf

 

[cristian]

Hi
For over 2 days i'm getting some type of attack every second 2 - 5 connections from diffrent IP's. No password and username only connection.

Unexpected disconnection while reading SMTP command from

Does anyone else have this problem?

HELP: unexpected disconnection while reading SMTP command from

Hello For over 2 days i'm getting some type of attack every second 2 - 5 connections from diffrent IP's. No password and username only connection. Unexpected disconnection while reading SMTP command from Does anyone else have this problem? I have 2 servers attacked I made a script and...

forum.directadmin.com

I updated to the last version but i have the same problem. I hoped the update would fix the problem
Installed version of Exim: 4.94.2
Installed version of exim.conf: 4.5.35

 

[smtalk]

Hello,

I've got an issue with exim after recent update. I'm using an official mirror.
./build update
./build exim
./build exim_conf

Afterward I get the following error:
failed to expand "${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}

I've got this issue on multiple servers.

I think you may have updated just the versions.txt and not the custombuild script?

 

[Erulezz]

I think you may have updated just the versions.txt and not the custombuild script?

See post #16:

Exim vulnerability release

Hey everybody, I saw that Exim has a new security release which looks important: Exim 4.94.2 - security update released Dear Exim-Users Abstract -------- Several exploitable vulnerabilities in Exim were reported to us and are fixed. We have prepared a security release, tagged as...

forum.directadmin.com

Detailed blog post:

21Nails: Multiple Critical Vulnerabilities in Exim Mail Server | Qualys Security Blog

Update May 7, 2021: Exim has released a security update to address multiple vulnerabilities in Exim versions prior to 4.94.2. See the CISA announcement. Original Post: The Qualys Research Team has…

blog.qualys.com

Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server. Most of the vulnerabilities discovered by the Qualys Research Team for e.g. CVE-2020-28017 affects all versions of Exim going back all the way to 2004 (going back to the beginning of its Git history 17 years ago).

 

[mxroute]

Unexpected disconnection while reading SMTP command from

Searched my logs and found the same IPs. Looks like a standard spam attack from a botnet and nothing more. Worth ignoring, I'd say.