CVE ID: CVE-2019-15846
Date: 2019-09-02 (CVE assigned)
Credits: Zerons <sironhide0null@gmail.com> for the initial report
Qualys https://www.qualys.com/ for the analysis
Version(s): all versions up to and including 4.92.1
Issue: A local or remote attacker can execute programs with root
privileges.
Conditions to be vulnerable
===========================
If your Exim server accepts TLS connections, it is vulnerable. This does
not depend on the TLS library, so both GnuTLS and OpenSSL builds are affected.
Details
=======
The vulnerability is exploitable by sending an SNI ending in a
backslash-null sequence during the initial TLS handshake. A proof-of-concept
exploit exists. For more details see the document qualys.mbx.
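The trigger above, a backslash immediately before the terminating NUL, is the signature of an unescape routine that consumes the byte after a backslash without first checking for end of string. The C below is a constructed illustration of that defect class beside its hardened form; it is an added example, not Exim's source, and `unescape_vulnerable`, `unescape_fixed`, `leaky_input` and `bytes_copied` are names invented here.

```c
/* Constructed illustration of the bug class named in the advisory: an
 * unescape loop that consumes the byte after a backslash without checking
 * for the NUL terminator. This is NOT Exim's source code. */
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern: a trailing "\" makes the loop swallow the terminating
 * NUL, so the scan continues into whatever memory follows the string. */
size_t unescape_vulnerable(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0' && n + 1 < outsz) {
        char ch = *in++;
        if (ch == '\\')
            ch = *in++;              /* no check: may step over the NUL */
        out[n++] = ch;
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: a backslash that is the last byte of the input ends the
 * scan instead of being treated as an escape prefix. */
size_t unescape_fixed(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0' && n + 1 < outsz) {
        char ch = *in++;
        if (ch == '\\') {
            if (*in == '\0') break;  /* trailing backslash: stop here */
            ch = *in++;
        }
        out[n++] = ch;
    }
    out[n] = '\0';
    return n;
}

/* Constructed input: a name ending in backslash, NUL-terminated, followed by
 * unrelated bytes in the same array so the over-read stays well defined and
 * observable (in a real process those would be adjacent heap bytes). */
const char leaky_input[] = "host\\\0SECRET";

/* Bytes each routine copies out of leaky_input: the vulnerable one returns
 * 11 because it ran past the NUL and copied "SECRET"; the fixed one 4. */
size_t bytes_copied(size_t (*fn)(const char *, char *, size_t))
{
    char out[64];
    return fn(leaky_input, out, sizeof out);
}
```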
Mitigation
==========
Do not offer TLS. (This mitigation is not recommended.)
Fix
===
Download and build a fixed version:
Tarballs: https://ftp.exim.org/pub/exim/exim4/
Git: https://github.com/Exim/exim.git
- tag exim-4.92.2
- branch exim-4.92.2+fixes
The tagged commit is the officially released version. The +fixes branch
isn't officially maintained, but contains the security fix *and* useful
fixes.
If you can't install the above versions, ask your package maintainer for
a version containing the backported fix. On request and depending on our
resources we will support you in backporting the fix. (Please note that
the Exim project officially doesn't support versions prior to the current
stable version.)