Hi, this seems to be urgent to me as this is remote exploitable. Any update from Sophos for UTM regarding this? Thanks Joerg
https://seclists.org/oss-sec/2019/q3/192
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15846
also check out https://www.openwall.com/lists/oss-security/2019/09/04/1
and the interview with Heiko (in german) -> https://marius.bloggt-in-braunschweig.de/2019/09/04/nicht-schon-wieder-ein-root-exploit-im-exim/
problem relies mainly with exim-tls, to be precise in a provided modified SNI string.
Question would be if utm is vulnerable as the fraudulent sni could be modified/harmonized/normalized before it reaches naked exim. We have to wait for Sophos here to provide fresh intel.
JoergRiether said:also check out https://www.openwall.com/lists/oss-security/2019/09/04/1
and the interview with Heiko (in german) -> https://marius.bloggt-in-braunschweig.de/2019/09/04/nicht-schon-wieder-ein-root-exploit-im-exim/
problem relies mainly with exim-tls, to be precise in a provided modified SNI.
Question would be if utm is vulnerable as the fraudulent sni could be modified/harmonized/normalized before it reaches naked exim. We have to wait for Sophos here.
I hope they are taking this seriously because I'm already reading about thousands of sites (mostly wordpress) being ransomware encrypted with LILU and the intrusion vector is this vulnerability with exim.
Tenable has a plugin online https://www.tenable.com/cve/CVE-2019-15846 but i guess this plugin only checks for the banner version string, so imho still valid statement from Sophos urgently needed. Also nothing from rapid7 so far https://www.rapid7.com/db/?q=exim&type=
Hi Jaydeep,
This is incredible dissatisfying.
Ubuntu and Debian already providing patches for Exim.
Most of us are paying a fortunate to Sophos so we are not facing such issues.
Go and have a look at the official exim site https://www.exim.org/static/doc/security/CVE-2019-15846.txt
You could have investigated this issue for more than a month!
Someone would believe Sophos reacts fast an realiable without us having to ask!
Gregor Streng
In June you wrote about this:
https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/
making 4.92 the safest version, today it should be 4.92.2
I am running 9.605 UTM:
How can it be that Exim version is:
Exim version 4.82_1-5b7a7c0-XX #2 built 15-Aug-2018 11:10:24
:-O
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v20 Architect
I'd like to be informed about this as well. That's why i'm dropping a comment in here...
Maybe it wasn't a good idea to move XG from Self-Built to EXIM...
Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
twister5800 said:In June you wrote about this:https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/
The CVE the article you linked to talks about only applies to exim 4.87 and newer, not to 4.82.
I know, they wrote:
"The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time."
So when that article was written we should already have thr UTM patched to 4.92, but UTm TODAY is still 4.82, meaning more vulnerabilities :-)
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v20 Architect
I know, they wrote:
"The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time."
So when that article was written we should already have thr UTM patched to 4.92, but UTm TODAY is still 4.82, meaning more vulnerabilities :-)
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v20 Architect
First of all, I agree with most being said, but we have to be a little bit careful with the definition of what we are talking about here. Of course, a naked unpatched EXIM is highly vulnerable. With UTM, it may be the case that you do not speak directly with the EXIM, but with a specific reverse middleware, created by Sophos or if you want to call it like that a "normalizer" or proxy, which you would talk to first and this normalizer would then speak to EXIM. In this respect, it may be possible that this normalizer prevents exactly this exploit because it may strip trailing backslashes. But this just needs to be confirmed 100% by Sophos. Further more, I heard or read about of another method using a crafted certificate to trigger the vulnerability.
twister5800 said:So when that article was written we should already have thr UTM patched to 4.92, but UTm TODAY is still 4.82, meaning more vulnerabilities :-)
I am not claiming to be the wiser here, but try to search Google for "Exim version 4.82_1-5b7a7c0-XX", you will find a lot of appliances using this build, I have seen them with -<number> at the end also?
maybe i could learn something here :-)
Regardsless, the release notes for UTM, on have EXIM in it in the 9.508 release:
"Fix [NUTM-9252]: [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963"
So from this:
Then there should be som work in progress right?
----
None the less, i hope for a quick fix from Sophos, as apparently EXIM 4.82 is not backported for
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v20 Architect
