EXIM RCE CVE-2019-15846 URGENT

  • In reply to EdmundSackbauer:

    I am not claiming to be the wiser here, but try to search Google for "Exim version 4.82_1-5b7a7c0-XX", you will find a lot of appliances using this build, I have seen them with -<number> at the end also?

    Maybe I could learn something here :-)

    Regardless, the release notes for UTM, on have EXIM in it in the 9.508 release:

    "Fix [NUTM-9252]: [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963"

    So from this:

    https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/version_id-170893/Exim-Exim-4.82.html

    Then there should be some work in progress, right?

    ----

    Nonetheless, I hope for a quick fix from Sophos, as apparently EXIM 4.82 is not backported for CVE-2019-15846

  • In reply to twister5800:

    All,

    Through our reseller I received the following reply from Sophos support:

    We are not impacted on both (XG and UTM) as we strip such headers before it reach to forwarder. But we will add the patch in upcoming MR to avoid any future issues. Cyberoam don’t use Exim at all so not affected. We are working on a notification for this and should be made available soon.

  • In reply to FrancWest:

    That's great news, thanks ;-)

  • In reply to twister5800:

    Hi,

    We have also just published the following KBA confirming the status of this CVE across our email products: community.sophos.com/.../134597

  • Hello Folks,

    We released this KBA yesterday: "Exim CVE-2019-15846 and Sophos Products".

    This vulnerability is not exploitable on any Sophos products; see the table below for more information.

    | Product | Vulnerable | Further information |
    |---|---|---|
    | Sophos XG Firewall | No | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. * |
    | Sophos UTM | No | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. * |
    | Sophos Email on Central | No | Product doesn't utilize Exim |
    | Sophos Email Appliance | No | Product doesn't utilize Exim |
    | Puremessage for Unix | No | Product doesn't utilize Exim |
    | Puremessage for Exchange | No | Product doesn't utilize Exim |
    | Cyberoam | No | Product doesn't utilize Exim |
    | Reflexion | No | Product doesn't utilize Exim |


    * Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release.

    I hope this clarifies any doubts you have.