What about CVE-2018-6789

Hi folks,

Any news about the new CVE-2018-6789?

Is there a patch release on the air for UTM?

It seems not to be present in version 9.508.

The alert is also reported on nakedsecurity.

Cheers

Max.

  • Ciao Max,

    Interesting, but I wonder if the stripped-down, hardened version of Exim in use in the UTM has this exposure.  Since it deals with base64d, I would think that the Proxy would have to use that before it could do antivirus or antispam.   Still, I think any exploit would be limited to Exim because the Proxy is chroot'd.

    Let's hope a Sophos person sees this and gets a comment from their specialist.

    Cheers - Bob

  • Hi  

    There is currently a patch in development to address this vulnerability, I will update this thread with the latest news I receive.

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    This is one of the cases where I would wish Sophos had a different approach to patches.
    Suppose there is then a 9.509 patch that fixes this problem.
    Due to the incremental strategy, I am forced to install 9.508 as well, knowing that I will have problems with SMIME, as this problem is probably not solved by then. Therefore, I can choose safety or functionality.
    Is the concept of the XG the same as that of the UTM? If not, that might be an argument for it.
    It's not a wish list, but sometimes separating functional and security updates would have great advantages.
    If so, a 9.506-3 would be desirable.
    But now enough of the criticism.

    Best
    Alex

  • Hi Community,

    Wanted to update this thread. Please see the recently posted KBA regarding this. A prefix patch is now available. Customers who want this patch should contact Sophos Support.

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Many thanks for your support.

    Max.

  • In reply to FloSupport:

    Hello,

    It's quite more than a week now, and the bug is critical: do you have reliable news about the official release?

    Regards, Peter

  • In reply to pebo:

    Hi  

    This patch should be included in the next UTM 9.509 release, which is tentatively scheduled to be released next week. However, if you require this patch immediately, I would advise that you open a support case to request this to be installed for you.

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hey Community,

    The patch has been included in the UTM 9.509 release. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.

    Best,

  • In reply to FloSupport:

    Many thanks for the support.

    I confirm today the fix with new update 9.509-3:

    Bugfixes

    NUTM-9619 [Email] CVE-2018-6789: buffer overflow in base64d function in SMTP listener

    Max.