Exim vulnerability CVE-2023-42115 score 9.5 "critical"

Question

Can someone please confirm if and what Sophos Firewall versions are affected, and if so, what could be a mitigation? 
 Most sources that I found recommended disabling of the MTA, and use "other solutions" like postfix.

Raphael Alganes · Accepted Answer

Hello Team, 
 
 Recently some vulnerabilities for exim have been reported. Vulnerabilities reported are: 
 CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42219. 
 Please find more information about Sophos products being vulnerable: 
 CVE-2023-42114: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 
 CVE-2023-42115: SFOS + UTM are not vulnerable because the EXTERNAL authentication method required to exploit is not used 
 CVE-2023-42116: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 
 CVE-2023-42117: SFOS + UTM are not vulnerable because the proxy-protocol support required to exploit is not used 
 UTM and SFOS are both affected by the libspf2 vulnerability (CVE-2023-42118). Customers using Email Security and have turned on Sender Policy Framework (SPF) are vulnerable to this. 
 CVE-2023-42219: Under investigation. There's not enough info from exim yet to determine if we're vulnerable, but it's a CVSS 3.1 so lower severity compared to the others. 
 Workaround: 
 Disable SPF using the following steps 
 SFOS: 
 &ensp;&ensp;&ensp;&ensp;&ensp;&ensp;Turn off SPF in all (MTA mode) SMTP policies under "Email >> Policies & exceptions >> [edit policy] >> Spam protection >> Reject based on SPF". 
 
 An SFOS hotfix will be released to patch this vulnerability by 5 th October.

bobbylam · Answer

The SFOS hotfix which patches CVE-2023-42218 has been released.

Raphael Alganes · Answer

Hello, 
 Please refer to this KBA for updates and how to check if Hotfix has been applied to your SF: https://support.sophos.com/support/s/article/KB-000045705?language=en_US 
 Regards,

somename · Answer

I think grep "sfsysupdate_NC-125369.tar.gz.sig passed integrity" /log/u2d.log -A 6 
 is a much better command to check, because you see, if the hotfix applied. 
 # grep "sfsysupdate_NC-125369.tar.gz.sig passed integrity" /log/u2d.log -A 6
2023-10-04 14:40:29Z dr_dload_checker: Download for file sfsysupdate_NC-125369.tar.gz.sig passed integrity and sig checks
Wed Oct 04 16:40:29 2023 [Hotfix]: Affected version '<VERSION>' found
Wed Oct 04 16:40:29 2023 [Hotfix]: Stopping services
Wed Oct 04 16:40:29 2023 [Hotfix]: Backing up original files
Wed Oct 04 16:40:29 2023 [Hotfix]: Copying files
Wed Oct 04 16:40:29 2023 [Hotfix]: Restarting services
Wed Oct 04 16:40:29 2023 [Hotfix]: Start service: smtpd

Exim vulnerability CVE-2023-42115 score 9.5 "critical"

Top Replies