
Exim vulnerability CVE-2023-42115 score 9.5 "critical"

Can someone please confirm if and what Sophos Firewall versions are affected, and if so, what could be a mitigation?

Most sources that I found recommended disabling the MTA and using "other solutions" like postfix.

  • Hello Team,

    Recently some vulnerabilities for exim have been reported. Vulnerabilities reported are:

    CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42219.

    Please find more information about Sophos products being vulnerable:

    CVE-2023-42114: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used.

    CVE-2023-42115: SFOS + UTM are not vulnerable because the EXTERNAL authentication method required to exploit is not used.

    CVE-2023-42116: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used.

    CVE-2023-42117: SFOS + UTM are not vulnerable because the proxy-protocol support required to exploit is not used.

    UTM and SFOS are both affected by the libspf2 vulnerability (CVE-2023-42118). Customers using Email Security who have turned on Sender Policy Framework (SPF) are vulnerable to this.

    CVE-2023-42219: Under investigation. There's not enough info from exim yet to determine if we're vulnerable, but it's a CVSS 3.1, so lower severity compared to the others.

    Workaround:

    Disable SPF using the following steps.

    SFOS:

    Turn off SPF in all (MTA mode) SMTP policies under "Email >> Policies & exceptions >> [edit policy] >> Spam protection >> Reject based on SPF".

    An SFOS hotfix will be released to patch this vulnerability by 5th October.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • The SFOS hotfix which patches CVE-2023-42218 has been released. 

  • Good news!

    But how can I determine if the hotfix has been installed? Currently I get "Hot fix version: 4" (system diagnostic show version-info).

    Best regards

    Michael

  • Hello, 

    Please refer to this KBA for updates and how to check if Hotfix has been applied to your SF: https://support.sophos.com/support/s/article/KB-000045705?language=en_US

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I think

    grep "sfsysupdate_NC-125369.tar.gz.sig passed integrity" /log/u2d.log -A 6

    is a much better command to check, because you can see whether the hotfix was applied.

    # grep "sfsysupdate_NC-125369.tar.gz.sig passed integrity" /log/u2d.log -A 6
    2023-10-04 14:40:29Z dr_dload_checker: Download for file sfsysupdate_NC-125369.tar.gz.sig passed integrity and sig checks
    Wed Oct 04 16:40:29 2023 [Hotfix]: Affected version '<VERSION>' found
    Wed Oct 04 16:40:29 2023 [Hotfix]: Stopping services
    Wed Oct 04 16:40:29 2023 [Hotfix]: Backing up original files
    Wed Oct 04 16:40:29 2023 [Hotfix]: Copying files
    Wed Oct 04 16:40:29 2023 [Hotfix]: Restarting services
    Wed Oct 04 16:40:29 2023 [Hotfix]: Start service: smtpd

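The grep above only shows the log lines; the small shell check below, added here as an example and not part of any post in this thread, turns the same u2d.log evidence into a pass/fail result: the signed package must have passed its integrity check and the [Hotfix] installer must have reached "Restarting services". The hotfix id NC-125369 and the log format come from the post above; the function name and the two constructed sample logs are my own.

```shell
#!/bin/sh
# Added example (not Sophos code): verify a hotfix install from /log/u2d.log.
# Usage: hotfix_applied <logfile> <hotfix-id>
# Returns 0 when the signed package passed integrity/signature checks AND the
# installer lines that follow reach "Restarting services"; returns 1 otherwise.
hotfix_applied() {
    logfile="$1"
    hotfix="$2"
    # Step 1: the download must have passed the signature and integrity checks
    grep -q "sfsysupdate_${hotfix}.tar.gz.sig passed integrity and sig checks" "$logfile" || return 1
    # Step 2: within the 6 lines after that entry, the installer must have
    # progressed to restarting services (a stopped-halfway install fails here)
    grep -A 6 "sfsysupdate_${hotfix}.tar.gz.sig passed integrity" "$logfile" \
        | grep -q "\[Hotfix\]: Restarting services" || return 1
    return 0
}

# Constructed sample log: format copied from the thread, complete install
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
2023-10-04 14:40:29Z dr_dload_checker: Download for file sfsysupdate_NC-125369.tar.gz.sig passed integrity and sig checks
Wed Oct 04 16:40:29 2023 [Hotfix]: Affected version '<VERSION>' found
Wed Oct 04 16:40:29 2023 [Hotfix]: Stopping services
Wed Oct 04 16:40:29 2023 [Hotfix]: Backing up original files
Wed Oct 04 16:40:29 2023 [Hotfix]: Copying files
Wed Oct 04 16:40:29 2023 [Hotfix]: Restarting services
Wed Oct 04 16:40:29 2023 [Hotfix]: Start service: smtpd
EOF

# Constructed negative case: package verified, but the installer never got
# past stopping services (e.g. interrupted), so the check must fail
SAMPLE_PARTIAL=$(mktemp)
cat > "$SAMPLE_PARTIAL" <<'EOF'
2023-10-04 14:40:29Z dr_dload_checker: Download for file sfsysupdate_NC-125369.tar.gz.sig passed integrity and sig checks
Wed Oct 04 16:40:29 2023 [Hotfix]: Affected version '<VERSION>' found
Wed Oct 04 16:40:29 2023 [Hotfix]: Stopping services
EOF

if hotfix_applied "$SAMPLE_OK" NC-125369; then
    echo "NC-125369: applied"
else
    echo "NC-125369: NOT applied"
fi
```

On a real appliance, replace the sample file with /log/u2d.log and the hotfix id with the one named in the Sophos KBA for your release.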