EXIM RCE CVE-2019-15846 URGENT

Youch!  My exim version is 4.82.  The minimum safe build is 4.92.1.

also check out https://www.openwall.com/lists/oss-security/2019/09/04/1

and the interview with Heiko (in german) -> https://marius.bloggt-in-braunschweig.de/2019/09/04/nicht-schon-wieder-ein-root-exploit-im-exim/

problem relies mainly with exim-tls, to be precise in a provided modified SNI string. 

Question would be if utm is vulnerable as the fraudulent sni could be modified/harmonized/normalized before it reaches naked exim. We have to wait for Sophos here to provide fresh intel.

Hi JoergRiether 

This is currently being investigated by our Development team on a priority basis as NUTM-11229. I'll post an update as soon as there's more information available.

Just out of interest, does this team work 24*7 (in ITIL one could say follow the sun) or 8*5? Or anything in between? I think some people here could sleep a little better if the answer is not 8*5.

Best regards

Alex

Tenable has a plugin online https://www.tenable.com/cve/CVE-2019-15846 but i guess this plugin only checks for the banner version string, so imho still valid statement from Sophos urgently needed. Also nothing from rapid7 so far https://www.rapid7.com/db/?q=exim&type= 

Hi Jaydeep,

This is incredible dissatisfying.
Ubuntu and Debian already providing patches for Exim.
Most of us are paying a fortunate to Sophos so we are not facing such issues.
Go and have a look at the official exim site https://www.exim.org/static/doc/security/CVE-2019-15846.txt
You could have investigated this issue for more than a month!

Someone would believe Sophos reacts fast an realiable without us having to ask!

Gregor Streng

Any updates so far?

In June you wrote about this:

https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/

making 4.92 the safest version, today it should be 4.92.2

I am running 9.605 UTM:

How can it be that Exim version is:

Exim version 4.82_1-5b7a7c0-XX #2 built 15-Aug-2018 11:10:24

:-O

I'd like to be informed about this as well. That's why i'm dropping a comment in here...

Maybe it wasn't a good idea to move XG from Self-Built to EXIM...

twister5800 said:

In June you wrote about this:

https://nakedsecurity.sophos.com/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/

The CVE the article you linked to talks about only applies to exim 4.87 and newer, not to 4.82.

I know, they wrote:

"The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time."

So when that article was written we should already have thr UTM patched to 4.92, but UTm TODAY is still 4.82, meaning more vulnerabilities :-)

First of all, I agree with most being said, but we have to be a little bit careful with the definition of what we are talking about here. Of course, a naked unpatched EXIM is highly vulnerable. With UTM, it may be the case that you do not speak directly with the EXIM, but with a specific reverse middleware, created by Sophos or if you want to call it like that a "normalizer" or proxy, which you would talk to first and this normalizer would then speak to EXIM. In this respect, it may be possible that this normalizer prevents exactly this exploit because it may strip trailing backslashes. But this just needs to be confirmed 100% by Sophos. Further more, I heard or read about of another method using a crafted certificate to trigger the vulnerability.  

First of all, I agree with most being said, but we have to be a little bit careful with the definition of what we are talking about here. Of course, a naked unpatched EXIM is highly vulnerable. With UTM, it may be the case that you do not speak directly with the EXIM, but with a specific reverse middleware, created by Sophos or if you want to call it like that a "normalizer" or proxy, which you would talk to first and this normalizer would then speak to EXIM. In this respect, it may be possible that this normalizer prevents exactly this exploit because it may strip trailing backslashes. But this just needs to be confirmed 100% by Sophos. Further more, I heard or read about of another method using a crafted certificate to trigger the vulnerability.