
EXIM RCE CVE-2019-15846 URGENT

Hi, this seems to be urgent to me as this is remotely exploitable. Any update from Sophos for UTM regarding this? Thanks, Joerg

 

https://seclists.org/oss-sec/2019/q3/192

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15846

https://www.heise.de/security/meldung/Mailserver-Exim-CERT-Bund-kuendigt-Update-fuer-kritische-Schwachstelle-an-4514414.html

  • I'd like to be informed about this as well. That's why I'm dropping a comment in here...

     

    Maybe it wasn't a good idea to move XG from Self-Built to EXIM...

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • twister5800 said:

     

    The CVE the article you linked to talks about only applies to exim 4.87 and newer, not to 4.82.

  • I know, they wrote:

    "The next release, version 4.92, fixed the problem on 10 February 2019 although that wasn’t realised by the software’s maintainers at the time."

    So when that article was written we should already have had the UTM patched to 4.92, but UTM TODAY is still 4.82, meaning more vulnerabilities :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • First of all, I agree with most of what is being said, but we have to be a little bit careful with the definition of what we are talking about here. Of course, a naked unpatched EXIM is highly vulnerable. With UTM, it may be the case that you do not speak directly with the EXIM, but with a specific reverse middleware, created by Sophos, or if you want to call it that, a "normalizer" or proxy, which you would talk to first, and this normalizer would then speak to EXIM. In this respect, it may be possible that this normalizer prevents exactly this exploit because it may strip trailing backslashes. But this just needs to be confirmed 100% by Sophos. Furthermore, I heard or read about another method using a crafted certificate to trigger the vulnerability.

  • twister5800 said:

    So when that article was written we should already have had the UTM patched to 4.92, but UTM TODAY is still 4.82, meaning more vulnerabilities :-)

    No, a version number says almost nothing if you don't know how it's maintained. It is common to backport the fixes to older versions, as testing new releases is more expensive.
    So this is most likely a custom-hardened version 4.82.
     
  • I am not claiming to be the wiser here, but try to search Google for "Exim version 4.82_1-5b7a7c0-XX", you will find a lot of appliances using this build; I have seen them with -<number> at the end also?

    Maybe I could learn something here :-)

    Regardless, the release notes for UTM only have EXIM in them in the 9.508 release:

     

    "Fix [NUTM-9252]: [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963"

    So from this:

    https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/version_id-170893/Exim-Exim-4.82.html

    Then there should be some work in progress, right?

    ----

    Nonetheless, I hope for a quick fix from Sophos, as apparently EXIM 4.82 is not backported for CVE-2019-15846.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • All, through our reseller I received the following reply from Sophos support:

    "We are not impacted on both (XG and UTM) as we strip such headers before they reach the forwarder. But we will add the patch in an upcoming MR to avoid any future issues. Cyberoam doesn't use Exim at all so it is not affected. We are working on a notification for this and it should be made available soon."
  • that's great news, thanks ;-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Hi, we have also just published the following KBA confirming the status of this CVE across our email products: community.sophos.com/.../134597
  • Hello Folks,

    We released this KBA yesterday: "Exim CVE-2019-15846 and Sophos Products". This vulnerability is not exploitable on any Sophos products; see the table below for more information.

    Product                   | Vulnerable | Further information
    --------------------------|------------|--------------------------------------------------------------
    Sophos XG Firewall        | No         | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
    Sophos UTM                | No         | The TLS headers that are used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
    Sophos Email on Central   | No         | Product doesn't utilize Exim
    Sophos Email Appliance    | No         | Product doesn't utilize Exim
    Puremessage for Unix      | No         | Product doesn't utilize Exim
    Puremessage for Exchange  | No         | Product doesn't utilize Exim
    Cyberoam                  | No         | Product doesn't utilize Exim
    Reflexion                 | No         | Product doesn't utilize Exim


    * Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release.

    I hope this clarifies any doubts you have.

    Regards

    Jaydeep