Info urgent EXIM vulnerability

Hello,

Thank you for contacting the Sophos Community.

We have reached out internally about this, and once we hear back, we’ll update the post.

Regards,

There is already another post here:

 Exim Schwachstelle 

CVE-Number 2023-42115 which allows remote execution over the network without authentication.

Affected versions: All supported versions, from 4.0 to 4.96. 

Hi,

some updates from the exim maintainers https://seclists.org/oss-sec/2023/q3/254

"Fixes are available in a protected repository and are ready to be applied by the distribution maintainers ..."

Hello Team,

Recently some vulnerabilities for exim have been reported. Vulnerabilities reported are:

CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42219.

Please find more information about Sophos products being vulnerable:

CVE-2023-42114: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 

 CVE-2023-42115: SFOS + UTM are not vulnerable  because the EXTERNAL authentication method required to exploit is not used 

 CVE-2023-42116: SFOS + UTM are not vulnerable  because the SPA (NTLM) authentication method required to exploit is not used 

 CVE-2023-42117: SFOS + UTM are not vulnerable because the proxy-protocol support required to exploit is not used 

UTM and SFOS are both affected by the libspf2 vulnerability (CVE-2023-42118). Customers using Email Security and have turned on Sender Policy Framework (SPF) are vulnerable to this.

CVE-2023-42219: Under investigation. There's not enough info from exim yet to determine if we're vulnerable, but it's a CVSS 3.1 so lower severity compared to the others. 

Workaround:

Disable SPF using the following steps

For UTM: 

      Turn off SPF in all SMTP profiles under "Email Protection >> SMTP >> Antispam >> Perform SPF check" and 

      "Email Protection >> SMTP Profiles >> [edit profile] >> BATV/RDNS/HELO/SPF/Greylisting >> Perform SPF check" when in profiles mode.

An UTM MR will be released to patch this vulnerability, date is TBD 

Regards,

Thanks, highly appreciated.

Best,

Joerg

4.96.1 released today. Supposedly resolves 2023-42115 and some other CVE's.

Thank you so much! 

What about CVE-2023-42219? Is UTM affected too?

Unfortunately there's not enough details from Exim on CVE-2023-42119 yet to determine whether the UTM is vulnerable. We're still looking for more details from Exim. 

Reading CVE-2023-42119 though, it is an information disclosure (read beyond end of buffer) vulnerability & has a CVSS score of 3.1. My understanding is by itself it doesn't result in arbitrary code execution, RCE is only possible when combined with another vulnerability.

We'll continue to work to determine if UTM is vulnerable as more information from Exim becomes available. 

Hi,

It seems the hotfix has been deployed?

Can you confirm that the hotfix affects the exim vulnerability?

DEBUG     2023-10-04 14:31:12Z [2862]: --pkg_sysupdate_version = 3
DEBUG     2023-10-04 14:36:53Z [4426]: --pkg_sysupdate_version = 3
DEBUG     2023-10-04 14:38:39Z [6723]: --pkg_sysupdate_version = 4
DEBUG     2023-10-04 15:01:10Z [14394]: --pkg_sysupdate_version = 4
DEBUG     2023-10-04 15:06:54Z [15946]: --pkg_sysupdate_version = 4

BR Gerd