Info urgent EXIM vulnerability

Question

Hi forum, 
 
 any intel or comment from Sophos regarding this? https://www.zerodayinitiative.com/advisories/ZDI-23-1469/ 
 
 Is SG affected? 
 
 Thanks 
 Joerg

Raphael Alganes · Answer

Hello Team, 
 
 Recently some vulnerabilities for exim have been reported. Vulnerabilities reported are: 
 CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42219. 
 Please find more information about Sophos products being vulnerable: 
 CVE-2023-42114: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 
 CVE-2023-42115: SFOS + UTM are not vulnerable because the EXTERNAL authentication method required to exploit is not used 
 CVE-2023-42116: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 
 CVE-2023-42117: SFOS + UTM are not vulnerable because the proxy-protocol support required to exploit is not used 
 UTM and SFOS are both affected by the libspf2 vulnerability (CVE-2023-42118). Customers using Email Security and have turned on Sender Policy Framework (SPF) are vulnerable to this. 
 CVE-2023-42219: Under investigation. There's not enough info from exim yet to determine if we're vulnerable, but it's a CVSS 3.1 so lower severity compared to the others. 
 Workaround: 
 Disable SPF using the following steps 
 For UTM: 
 &ensp;&ensp;&ensp;&ensp;&ensp;&ensp;Turn off SPF in all SMTP profiles under "Email Protection >> SMTP >> Antispam >> Perform SPF check" and 
 &ensp;&ensp;&ensp;&ensp;&ensp;&ensp;"Email Protection >> SMTP Profiles >> [edit profile] >> BATV/RDNS/HELO/SPF/Greylisting >> Perform SPF check" when in profiles mode. 
 
 An UTM MR will be released to patch this vulnerability, date is TBD 
 
 Regards,

bobbylam · Answer

Unfortunately there's not enough details from Exim on CVE-2023-42119 yet to determine whether the UTM is vulnerable. We're still looking for more details from Exim. 
 Reading CVE-2023-42119 though, it is an information disclosure (read beyond end of buffer) vulnerability & has a CVSS score of 3.1. My understanding is by itself it doesn't result in arbitrary code execution, RCE is only possible when combined with another vulnerability. 
 We'll continue to work to determine if UTM is vulnerable as more information from Exim becomes available.

Info urgent EXIM vulnerability

Top Replies