This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Info urgent EXIM vulnerability

Hi forum,

any intel or comment from Sophos regarding this?  https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

Is SG affected? 

Thanks

Joerg



This thread was automatically locked due to age.
  • Hello,

    Thank you for contacting the Sophos Community.

    We have reached out internally about this, and once we hear back, we’ll update the post.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • There is already another post here:

     Exim Schwachstelle 

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • CVE-Number 2023-42115 which allows remote execution over the network without authentication.

    Affected versions: All supported versions, from 4.0 to 4.96. 

  • Hi,

    some updates from the exim maintainers https://seclists.org/oss-sec/2023/q3/254

    "Fixes are available in a protected repository and are ready to be applied by the distribution maintainers ..."

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hello Team,

    Recently some vulnerabilities for exim have been reported. Vulnerabilities reported are:

    CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42219.

    Please find more information about Sophos products being vulnerable:

    CVE-2023-42114: SFOS + UTM are not vulnerable because the SPA (NTLM) authentication method required to exploit is not used 

     CVE-2023-42115: SFOS + UTM are not vulnerable  because the EXTERNAL authentication method required to exploit is not used 

     CVE-2023-42116: SFOS + UTM are not vulnerable  because the SPA (NTLM) authentication method required to exploit is not used 

     CVE-2023-42117: SFOS + UTM are not vulnerable because the proxy-protocol support required to exploit is not used 

    UTM and SFOS are both affected by the libspf2 vulnerability (CVE-2023-42118). Customers using Email Security and have turned on Sender Policy Framework (SPF) are vulnerable to this.

    CVE-2023-42219: Under investigation. There's not enough info from exim yet to determine if we're vulnerable, but it's a CVSS 3.1 so lower severity compared to the others. 

    Workaround:

    Disable SPF using the following steps

    For UTM: 

          Turn off SPF in all SMTP profiles under "Email Protection >> SMTP >> Antispam >> Perform SPF check" and 

          "Email Protection >> SMTP Profiles >> [edit profile] >> BATV/RDNS/HELO/SPF/Greylisting >> Perform SPF check" when in profiles mode.

     

    An UTM MR will be released to patch this vulnerability, date is TBD 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thanks, highly appreciated.

    Best,

    Joerg

  • 4.96.1 released today. Supposedly resolves 2023-42115 and some other CVE's.

  • Thank you so much! 

    What about CVE-2023-42219? Is UTM affected too?

  • Unfortunately there's not enough details from Exim on CVE-2023-42119 yet to determine whether the UTM is vulnerable. We're still looking for more details from Exim. 

    Reading CVE-2023-42119 though, it is an information disclosure (read beyond end of buffer) vulnerability & has a CVSS score of 3.1. My understanding is by itself it doesn't result in arbitrary code execution, RCE is only possible when combined with another vulnerability.

    We'll continue to work to determine if UTM is vulnerable as more information from Exim becomes available. 

  • Hi,

    It seems the hotfix has been deployed?

    Can you confirm that the hotfix affects the exim vulnerability?

    DEBUG     2023-10-04 14:31:12Z [2862]: --pkg_sysupdate_version = 3
    DEBUG     2023-10-04 14:36:53Z [4426]: --pkg_sysupdate_version = 3
    DEBUG     2023-10-04 14:38:39Z [6723]: --pkg_sysupdate_version = 4
    DEBUG     2023-10-04 15:01:10Z [14394]: --pkg_sysupdate_version = 4
    DEBUG     2023-10-04 15:06:54Z [15946]: --pkg_sysupdate_version = 4

    BR Gerd