
Shellshock for Exim

Has anyone heard anything from Sophos about this?  Report: Criminals use Shellshock against mail servers to build botnet

Cheers - Bob


  • Hi Bob,

    Bash was reportedly patched in 9.2008; see 
    https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22420

    Some more info at
    Sophos products and the Bash vulnerability (Shellshock)
    although the up2date doesn't seem to be mentioned, it does state that the UTM can't execute bash from any exposed services. Hopefully that applies to 8.x and 9.1x as well.

    Barry
  • Barry, the way I read the warning was that it's one of the processes that Exim does with the contents of the header.  The internal processes of Exim are in question, not the exposed processes.  I don't know which cgi scripts are used by the UTM in Exim, nor whether the bash fix took this new (discovered last week) exploit into account, so I don't know whether to worry about this.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My guess is that since Bash was patched against ShellShock, at least the 9.2008 system should be safe.

    A statement from Sophos about version 8 and 9.1x would be appreciated.

    Barry
  • Bob - Exim would not be vulnerable to bash.  If exim uses bash in a script, bash may be vulnerable.  However, if bash is patched, other products using bash (like Exim, apache, etc.) would be safe as well.

    That being said, and slightly off topic, it still may be vulnerable (and I think it is) to POODLE attacks aimed at SSLv3 support in services like Exim, etc.
  • OK, I've read some more and have concluded that you and Barry are correct.  I need to tickle a couple of my clients to get them to install 9.208.

    Cheers - Bob
     