Date: Fri, 24 Nov 2017 23:35:23 -0500 From: Phil Pennock <phil.pennock@...dhuis.org> To: oss-security@...ts.openwall.com Subject: Re: RCE in Exim reported On 2017-11-24 at 22:59 -0500, Phil Pennock wrote: > A complete mitigation is to disable advertising the CHUNKING extension, > in which case an attempt to use the BDAT verb should result in: > > 503 BDAT command used when CHUNKING not advertised Note: some distributions only ship older versions of Exim, so emphasis on "introduced with Exim 4.88". If you have an older version, you're safe. If you telnet to your mail-server on port 25 and issue the EHLO command, and look at the list of SMTP extensions offered, then the CHUNKING extension needs to be listed for you to be vulnerable. Exim administratively blocks use of the BDAT verb in sessions where the CHUNKING extension was not advertized. Thus: chunking_advertise_hosts = is a _complete_ workaround. On older Exim, the BDAT verb (after MAIL and RCPT) should yield: 500 unrecognized command On safe Exim, it should yield: 503 BDAT command used when CHUNKING not advertised If you get a 2xx response to BDAT, and you're not using pipelined verbs and confusing the response to the MAIL verb with the response to the BDAT verb, then you haven't disabled CHUNKING. Regards, -Phil Download attachment "signature.asc" of type "application/pgp-signature" (997 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ