Message-ID: <20190909185052.GA20873@spodhuis.org>
Date: Mon, 9 Sep 2019 14:50:52 -0400
From: Phil Pennock <pdp@...m.org>
To: exim-users@...m.org, oss-security@...ts.openwall.com
Subject: Re: Sv: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges

On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
> Phil Pennock <pdp@...m.org> (Sa 07 Sep 2019 02:52:56 CEST):
> > The connect ACL won't protect you against STARTTLS usage, which is far
> > more common for email than TLS-on-connect.
> >
> > I myself use the HELO ACL.
> 
> This doesn't seem to be sufficient, you can start "submitting" a message to
> a remote Exim with the following sequence

Yeah sorry folks, that was a little embarrassing: my setup, and various
common configurations (including apparently RedHat's) enforce
EHLO-after-STARTTLS.  But that's Exim configuration, not hard-enforced
in the code.

"Be lenient in what you accept" ... bah humbug.

Exim's default configuration has included this check, at RCPT time
(which still works for our purposes) since commit 731c6a9043 in 2016,
included in releases 4.87 onwards.

So I use the HELO ACL and it's safe in "many" configurations, but we
have to be more cautious in recommending mitigating workarounds.

-Phil
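As an added illustration (not from this thread or from Exim's source), a small Python model of the command-ordering point made above: a HELO-ACL check fires only when the client sends EHLO/HELO, so it never runs inside the TLS session unless the server insists on a fresh EHLO after STARTTLS, whereas a RCPT-time requirement still sees the session state. The class, function and reply strings are constructed for this example.

```python
# Toy model of SMTP command ordering versus where a server-side check is placed.
# Constructed for this illustration; not Exim code. Tracks verbs only, no I/O or TLS.

class SmtpSession:
    """Tracks the state an ACL would observe at each command (assumed model)."""

    def __init__(self, require_ehlo_after_starttls: bool):
        self.strict = require_ehlo_after_starttls
        self.tls_active = False
        self.ehlo_in_tls = False     # has the client sent EHLO/HELO since STARTTLS?
        self.helo_acl_runs = 0       # how many times a HELO-ACL check would fire

    def command(self, verb: str) -> str:
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            # A HELO ACL runs here and only here. If TLS is not yet active, any
            # condition in it that inspects the TLS session sees nothing.
            self.helo_acl_runs += 1
            if self.tls_active:
                self.ehlo_in_tls = True
            return "250 OK"
        if verb == "STARTTLS":
            # RFC 3207: state is reset and the client is expected to EHLO again,
            # but a lenient server does not insist on it.
            self.tls_active = True
            self.ehlo_in_tls = False
            return "220 Ready to start TLS"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            # RCPT-time check in the spirit of the default-config rule the post
            # mentions: refuse if TLS is up but no EHLO was seen inside it.
            if self.strict and self.tls_active and not self.ehlo_in_tls:
                return "550 EHLO required after STARTTLS"
            return "250 OK"
        return "500 Unrecognised command"


def run_session(verbs, require_ehlo_after_starttls):
    """Feed a verb sequence through the model; return (replies, helo_acl_runs)."""
    s = SmtpSession(require_ehlo_after_starttls)
    return [s.command(v) for v in verbs], s.helo_acl_runs


if __name__ == "__main__":
    skip_ehlo = ["EHLO", "STARTTLS", "MAIL", "RCPT"]   # no EHLO inside TLS
    print(run_session(skip_ehlo, False))  # lenient: RCPT accepted, HELO ACL ran once, pre-TLS
    print(run_session(skip_ehlo, True))   # strict: RCPT refused at RCPT time
    print(run_session(["EHLO", "STARTTLS", "EHLO", "MAIL", "RCPT"], True))
```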
