Date: Fri, 29 Sep 2023 18:59:14 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: zdi@...ndmicro.com
Subject: Re: Exim4 MTA CVEs assigned from ZDI

Hi,

Thank you for posting this, Heiko!  Also thank you Markus for bringing
this up in the other thread:

https://www.openwall.com/lists/oss-security/2023/09/29/3

I've attached plain text exports of the ZDI advisories to this message
for archival.

Out of the Exim Bugzilla entries in Markus' message, only
https://bugs.exim.org/show_bug.cgi?id=3001 is currently open to the
public, and it says:

> Bug 3001 - infoleak in SPA authenticator, client
> 
> Comment 1 Jeremy Harris 2023-05-11 20:02:32 UTC
> 
> ZDI-CAN-17433 (Trend Micro)
> 
> A crafted SPA challenge from the server can cause the client authenticator
> to read OOB; the data is then returned to the server.
> 
> Fix: validate the offset contained in the challenge, to avoid reading
> past the end of the challenge data structure.
> 
> Vulnerable since at least 4.50, probably longer.
> 
> Comment 2 Heiko Schlittermann 2023-09-29 16:01:58 UTC
> 
> should be fixed in 04107e98d58efb69f7e2d7b81176e5374c7098a3

On Fri, Sep 29, 2023 at 06:06:11PM +0200, Heiko Schlittermann wrote:
> the ZDI assigned multiple CVEs to the Exim-MTA and published them
> recently:
> 
> CVE            Link                                                      Exim-Bug  Status
> --------------+---------------------------------------------------------+---------+------
> CVE-2023-42114 https://www.zerodayinitiative.com/advisories/ZDI-23-1468/ 3001      fixed
> CVE-2023-42115 https://www.zerodayinitiative.com/advisories/ZDI-23-1469/ 2999      fixed
> CVE-2023-42116 https://www.zerodayinitiative.com/advisories/ZDI-23-1470/ 3000      fixed
> CVE-2023-42117 https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
> CVE-2023-42118 https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
> CVE-2023-42119 https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
> 
> The ZDI contacted us in June 2022. We asked about details but didn't get
> answers we were able to work with.
> 
> Next contact with ZDI was in May 2023. Right after this contact we
> created project bug tracker entries for 3 of the 6 issues. The 2
> high-scored ones are fixed (OOB access). The minor-scored one (info
> leak) is fixed too.
> 
> Fixes are available in a protected repository and are ready to be
> applied by the distribution maintainers.

Are distros allowed to make their updates public as soon as they can
(presumably after requesting access to the protected repository)?

I suggest that you set a specific date/time e.g. in 2 days from now when
both the Exim project will make the repo and the fixed bug entries (2999
and 3000) public _and_ distros will release updates.

> The remaining issues are debatable or miss information we need to fix
> them.
> 
> We're more than happy to provide fixes for all issues as soon as we
> receive detailed information.

Are you actively requesting such information from ZDI now?

This looks like sloppy handling of these issues so far by both ZDI and
Exim - neither team pinging the other for 10 months, then Exim taking 4
months to fix even the 2 high-scored issues it did have sufficient info
on.  What are you doing to improve the handling from this point on?

Thanks again,

Alexander
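The bug 3001 description quoted above (a server-supplied SPA challenge carrying an offset that the client used without checking it against the bytes actually received) maps directly onto the "security buffer" fields of an NTLMSSP Type 2 message, which is the format Exim's SPA authenticator speaks. The following is an added example and not Exim's code, nor the fix in commit 04107e98d58efb69f7e2d7b81176e5374c7098a3; it puts the trusting parse beside the bounds-checked one. The message layout is the public NTLM Type 2 layout, the challenge bytes are constructed here, and all function and macro names are invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLMSSP Type 2 (challenge) layout, all fields little-endian:
 *   0  "NTLMSSP\0"
 *   8  message type (2)
 *  12  TargetName security buffer: uint16 len, uint16 maxlen, uint32 offset
 *  20  negotiate flags
 *  24  8-byte server challenge
 * The security buffer's offset is relative to the start of the message and
 * is chosen entirely by the server, so it must be checked against the
 * number of bytes received before anything is read through it. */
#define T2_TARGET_NAME_BUF 12
#define T2_MIN_LEN 32

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the bug report describes: take offset and length as sent.
 * Kept only to contrast with the checked version below; it returns the
 * numbers without pointer arithmetic, but a caller that copies *off..*off+*len
 * into its response hands the server whatever lies beyond the message. */
int spa_target_name_unchecked(const uint8_t *msg, size_t msg_len,
                              size_t *off, size_t *len)
{
    if (msg_len < T2_MIN_LEN) return -1;
    *len = rd16(msg + T2_TARGET_NAME_BUF);
    *off = rd32(msg + T2_TARGET_NAME_BUF + 4);
    return 0;                       /* no check that *off + *len <= msg_len */
}

/* Checked version: locate TargetName inside the received challenge.
 * Returns 0 and sets *name/*name_len on success, -1 if the message is
 * malformed or the security buffer points outside the received bytes. */
int spa_target_name_checked(const uint8_t *msg, size_t msg_len,
                            const uint8_t **name, size_t *name_len)
{
    if (msg_len < T2_MIN_LEN) return -1;
    if (memcmp(msg, "NTLMSSP", 8) != 0) return -1;      /* includes the NUL */
    if (rd32(msg + 8) != 2) return -1;

    uint16_t len = rd16(msg + T2_TARGET_NAME_BUF);
    uint32_t off = rd32(msg + T2_TARGET_NAME_BUF + 4);

    /* Both ends of the referenced region must lie inside the message.
     * Two comparisons, so that off + len cannot wrap around. */
    if (off > msg_len || len > msg_len - off) return -1;

    *name = msg + off;
    *name_len = len;
    return 0;
}

/* Build a Type 2 message with the given TargetName security buffer fields
 * (constructed test data, not a capture). Returns bytes written, 0 on error. */
size_t build_challenge(uint8_t *buf, size_t cap, const char *target,
                       uint16_t claimed_len, uint32_t claimed_off)
{
    size_t tlen = strlen(target), total = T2_MIN_LEN + tlen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "NTLMSSP", 8);
    buf[8] = 2;                                          /* type 2 */
    buf[12] = (uint8_t)claimed_len; buf[13] = (uint8_t)(claimed_len >> 8);
    buf[14] = buf[12];              buf[15] = buf[13];   /* maxlen = len */
    buf[16] = (uint8_t)claimed_off;         buf[17] = (uint8_t)(claimed_off >> 8);
    buf[18] = (uint8_t)(claimed_off >> 16); buf[19] = (uint8_t)(claimed_off >> 24);
    buf[20] = 0x02; buf[21] = 0x02;                      /* flags: OEM | NTLM (illustrative) */
    memset(buf + 24, 0xA5, 8);                           /* server challenge (constructed) */
    memcpy(buf + T2_MIN_LEN, target, tlen);              /* real TargetName bytes */
    return total;
}

/* One honest challenge and two crafted ones whose TargetName buffer reaches
 * past the received bytes. Returns how many checks behaved as expected (4). */
int demo(void)
{
    uint8_t buf[128];
    const uint8_t *name; size_t nlen, off, len, n;
    int ok = 0;

    n = build_challenge(buf, sizeof buf, "EXAMPLE", 7, 32);       /* honest */
    if (spa_target_name_checked(buf, n, &name, &nlen) == 0 &&
        nlen == 7 && memcmp(name, "EXAMPLE", 7) == 0) ok++;

    n = build_challenge(buf, sizeof buf, "EXAMPLE", 7, 0x1000);   /* offset past end */
    if (spa_target_name_checked(buf, n, &name, &nlen) == -1) ok++;

    n = build_challenge(buf, sizeof buf, "EXAMPLE", 0xFFFF, 32);  /* length past end */
    if (spa_target_name_checked(buf, n, &name, &nlen) == -1) ok++;
    if (spa_target_name_unchecked(buf, n, &off, &len) == 0 && off + len > n) ok++;

    return ok;
}

int main(void)
{
    printf("%d of 4 checks behaved as expected\n", demo());
    return 0;
}
```

The third case is the one worth remembering when reviewing similar parsers: an offset that is itself in bounds is not enough, the length has to be checked against the remaining bytes as well, and doing it as `len > msg_len - off` rather than `off + len > msg_len` keeps a large 32-bit offset from wrapping the sum back into range.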

Attachments (plain text exports of the ZDI advisories):

  ZDI-23-1468-ZDI-CAN-17433-CVE-2023-42114.txt  (text/plain, 2458 bytes)
  ZDI-23-1469-ZDI-CAN-17434-CVE-2023-42115.txt  (text/plain, 2432 bytes)
  ZDI-23-1470-ZDI-CAN-17515-CVE-2023-42116.txt  (text/plain, 2442 bytes)
  ZDI-23-1471-ZDI-CAN-17554-CVE-2023-42117.txt  (text/plain, 2448 bytes)
  ZDI-23-1472-ZDI-CAN-17578-CVE-2023-42118.txt  (text/plain, 2436 bytes)
  ZDI-23-1473-ZDI-CAN-17643-CVE-2023-42119.txt  (text/plain, 2436 bytes)
