SOLVED Critical Exim Security Vulnerability

Hello,

This vulnerability relies on support for chunking, which is already disabled by default in cPanel versions 62 and newer. Here's the output you should see when confirming that it's disabled:

Code:

# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1

Note that 198.51.100.1 is part of a reserved internal IP address block and thus should never be used as part of a live network configuration. It's purpose is documented at:

RFC 5737 - IPv4 Address Blocks Reserved for Documentation

That said, we'll be publishing an autofixer (internal case CPANEL-17092) to further ensure chunking is completely disabled (as opposed to only allowing it for the above mentioned internal IP address block). I'll update this thread again with more information on the status of that case as it becomes available.

Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

Thank you.

 

Hello,

To update, we've published an autofixer that ensures chunking support is disabled in Exim. Autofixers run automatically as part of the nightly cPanel update cron job. After the autofixer is ran, the command referenced in the previous response will show the following output:

Code:

# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts=""
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf.local:chunking_advertise_hosts=""

If you need to manually run the autofixer, here's the command to use:

Code:

/scripts/autorepair exim_disable_chunking

Thank you.

 

It seems it is. Checking a server log with updates disabled I see it:

Code:

[2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
[2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
[2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
[2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.

 

You can look through your update log to see all scripts that run during the nightly cron job:

Of course you'd have to look at those scripts that ran to see exactly what they're doing.

 

Hi everyone,

We have created a CKB article so you can track the progress of the patched builds, you can find it at the following link:
CVE-2017-16943 and CVE-2017-16944 Exim - cPanel Knowledge Base - cPanel Documentation

 

I believe this is answered here:
SOLVED - Critical Exim Security Vulnerability

 

Hello @rpvw,

To clarify, cPanel versions 60 and earlier were noted as unaffected because an older version of Exim was utilized with those versions (e.g. Exim 4.87) and chunking support was not enabled. The newer versions of Exim included with supported cPanel versions did offer chunking support, so the autofixer was published to disable chunking (along with the backported CVEs). Since that time, the autofixer is no longer required because we've published Exim version 4.89.1 which includes bug fixes that address the vulnerability:

Code:

# rpm -q --changelog exim
- New upstream release exim-4.89.1-1.cp1162

Thank you.