SOLVED Critical Exim Security Vulnerability

lorio

Well-Known Member
Feb 25, 2004
313
20
168
cPanel Access Level
Root Administrator

In a typical cPanel setup I find "chunking_advertise_hosts" set to one test IP.
cPanel default: 198.51.100.1

So the impact would be limited to connections via this IP (real or spoofed)?
I wonder why cPanel added just that IP instead of keeping the value empty.

Hopefully I haven't overlooked any thread about this issue here on the forum.
It seemed to be already discussed on different boards over the weekend.
Critical Exim Security Vulnerability: disable chunking | Web Hosting Talk
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

This vulnerability relies on support for chunking, which is already disabled by default in cPanel versions 62 and newer. Here's the output you should see when confirming that it's disabled:

Code:
# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
Note that 198.51.100.1 is part of a reserved internal IP address block and thus should never be used as part of a live network configuration. Its purpose is documented at:

RFC 5737 - IPv4 Address Blocks Reserved for Documentation

That said, we'll be publishing an autofixer (internal case CPANEL-17092) to further ensure chunking is completely disabled (as opposed to only allowing it for the above mentioned internal IP address block). I'll update this thread again with more information on the status of that case as it becomes available.

Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

Thank you.
 
Reactions: linux4me2
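The grep above shows the configured value; what matters is how Exim interprets it. The following is an added example, not cPanel's or Exim's code, that reads an exim.conf and classifies the server's CHUNKING exposure, and that checks a captured EHLO response for the CHUNKING keyword. It assumes the option appears once in the main section (the last occurrence wins here), that 198.51.100.1 is matched as an ordinary host-list entry (the RFC 5737 documentation address is simply one no real client connects from), and, a point the grep alone cannot show, that Exim 4.88 and later default `chunking_advertise_hosts` to `*` when the option is absent, so only an explicit empty value turns advertising off. The `hosts_try_chunking` lines in the grep are smtp transport (outbound) settings: they govern whether Exim uses BDAT when delivering to those hosts, not what it offers to incoming connections. All sample configs and EHLO transcripts below are constructed for the example.

```shell
#!/bin/sh
# Added example, not cPanel's or Exim's code.
# Assumptions: a single main-section "chunking_advertise_hosts" line (last one
# wins here), and Exim's 4.88+ default of "*" when the option is absent.

# Print the effective chunking_advertise_hosts value for the config in $1:
# "*" when the option is absent (Exim's default), "" when explicitly empty,
# otherwise the configured host list.
chunking_advertise_hosts() {
    _cfg=$1
    if ! grep -q '^[[:space:]]*chunking_advertise_hosts[[:space:]]*=' "$_cfg"; then
        printf '%s\n' '*'
        return 0
    fi
    sed -n 's/^[[:space:]]*chunking_advertise_hosts[[:space:]]*=[[:space:]]*//p' "$_cfg" \
        | tail -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# Classify the value: "disabled" (nobody is offered CHUNKING), "all", or
# "restricted:<host list>".
chunking_state() {
    _hosts=$(chunking_advertise_hosts "$1")
    case "$_hosts" in
        "")  echo disabled ;;
        "*") echo all ;;
        *)   echo "restricted:$_hosts" ;;
    esac
}

# Succeed (exit 0) if an EHLO response on stdin advertises CHUNKING.
# Tolerates a prefix before the 250 code so "exim -bh" output can be piped in.
ehlo_offers_chunking() {
    grep -qE '(^|[[:space:]])250[- ]CHUNKING([[:space:]]|$)'
}

# --- constructed samples (not taken from any real server) ---
SAMPLE_DIR=$(mktemp -d)
printf 'chunking_advertise_hosts = 198.51.100.1\n' > "$SAMPLE_DIR/cpanel_default.conf"
printf 'chunking_advertise_hosts=""\n'              > "$SAMPLE_DIR/autofixed.conf"
printf 'primary_hostname = mail.example\n'          > "$SAMPLE_DIR/no_option.conf"

EHLO_BEFORE='250-mail.example Hello client [198.51.100.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250 HELP'
EHLO_AFTER='250-mail.example Hello client [198.51.100.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP'

for f in cpanel_default.conf autofixed.conf no_option.conf; do
    printf '%-20s %s\n' "$f:" "$(chunking_state "$SAMPLE_DIR/$f")"
done
# -> cpanel_default.conf: restricted:198.51.100.1, autofixed.conf: disabled, no_option.conf: all
printf '%s\n' "$EHLO_BEFORE" | ehlo_offers_chunking && echo "before: CHUNKING advertised"
printf '%s\n' "$EHLO_AFTER"  | ehlo_offers_chunking || echo "after: CHUNKING not advertised"
```

On a real host, `exim -bP chunking_advertise_hosts` prints the value Exim actually uses (including the `*` default), and `exim -bh 198.51.100.1` runs a simulated inbound session as if from that address, so you can type EHLO and see whether a 250-CHUNKING line comes back; piping that output into `ehlo_offers_chunking` gives the same verdict. The "no option line means enabled" case is the one to remember when editing the template by hand.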

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

To update, we've published an autofixer that ensures chunking support is disabled in Exim. Autofixers run automatically as part of the nightly cPanel update cron job. After the autofixer has run, the command referenced in the previous response will show the following output:

Code:
# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts=""
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf.local:chunking_advertise_hosts=""
If you need to manually run the autofixer, here's the command to use:

Code:
/scripts/autorepair exim_disable_chunking
Thank you.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
The autofixer ran perfectly, and changed the chunking settings exactly as indicated above.

Another great job from cPanel devs :cool:
 
Reactions: Infopro

sparek-3

Well-Known Member
Aug 10, 2002
2,021
227
368
cPanel Access Level
Root Administrator
Perhaps a bit off-topic here...

Is the autofixer supposed to run if you have automatic updates disabled? At any rate, it did run.

I'd kind of prefer to be able to review changes before cPanel starts making changes to configuration options on our servers. Not that this particular fix caused any adverse effects.
 

Infopro

Well-Known Member
May 20, 2003
17,091
516
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
sparek-3 said: "Is the autofixer supposed to run if you have automatic updates disabled?"

It seems it is. Checking a server log with updates disabled I see it:
Code:
[2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
[2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
[2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
[2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,021
227
368
cPanel Access Level
Root Administrator
It ran on mine too and I have auto updates disabled.

But luckily this update did not break anything, although I did get several notices from all of our servers this morning telling me that the Exim configuration had changed (customized monitoring system). That's really the only way I knew this had run, although I did see this thread yesterday and was watching it.

I'm not necessarily complaining about this particular autofix running - but I just don't know if that was the best thing to do. Makes me wonder, what else can cPanel change on my servers without me knowing about it?
 

sparek-3

Well-Known Member
Aug 10, 2002
2,021
227
368
cPanel Access Level
Root Administrator
Meh... you could, and I might have to write something to keep tabs on that, so I can at least be notified: "Guess what ran last night that may have borked your server."

Probably a better solution would be for the upcp cron to send a notification message to the server administrator about these if auto updates is disabled. Or maybe I'm just assuming too much, that if you have auto updates disabled, then you are actively checking your emails and the cPanel forums.

I'm really getting this thread off topic.
 
Reactions: Archmactrix
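One way to get the notification sparek-3 is asking for, as an added example that is not cPanel's code: a script run from the admin's own cron that keeps a digest of the Exim config and reports drift, and that pulls the autorepair routine names out of the update log using the "Running autorepair on <name>" line format Infopro quoted above. The baseline path, the working directory and the log excerpt are this example's own constructed assumptions; the thread does not state where cPanel writes that log, so feed the function whatever log file you have.

```shell
#!/bin/sh
# Added example, not cPanel's code. Assumptions: $BASELINE is a path the admin
# chooses for the stored digest, and the update log contains lines of the form
# "... Running autorepair on <routine>" as quoted in this thread.

# SHA-256 of a file; portable across sha256sum (GNU) and shasum (BSD/macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare config $1 against the digest stored in $2.
# Prints "new-baseline" (and records the digest) on first run, "unchanged",
# or "changed"; returns non-zero only for "changed" so cron/mail can key on it.
check_config_drift() {
    _cfg=$1; _baseline=$2
    _now=$(file_digest "$_cfg")
    if [ ! -f "$_baseline" ]; then
        printf '%s\n' "$_now" > "$_baseline"
        echo new-baseline
        return 0
    fi
    _old=$(cat "$_baseline")
    if [ "$_now" = "$_old" ]; then
        echo unchanged
        return 0
    fi
    echo changed
    return 1
}

# Accept the current file as the new baseline once you have reviewed the change.
accept_baseline() {
    file_digest "$1" > "$2"
}

# Print the distinct autorepair routine names found in a log on stdin.
autorepairs_in_log() {
    sed -n 's/.*Running autorepair on \([^[:space:]]*\).*/\1/p' | sort -u
}

# --- constructed demonstration (paths and log lines are made up here) ---
WORK=$(mktemp -d)
CFG="$WORK/exim.conf"
BASELINE="$WORK/exim.conf.sha256"
SAMPLE_LOG='[2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
[2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.'

printf 'chunking_advertise_hosts = 198.51.100.1\n' > "$CFG"
check_config_drift "$CFG" "$BASELINE"                 # new-baseline
printf 'chunking_advertise_hosts=""\n' > "$CFG"       # simulate the autofixer rewrite
check_config_drift "$CFG" "$BASELINE" \
    || echo "ALERT: $CFG changed; autorepair routines in log: $(printf '%s\n' "$SAMPLE_LOG" | autorepairs_in_log)"
accept_baseline "$CFG" "$BASELINE"                    # after you have reviewed the diff
check_config_drift "$CFG" "$BASELINE"                 # unchanged
```

Point `check_config_drift` at /etc/exim.conf (and exim.conf.local) from a nightly cron entry that mails its output; a digest only tells you that something changed, so keep a plain copy of the file alongside the baseline if you also want a diff to read before running `accept_baseline`.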

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
Sorry to be a pain, but no-one has answered the question about the exim_disable_chunking issue, and if we need to run the autofixer script (if it still exists and still works), or edit or revert to the chunking_advertise_hosts="" setting ?
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
Darn I missed that....if you hadn't stolen my glasses I might have seen it :(

Thanks Infopro - one less thing to worry about !

I am somewhat surprised that the Exim configuration still has chunking_advertise_hosts = 198.51.100.1 and hosts_try_chunking = 198.51.100.1 for remote_smtp and dkim_remote_smtp if Exim 4.89-3 does not offer chunking support.
 
Reactions: Infopro

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello @rpvw,

To clarify, cPanel versions 60 and earlier were noted as unaffected because an older version of Exim was utilized with those versions (e.g. Exim 4.87) and chunking support was not enabled. The newer versions of Exim included with supported cPanel versions did offer chunking support, so the autofixer was published to disable chunking (along with the backported CVEs). Since that time, the autofixer is no longer required because we've published Exim version 4.89.1 which includes bug fixes that address the vulnerability:

Code:
# rpm -q --changelog exim
- New upstream release exim-4.89.1-1.cp1162
Thank you.
 
  • Like
Reactions: rpvw and Infopro