SOLVED Critical Exim Security Vulnerability

Discussion in 'E-mail Discussions' started by lorio, Nov 27, 2017.

  1. lorio

    lorio Well-Known Member

  2. lorio

    lorio Well-Known Member

    In a typical cPanel setup I find "setup chunking_advertise_hosts" set to one Test-IP
    cPanel Default: 198.51.100.1

    So the impact would be limited to connections via this IP (real or spoofed)?
    Wonder why cPanel added just that IP instead of keeping the value empty.

    Hopefully I haven't overlooked any thread about this issue here on the forum.
    It seems to have already been discussed on different boards over the weekend.
    Critical Exim Security Vulnerability: disable chunking | Web Hosting Talk
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This vulnerability relies on support for chunking, which is already disabled by default in cPanel versions 62 and newer. Here's the output you should see when confirming that it's disabled:

    Code:
    # grep chunking /etc/exim*
    /etc/exim.conf:chunking_advertise_hosts = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    Note that 198.51.100.1 is part of a reserved internal IP address block and thus should never be used as part of a live network configuration. Its purpose is documented at:

    RFC 5737 - IPv4 Address Blocks Reserved for Documentation

    That said, we'll be publishing an autofixer (internal case CPANEL-17092) to further ensure chunking is completely disabled (as opposed to only allowing it for the above mentioned internal IP address block). I'll update this thread again with more information on the status of that case as it becomes available.

    Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

    Thank you.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To update, we've published an autofixer that ensures chunking support is disabled in Exim. Autofixers run automatically as part of the nightly cPanel update cron job. After the autofixer has run, the command referenced in the previous response will show the following output:

    Code:
    # grep chunking /etc/exim*
    /etc/exim.conf:chunking_advertise_hosts=""
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf.local:chunking_advertise_hosts=""
    If you need to manually run the autofixer, here's the command to use:

    Code:
    /scripts/autorepair exim_disable_chunking
    Thank you.
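
The two configuration states quoted in the posts above can be told apart mechanically. This is an added example, not part of the thread and not cPanel's autofixer; the function name `chunking_state` and the sample strings are constructed here.

```shell
#!/bin/sh
# Added example, not cPanel's autofixer: classify how an Exim config
# advertises CHUNKING, using the line shapes quoted in this thread.

# chunking_state [FILE]  (reads stdin when no file is given)
# prints: disabled | placeholder | enabled | unset
chunking_state() {
    awk '
    # Main option only: the indented hosts_try_chunking transport lines
    # do not match because the option name must start the line.
    /^chunking_advertise_hosts[ \t]*=/ {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)   # drop "name ="
        sub(/[ \t]+$/, "", val)         # drop trailing blanks
        gsub(/"/, "", val)              # treat "" like an empty value
        seen = 1; last = val            # report the last occurrence
    }
    END {
        if (!seen)      { print "unset"; exit }      # built-in default applies
        if (last == "") { print "disabled"; exit }   # advertised to no host
        n = split(last, item, /[ \t]*:[ \t]*/)       # host lists use ":"
        for (i = 1; i <= n; i++) {
            # RFC 5737 documentation blocks: 192.0.2/24, 198.51.100/24, 203.0.113/24
            if (item[i] !~ /^(192\.0\.2|198\.51\.100|203\.0\.113)\.[0-9]+$/) {
                print "enabled"; exit
            }
        }
        print "placeholder"
    }' "$@"
}

# Constructed samples mirroring the two grep outputs quoted above.
sample_before='chunking_advertise_hosts = 198.51.100.1
  hosts_try_chunking = 198.51.100.1'
sample_after='chunking_advertise_hosts=""
  hosts_try_chunking = 198.51.100.1'

printf 'before autofixer: %s\n' "$(printf '%s\n' "$sample_before" | chunking_state)"
printf 'after autofixer:  %s\n' "$(printf '%s\n' "$sample_after" | chunking_state)"
```

Anything other than `disabled` or `placeholder` means the server advertises chunking to at least one address that is not a documentation placeholder.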
     
  5. rpvw

    rpvw Well-Known Member

    The autofixer ran perfectly, and changed the chunking settings exactly as indicated above.

    Another great job from cPanel devs :cool:
     
  6. sparek-3

    sparek-3 Well-Known Member

    Perhaps a bit off-topic here...

    Is the autofixer supposed to run if you have automatic updates disabled? At either rate, it did run.

    I'd kind of prefer to be able to review changes before cPanel starts making changes to configuration options on our servers. Not that this particular fix caused any adverse effects.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    It seems it is. Checking a server log with updates disabled I see it:
    Code:
    [2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
    [2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
    [2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
    [2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
    [2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.
     
  8. sparek-3

    sparek-3 Well-Known Member

    It ran on mine too and I have auto updates disabled.

    But luckily this update did not break anything, although I did get several notices from all of our servers this morning telling me that the Exim configuration had changed (customized monitoring system). That's really the only way I knew this had run, although I did see this thread yesterday and was watching it.

    I'm not necessarily complaining about this particular autofix running - but I just don't know if that was the best thing to do. Makes me wonder, what else can cPanel change on my servers without me knowing about it?
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You can look through your update log to see all scripts that run during the nightly cron job:
    Of course you'd have to look at those scripts that ran to see exactly what they're doing.
     
  10. sparek-3

    sparek-3 Well-Known Member

    Meh.. you could, and I might have to write something to keep tabs on that, so I can at least be notified - "Guess what ran last night that may have borked your server"

    Probably a better solution would be for the upcp cron to send a notification message to the server administrator about these if auto updates is disabled. Or maybe I'm just assuming too much, that if you have auto updates disabled, then you are actively checking your emails and the cPanel forums.

    I'm really getting this thread off topic.
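
One way to keep tabs on what the nightly job ran, as discussed in the posts above. This is an added example, not written by any participant and not a cPanel tool; it relies only on the log line shapes in the excerpt quoted earlier in the thread, and the function name `autorepair_runs` is hypothetical.

```shell
#!/bin/sh
# Added example, not a cPanel tool: list the autorepair routines recorded
# in an update log, based only on the line shapes quoted in this thread.

# autorepair_runs [FILE]  (reads stdin when no file is given)
# prints one line per routine: timestamp <TAB> routine <TAB> config-changed (yes|no)
autorepair_runs() {
    awk '
    function emit() {
        if (name != "") print ts "\t" name "\t" changed
        name = ""
    }
    {
        # First bracketed field is the timestamp: [2017-11-28 00:40:22 -0500]
        stamp = $0
        sub(/^\[/, "", stamp)
        sub(/\].*/, "", stamp)
    }
    /Running autorepair on / {
        emit()                                   # close the previous routine
        name = $0
        sub(/.*Running autorepair on /, "", name)
        sub(/[ \t]+$/, "", name)
        ts = stamp; changed = "no"
    }
    # Attribute an installed config to the routine that was running.
    /New configuration file was installed/ { if (name != "") changed = "yes" }
    END { emit() }
    ' "$@"
}

# Constructed sample: the excerpt posted earlier in this thread.
sample_log='[2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
[2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
[2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
[2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.'

printf '%s\n' "$sample_log" | autorepair_runs
```

Feeding the output to a mail or alerting command gives a per-night record of which routines ran and whether one of them replaced the Exim configuration.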
     
  11. cPanelJackson

    cPanelJackson Product Owner - cPanel Security Team
    Staff Member

  12. rpvw

    rpvw Well-Known Member

    Sorry to be a pain, but no-one has answered the question about the exim_disable_chunking issue, and if we need to run the autofixer script (if it still exists and still works), or edit or revert to the chunking_advertise_hosts="" setting?
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I believe this is answered here:
    SOLVED - Critical Exim Security Vulnerability

     
  14. rpvw

    rpvw Well-Known Member

    Darn I missed that....if you hadn't stolen my glasses I might have seen it :(

    Thanks Infopro - one less thing to worry about!

    I am somewhat surprised why the Exim configuration still has chunking_advertise_hosts = 198.51.100.1 and hosts_try_chunking = 198.51.100.1 for remote_smtp and dkim_remote_smtp if Exim 4.89-3 does not offer chunking support.
     
    #14 rpvw, Jan 24, 2018
    Last edited: Jan 24, 2018
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @rpvw,

    To clarify, cPanel versions 60 and earlier were noted as unaffected because an older version of Exim was utilized with those versions (e.g. Exim 4.87) and chunking support was not enabled. The newer versions of Exim included with supported cPanel versions did offer chunking support, so the autofixer was published to disable chunking (along with the backported CVEs). Since that time, the autofixer is no longer required because we've published Exim version 4.89.1 which includes bug fixes that address the vulnerability:

    Code:
    # rpm -q --changelog exim
    - New upstream release exim-4.89.1-1.cp1162
    
    Thank you.
     