SOLVED Critical Exim Security Vulnerability

Discussion in 'E-mail Discussion' started by lorio, Nov 27, 2017.

  1. lorio

    lorio Well-Known Member

  2. lorio

    lorio Well-Known Member

    In a typical cPanel setup I find "setup chunking_advertise_hosts" set to one Test-IP
    cPanel Default: 198.51.100.1

    So the impact would be limited on connections via this IP (real or spoofed)?
    Wonder why cPanel added just that IP instead of keeping the value empty.

    Hopefully I haven't overlooked any thread about this issue here on the forum.
    Seems to have already been discussed on different boards over the weekend.
    Critical Exim Security Vulnerability: disable chunking | Web Hosting Talk
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This vulnerability relies on support for chunking, which is already disabled by default in cPanel versions 62 and newer. Here's the output you should see when confirming that it's disabled:

    Code:
    # grep chunking /etc/exim*
    /etc/exim.conf:chunking_advertise_hosts = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    Note that 198.51.100.1 is part of a reserved internal IP address block and thus should never be used as part of a live network configuration. Its purpose is documented at:

    RFC 5737 - IPv4 Address Blocks Reserved for Documentation

    That said, we'll be publishing an autofixer (internal case CPANEL-17092) to further ensure chunking is completely disabled (as opposed to only allowing it for the above mentioned internal IP address block). I'll update this thread again with more information on the status of that case as it becomes available.

    Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

    Thank you.
     
    linux4me2 likes this.
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To update, we've published an autofixer that ensures chunking support is disabled in Exim. Autofixers run automatically as part of the nightly cPanel update cron job. After the autofixer has run, the command referenced in the previous response will show the following output:

    Code:
    # grep chunking /etc/exim*
    /etc/exim.conf:chunking_advertise_hosts=""
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf:  hosts_try_chunking = 198.51.100.1
    /etc/exim.conf.local:chunking_advertise_hosts=""
    If you need to manually run the autofixer, here's the command to use:

    Code:
    /scripts/autorepair exim_disable_chunking
    Thank you.
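
Added example, not part of the original posts and not cPanel's autofixer: a small POSIX shell check that classifies the `chunking_advertise_hosts` line the `grep` output above shows, separating the empty value written by the autofixer from a list holding only an RFC 5737 documentation address and from a list that advertises chunking to real hosts. The function names, the verdict labels and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not cPanel's autofixer: classify the main-section
# chunking_advertise_hosts option of an Exim configuration file.

# Succeeds only if every item of the colon-separated host list is a single
# address inside an RFC 5737 documentation block.
only_doc_addresses() (
    set -f    # no globbing, so an item such as "*" stays literal
    IFS=:
    for item in $1; do
        case $item in
            192.0.2.*)    last=${item#192.0.2.} ;;
            198.51.100.*) last=${item#198.51.100.} ;;
            203.0.113.*)  last=${item#203.0.113.} ;;
            *)            exit 1 ;;
        esac
        # Remainder must be a bare last octet, not a mask or a hostname.
        case $last in ''|*[!0-9]*) exit 1 ;; esac
    done
    exit 0
)

# Prints one of: unset, disabled, doc-only, advertised.
chunking_status() (
    opt='^[[:space:]]*chunking_advertise_hosts[[:space:]]*='
    grep -Eq "$opt" "$1" || { echo unset; exit 0; }
    # Value of the last assignment, with quotes and whitespace stripped.
    value=$(sed -En "s/$opt//p" "$1" | tail -n 1 | tr -d '"[:space:]')
    if [ -z "$value" ]; then echo disabled
    elif only_doc_addresses "$value"; then echo doc-only
    else echo advertised
    fi
)

# Constructed sample files mirroring the states shown in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'chunking_advertise_hosts = 198.51.100.1\n' > "$demo_dir/before.conf"
printf 'chunking_advertise_hosts=""\n' > "$demo_dir/after.conf"
printf 'chunking_advertise_hosts = *\n' > "$demo_dir/open.conf"
printf '# chunking_advertise_hosts = *\n  hosts_try_chunking = 198.51.100.1\n' > "$demo_dir/absent.conf"
for name in before after open absent; do
    printf '%s: %s\n' "$name" "$(chunking_status "$demo_dir/$name.conf")"
done
```

On a server, `chunking_status /etc/exim.conf` gives the verdict for the live configuration; `unset` means the option is absent and Exim's built-in default applies.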
     
  5. rpvw

    rpvw Well-Known Member

    The autofixer ran perfectly, and changed the chunking settings exactly as indicated above.

    Another great job from cPanel devs :cool:
     
    Infopro likes this.
  6. sparek-3

    sparek-3 Well-Known Member

    Perhaps a bit off-topic here...

    Is the autofixer supposed to run if you have automatic updates disabled? At any rate, it did run.

    I'd kind of prefer to be able to review changes before cPanel starts making changes to configuration options on our servers. Not that this particular fix caused any adverse effects.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    It seems it is. Checking a server log with updates disabled I see it:
    Code:
    [2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
    [2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
    [2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
    [2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
    [2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.
     
  8. sparek-3

    sparek-3 Well-Known Member

    It ran on mine too and I have auto updates disabled.

    But luckily this update did not break anything, although I did get several notices from all of our servers this morning telling me that the Exim configuration had changed (customized monitoring system). That's really the only way I knew this had run, although I did see this thread yesterday and was watching it.

    I'm not necessarily complaining about this particular autofix running - but I just don't know if that was the best thing to do. Makes me wonder, what else can cPanel change on my servers without me knowing about it?
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You can look through your update log to see all scripts that run during the nightly cron job:
    Of course you'd have to look at those scripts that ran to see exactly what they're doing.
     
  10. sparek-3

    sparek-3 Well-Known Member

    Meh.. you could, and I might have to write something to keep tabs on that, so I can at least be notified - "Guess what ran last night that may have borked your server"

    Probably a better solution would be for the upcp cron to send a notification message to the server administrator about these if auto updates is disabled. Or maybe I'm just assuming too much, that if you have auto updates disabled, then you are actively checking your emails and the cPanel forums.

    I'm really getting this thread off topic.
     
    Archmactrix likes this.
  11. cPanelJackson

    cPanelJackson Release Manager
    Staff Member

  12. rpvw

    rpvw Well-Known Member

    Sorry to be a pain, but no-one has answered the question about the exim_disable_chunking issue, and if we need to run the autofixer script (if it still exists and still works), or edit or revert to the chunking_advertise_hosts="" setting ?
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I believe this is answered here:
    SOLVED - Critical Exim Security Vulnerability

     
    rpvw likes this.
  14. rpvw

    rpvw Well-Known Member

    Darn I missed that....if you hadn't stolen my glasses I might have seen it :(

    Thanks Infopro - one less thing to worry about !

    I am somewhat surprised why the Exim configuration still has chunking_advertise_hosts = 198.51.100.1 and hosts_try_chunking = 198.51.100.1 for remote_smtp and dkim_remote_smtp if Exim 4.89-3 does not offer chunking support.
     
    #14 rpvw, Jan 24, 2018
    Last edited: Jan 24, 2018
    Infopro likes this.
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @rpvw,

    To clarify, cPanel versions 60 and earlier were noted as unaffected because an older version of Exim was utilized with those versions (e.g. Exim 4.87) and chunking support was not enabled. The newer versions of Exim included with supported cPanel versions did offer chunking support, so the autofixer was published to disable chunking (along with the backported CVEs). Since that time, the autofixer is no longer required because we've published Exim version 4.89.1 which includes bug fixes that address the vulnerability:

    Code:
    # rpm -q --changelog exim
    - New upstream release exim-4.89.1-1.cp1162
    
    Thank you.
     
    rpvw and Infopro like this.