SOLVED Critical Exim Security Vulnerability

[lorio]

FYI. For discussion. Just found it. Let's find out what impact it has.
[exim-announce] Critical Exim Security Vulnerability: disable chunking
NVD - CVE-2017-16944

 

[lorio]

In a typical CPanel setup I find "setup chunking_advertise_hosts" set to one Test-IP
cPanel Default: 198.51.100.1

So the impact would be limited on connections via this IP (real or spoofed)?
Wonder why CPanel did add just that IP instead keep the value empty.

Hopefully I haven't overlooked any thread about this issue here on the forum.
Seemed be already discussed on different boards over the weekend.
Critical Exim Security Vulnerability: disable chunking | Web Hosting Talk

 

[cPanelMichael]

Hello,

This vulnerability relies on support for chunking, which is already disabled by default in cPanel versions 62 and newer. Here's the output you should see when confirming that it's disabled:

# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1

Note that 198.51.100.1 is part of a reserved internal IP address block and thus should never be used as part of a live network configuration. It's purpose is documented at:

RFC 5737 - IPv4 Address Blocks Reserved for Documentation

That said, we'll be publishing an autofixer (internal case CPANEL-17092) to further ensure chunking is completely disabled (as opposed to only allowing it for the above mentioned internal IP address block). I'll update this thread again with more information on the status of that case as it becomes available.

Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

Thank you.

 

[cPanelMichael]

Hello,

To update, we've published an autofixer that ensures chunking support is disabled in Exim. Autofixers run automatically as part of the nightly cPanel update cron job. After the autofixer is ran, the command referenced in the previous response will show the following output:

# grep chunking /etc/exim*
/etc/exim.conf:chunking_advertise_hosts=""
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf:  hosts_try_chunking = 198.51.100.1
/etc/exim.conf.local:chunking_advertise_hosts=""

If you need to manually run the autofixer, here's the command to use:

/scripts/autorepair exim_disable_chunking

Thank you.

 

[rpvw]

The autofixer ran perfectly, and changed the chunking settings exactly as indicated above.

Another great job from cPanel devs

 

[sparek-3]

Perhaps a bit off-topic here...

Is the autofixer suppose to run if you have automatic updates disabled? At either rate, it did run.

I'd kind of prefer to be able to review changes before cPanel starts making changes to configuration options on our servers. Not that this particular fixed caused any adverse affects.

 

[Infopro]

Is the autofixer suppose to run if you have automatic updates disabled?

It seems it is. Checking a server log with updates disabled I see it:

[2017-11-28 00:40:22 -0500]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2017-11-28 00:40:22 -0500]      [13251] Requesting script ... Done
[2017-11-28 00:40:22 -0500]      [13251] Auto Repair is running...Running Auto Repair routines
[2017-11-28 00:40:22 -0500]      [13251] Running autorepair on exim_disable_chunking
[2017-11-28 00:40:24 -0500]      [13251] Configuration file passes test!  New configuration file was installed.

 

[sparek-3]

It ran on mine too and I have auto updates disabled.

But luckily this update did not break anything, although I did get several notices from all of our servers this morning telling me that the Exim configuration had changed (customized monitoring system). That's really the only way I knew this had run, although I did see this thread yesterday and was watching it.

I'm not necessarily complaining about this particular autofix running - but I just don't know if that was the best thing to do. Makes me wonder, what else can cPanel change on my servers without me knowing about it?

 

[Infopro]

You can look through your update log to see all scripts that run during the nightly cron job:

A log of this update is available at /var/cpanel/updatelogs/

Of course you'd have to look at those scripts that ran to see exactly what they're doing.

 

[sparek-3]

Meh.. you could, and I might have to write something to keep tabs on that, so I can at least be notified - "Guess what ran last night that may have borked your server"

Probably a better solution would be for the upcp cron to send a notification message to the server administrator about these if auto updates is disabled. Or maybe I'm just assuming too much, that if you have auto updates disabled, then you are actively checking your emails and the cPanel forums.

I'm really getting this thread off topic.

 

[cPanelJackson]

Hi everyone,

We have created a CKB article so you can track the progress of the patched builds, you can find it at the following link:
CVE-2017-16943 and CVE-2017-16944 Exim - cPanel Knowledge Base - cPanel Documentation

 

[rpvw]

Sorry to be a pain, but no-one has answered the question about the exim_disable_chunking issue, and if we need to run the autofixer script (if it still exists and still works), or edit or revert to the chunking_advertise_hosts="" setting ?

 

[Infopro]

I believe this is answered here:
SOLVED - Critical Exim Security Vulnerability

Note that cPanel version 60 is unaffected due to the use of Exim version 4.87 (this version doesn't offer chunking support).

 

[rpvw]

Darn I missed that....if you hadn't stolen my glasses I might have seen it

Thanks Infopro - one less thing to worry about !

I am somewhat surprised why the Exim configuration still has chunking_advertise_hosts = 198.51.100.1 and hosts_try_chunking = 198.51.100.1 for remote_smpt and dkim_remote_smtp if Exim 4.89-3 does not offer chunking support.

 

[cPanelMichael]

Hello @rpvw,

To clarify, cPanel versions 60 and earlier were noted as unaffected because an older version of Exim was utilized with those versions (e.g. Exim 4.87) and chunking support was not enabled. The newer versions of Exim included with supported cPanel versions did offer chunking support, so the autofixer was published to disable chunking (along with the backported CVEs). Since that time, the autofixer is no longer required because we've published Exim version 4.89.1 which includes bug fixes that address the vulnerability:

# rpm -q --changelog exim
- New upstream release exim-4.89.1-1.cp1162

Thank you.