The Community Forums


Remote code execution flaw in exim <=4.80

Discussion in 'Security' started by jerrybell, Oct 26, 2012.

  1. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Exim has been updated to fix a remote code execution flaw. Here is the announcement: https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html

    No details on whether it's being actively exploited.

    I would recommend disabling dkim in the exim configuration editor until 4.82 is pushed to your servers. RCE is nothing to mess around with.
     
    #1 jerrybell, Oct 26, 2012
    Last edited: Oct 26, 2012
  2. eperdeme

    eperdeme Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Manchester, UK
    cPanel Access Level:
    DataCenter Provider
    We have updated our exim estate which runs Debian to fix this exploit.

    Seeing as Debian pushed it out so rapidly (normally they take ages), we need cPanel to be following shortly.
     
  3. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    By default in 11.32 and 11.34 we add

    warn control = dkim_disable_verify

    to exim.conf so this shouldn't be a problem. New rpms are being tested and will be forthcoming shortly.

    Just make sure this option is disabled in the Basic Exim Editor inside of WHM:
    [attached screenshot: Screen Shot 2012-10-26 at 11.34.08 AM.png]
     
  4. chposter

    chposter Active Member

    Joined:
    May 9, 2011
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    8
    So, 11.30 LTS version is not affected, right? (exim-4.69-30)
     
  5. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    11.30 did not have DKIM support so it should not be affected.
     
  6. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Why did you write "SHOULD"? How can we be sure that we are on the safe side with exim-4.69-30?
     
    #6 nospa, Oct 26, 2012
    Last edited: Oct 26, 2012
  7. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Some people have installed custom exim rpms which may support DKIM in 11.30. There are a few third party howtos floating around like : http://www.thecpaneladmin.com/using-dkim-with-exim-and-cpanel/
     
  8. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Is Exim-4.69-30 from cPanel - not installed as custom but installed by default with cPanel - not affected? I read that experimental DKIM support was added in 4.69, but I'm unsure if cPanel implemented this in the default install. The article you've provided describes how to install DKIM with 4.70.
     
  9. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    4.69-30 is not affected by this CVE.
     
  10. _aitor_

    _aitor_ Registered
    PartnerNOC

    Joined:
    Oct 26, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Hi Nick,

    Could you confirm for me that on 11.32 (with no custom RPMs) disabling the "Allow DKIM verification for incoming messages" option is enough to be secure?

    Thanks


     
  11. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    That should be sufficient. However, you should also update to 11.32.5.13 or 11.34.0.6 as soon as they are published.

    Once you update, you can validate the new rpm is installed by running

    # rpm -q exim --changelog | grep CVE-2012-5671

    You should see '-Fixes CVE-2012-5671' returned (at least once)
     
  12. _aitor_

    _aitor_ Registered
    PartnerNOC

    Joined:
    Oct 26, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Thanks Nick.
     
  13. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Nick,

    I see the changelog says 11.32.5.13 is the latest version and that it resolves the CVE in question. But you mentioned 11.32.5.16. Is there going to be some additional update pushed related to this with a version update to 11.32.5.16, or was 11.32.5.16 simply a mistype on your part?

    Mike
     
  14. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Sorry, I just pasted in the latest internal version. The published version with the fix is .13. Sorry for the confusion.
     
  15. sodapopinski

    sodapopinski Well-Known Member

    Joined:
    Aug 13, 2001
    Messages:
    79
    Likes Received:
    0
    Trophy Points:
    6
  16. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
  17. FleroviumUranus

    FleroviumUranus Registered

    Joined:
    Aug 28, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
  18. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    4.80-XX is not the same as 4.80.1-XX
     
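    The three checks the thread converges on (posts #3, #11 and #18) can be folded into one triage script: is the installed Exim inside the vulnerable version window, was DKIM compiled into that build, and does exim.conf carry the `control = dkim_disable_verify` mitigation. The script below is an added example, not code from the thread or from cPanel. It assumes the exposure window is 4.70 (where Exim's DKIM code first appeared, which is why post #5 says 4.69 is unaffected) through 4.80, with 4.80.1 as the fixed release, and it treats any non-numeric suffix such as `-12` or `.el6` as packaging noise so that `4.80-XX` and `4.80.1-XX` compare differently, as post #18 notes. The `exim -bV` output and the exim.conf fragments inside it are constructed sample inputs, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): triage helper for CVE-2012-5671.
# Inputs are an Exim version string, the text of `exim -bV`, and the text of
# exim.conf. All sample inputs below are constructed.

# 0 (true) when the version carried the vulnerable DKIM verifier: 4.70..4.80
# inclusive; 4.80.1 is the fix. Packaging suffixes ("-12", ".el6") are dropped.
exim_version_in_window() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 70 ] || return 1          # DKIM (and the bug) arrived in 4.70
    [ "$minor" -lt 80 ] && return 0
    [ "$minor" -eq 80 ] && [ "$patch" -eq 0 ] && return 0
    return 1
}

# 0 when the build advertises DKIM on the "Support for:" line of `exim -bV`.
exim_dkim_built_in() {
    printf '%s\n' "$1" | grep 'Support for:' | grep -qw DKIM
}

# 0 when exim.conf has an uncommented "control = dkim_disable_verify" (the line
# cPanel 11.32/11.34 adds by default). A grep cannot tell which ACL the line is
# in; the control only helps when it runs before the DATA phase.
exim_dkim_verify_disabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -q 'control[[:space:]]*=[[:space:]]*dkim_disable_verify'
}

# Combine the checks into a verdict: not-affected, mitigated or vulnerable.
exim_cve_2012_5671_status() {
    if ! exim_version_in_window "$1"; then
        echo "not-affected: version $1 outside 4.70..4.80"
    elif ! exim_dkim_built_in "$2"; then
        echo "not-affected: DKIM not compiled in"
    elif exim_dkim_verify_disabled "$3"; then
        echo "mitigated: dkim_disable_verify set, still update to 4.80.1"
    else
        echo "vulnerable: update to 4.80.1 or set dkim_disable_verify"
    fi
}

# Constructed sample inputs.
BV_WITH_DKIM='Exim version 4.80 #2 built 12-Jun-2012 10:00:00
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DKIM Old_Demime'
BV_NO_DKIM='Exim version 4.69 #1 built 01-Jan-2010 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning Old_Demime'
CONF_MITIGATED='acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
  warn control = dkim_disable_verify
  accept'
CONF_EXPOSED='acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
  # warn control = dkim_disable_verify
  accept'

# Demo on the constructed inputs.
exim_cve_2012_5671_status 4.80-12   "$BV_WITH_DKIM" "$CONF_EXPOSED"
exim_cve_2012_5671_status 4.80-12   "$BV_WITH_DKIM" "$CONF_MITIGATED"
exim_cve_2012_5671_status 4.69-30   "$BV_NO_DKIM"   "$CONF_EXPOSED"
exim_cve_2012_5671_status 4.80.1-3  "$BV_WITH_DKIM" "$CONF_EXPOSED"
```

On a live cPanel box the three arguments would come from `rpm -q exim --qf '%{VERSION}-%{RELEASE}'`, `exim -bV`, and `/etc/exim.conf`; the version check is deliberately separate from the DKIM check so that a custom RPM with DKIM compiled into a 4.69 base (post #7) is reported as exposed only if its version actually falls in the window, and a "mitigated" verdict is still a prompt to install the fixed RPM, not a reason to skip it.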
  19. d'argo

    d'argo Active Member

    Joined:
    Jul 4, 2012
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    The class of attack is known as a "heap-based buffer overflow"; your OS might be built with protections to mitigate against these attacks.

    We use a grsecurity kernel. Glad we did this because it stops buffer overflows. Patching is important, but it's not proactive.
     