6 Sep
2019
6 Sep
'19
3:12 p.m.
Another bad one for Exim:
http://exim.org/static/doc/security/CVE-2019-15846.txt
Please make sure you have updated/patched against this.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
6 Sep
6 Sep
4:38 p.m.
Thanks a LOT for this heads up! I really should get rid of exim.
Postfix has a way better track record on security.
On Fri, 6 Sep 2019 at 16:12, Andy Smith <andy(a)bitfolk.com> wrote:
Another bad one for Exim:
http://exim.org/static/doc/security/CVE-2019-15846.txt
Please make sure you have updated/patched against this.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
4:44 p.m.
Debian have a patched update
https://www.debian.org/security/2019/dsa-4517
On Fri, 6 Sep 2019 at 17:39, Adam Spiers <bitfolk(a)adamspiers.org> wrote:
Thanks a LOT for this heads up! I really should get
rid of exim.
Postfix has a way better track record on security.
On Fri, 6 Sep 2019 at 16:12, Andy Smith <andy(a)bitfolk.com> wrote:
Another bad one for Exim:
http://exim.org/static/doc/security/CVE-2019-15846.txt
Please make sure you have updated/patched against this.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
11 Sep
11 Sep
10:28 a.m.
All the security reports on this seem to say that it potentially gives
the attacker root access to a system.
Presumably if your exim is not running as root, then the most it can
give is access as your exim user?
John
--
Xronos Scheduler - https://xronos.uk/
All your school's schedule information in one place.
Timetable, activities, homework, public events - the lot
Live demo at https://schedulerdemo.xronos.uk/
11:15 a.m.
Hi John,
On Wed, Sep 11, 2019 at 11:28:27AM +0100, John Winters wrote:
Presumably if your exim is not running as root, then
the most it can give is
access as your exim user?
Are there setups where Exim doesn't run as root? Normally it runs as
root in order to do local delivery as the required user.
If you have no local delivery then my understanding is that you
aren't vulnerable to this bug, because it relies on writing bad data
into a file that a later delivery agent processes.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
11:25 a.m.
On Wed, 2019-09-11 at 11:15 +0000, Andy Smith wrote:
Hi John,
On Wed, Sep 11, 2019 at 11:28:27AM +0100, John Winters wrote:
Hi,
Hope I'm not hijacking - but it seems like a good point. In default
debian Exim doesn't run as root. For example: my exim (on debian) runs
as user Debian-exim.
ps axu|grep exim
Debian-+ 2231 0.0 0.0 33264 4156 ? Ss Sep08 2:06
/usr/sbin/exim4 -bd -q30m
Debian-+ 3277 0.0 0.0 33368 3680 ? S 12:20 0:00
/usr/sbin/exim4 -bd -q30m
It drops privileges once it opened the ports.
But to be fair, I don't want people executing code as user Debian-exim
either on my machine, thus I patched quickly.
Disclaimer: I switched to exim from sendmail & postfix 20 years ago,
forgive me please if I sound a bit biased by now...
Conrad
Presumably if your exim is not running as root,
then the most it
can give is
access as your exim user?
Are there setups where Exim doesn't run as root? Normally it runs as
root in order to do local delivery as the required user.
If you have no local delivery then my understanding is that you
aren't vulnerable to this bug, because it relies on writing bad data
into a file that a later delivery agent processes.
Cheers,
Andy
11:51 a.m.
Hello,
On Wed, Sep 11, 2019 at 12:25:52PM +0100, Conrad Wood wrote:
Hope I'm not hijacking - but it seems like a good
point. In default
debian Exim doesn't run as root. For example: my exim (on debian) runs
as user Debian-exim.
Yes, the part that accepts data from the Internet drops privileges
to Debian-exim as soon as it's opened the port.
But this exploit doesn't make that process do anything that it's not
expected to do. It writes bad data into a spool file which is later
processed by code that is running as root:
https://github.com/Exim/exim/blob/master/doc/doc-txt/cve-2019-15846/qualys.…
The Exim queue runner process runs as root the whole time it is
running, but that is only periodically. The Exim local delivery
process starts as root but once it's determined which user it needs
to deliver as it does fork a sub-process that drops privilege.
See "2. Root privilege"
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_consi…
As far as I am aware every Exim ever released that is configured to
do TLS and deliver locally is vulnerable to remote root compromise
by this bug.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
11:54 a.m.
On 11/09/2019 12:51, Andy Smith wrote:
[snip]
As far as I am aware every Exim ever released that is
configured to
do TLS and deliver locally is vulnerable to remote root compromise
by this bug.
Thank you - that's the exact question to which I was seeking an answer.
John
...not that I'm considering not upgrading or anything. I was just curious.
--
Xronos Scheduler - https://xronos.uk/
All your school's schedule information in one place.
Timetable, activities, homework, public events - the lot
Live demo at https://schedulerdemo.xronos.uk/
1:26 p.m.
On Wed, 2019-09-11 at 12:54 +0100, John Winters wrote:
On 11/09/2019 12:51, Andy Smith wrote:
[snip]
+1 - as always, Andy is totally on top of things. Thank you for sharing
these details!
I'll look into deliver_drop_privilege option.
Conrad
As far as I am aware every Exim ever released
that is configured to
do TLS and deliver locally is vulnerable to remote root compromise
by this bug.
Thank you - that's the exact question to which I was seeking an
answer.
John
...not that I'm considering not upgrading or anything. I was just
curious. 
7 Sep
7 Sep
8:03 a.m.
On 2019-09-06 15:12+0000, Andy Smith wrote:
Another bad one for Exim:
http://exim.org/static/doc/security/CVE-2019-15846.txt
Please make sure you have updated/patched against this.
Possibly related:
<https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/>
--
Ed
1928
days inactive
1933
days old
9 comments
6 participants
participants (6)
-
Adam Spiers -
Andy Smith -
Conrad Wood -
ed-bitfolk@s5h.net -
John Winters -
Keith Williams