Symptoms
Multiple vulnerabilities were recently announced for the Exim software. At this time, Exim has released a statement on the vulnerabilities as well as a patch for several of the reported vulnerabilities to their upstream packages.
Description
cPanel support was made aware of multiple Exim CVE announcements, and at this time our development team is working to get an update with these patches out as soon as possible.
More information about the specific vulnerabilities and the timeline of the reports can be found below, including information relating to how this affects the default Exim configuration for cPanel.
CVE-2023-42114 - https://www.zerodayinitiative.com/advisories/ZDI-23-1468/
This CVE was fully addressed with the Exim update to version 4.96.1-2.
No versions of cPanel Exim are vulnerable to this by default unless the 'SPA' auth driver is enabled.
CVE-2023-42115 - https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
This CVE was fully addressed with the Exim update to version 4.96.1-2.
No versions of cPanel Exim are vulnerable to this by default unless the 'external' auth driver is enabled.
CVE-2023-42116 - https://www.zerodayinitiative.com/advisories/ZDI-23-1470/
This CVE was fully addressed with the Exim update to version 4.96.1-2.
No versions of cPanel Exim are vulnerable to this by default unless the 'SPA' auth driver is enabled.
CVE-2023-42117 - https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
This CVE was fully addressed with the Exim update to version 4.96.2-1.
CVE-2023-42118 - https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
A patch that is intended to mitigate this vulnerability was put in place within the cpanel-libspf2-1.2.11-2 package; however, we are still waiting on the Zero Day Initiative team to verify that this is the issue they reported to Exim.
CVE-2023-42119 - https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
This CVE was fully addressed with the Exim update to version 4.96.2-1.
Workaround
All supported systems automatically apply the update within 24 hours of the patch being released. Clients can also apply the fix at the time of release by running the cPanel update tool instead of waiting for the automated update. These updates are available in or after the following cPanel versions:
- 110.0.13
- 114.0.8
- 116.0.1
This covers all currently supported cPanel versions on every release tier. For reference, the release tiers and the cPanel version on each tier at the time of writing are:
edge: 11.116.0.1
current: 11.114.0.8
release: 11.114.0.8
stable: 11.114.0.8
lts: 11.110.0.13
The patches can be verified on an individual server by querying the package manager for the changelog of the cpanel-exim package (RPM-based distributions: AlmaLinux, RockyLinux, CloudLinux, CentOS) or by searching the package's Debian changelog (Ubuntu). The command differs by operating system; both are listed below:
Ubuntu:
zgrep -E "CVE-2023-4211[456789]" /usr/share/doc/cpanel-exim/changelog.Debian.gz
CloudLinux / AlmaLinux / RockyLinux / CentOS:
rpm -q --changelog cpanel-exim | grep -E "CVE-2023-4211[456789]"
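As an added example (not part of this cPanel article), the following POSIX shell script wraps both checks the article describes: it reports which of the six CVE IDs listed above are not mentioned in the cpanel-exim changelog, and which of the 'spa' / 'external' authenticator drivers are enabled in an Exim configuration. The sample changelog and configuration embedded in it are constructed for illustration. The function names, the `live` argument, and the assumption that the cPanel Exim configuration lives at /etc/exim.conf and declares authenticators with standard `driver = spa` / `driver = external` lines are mine, not the article's.

```shell
#!/bin/sh
# Added example, not part of the cPanel article: check a cpanel-exim changelog
# for the six CVE IDs the article lists, and check an Exim configuration for
# the 'spa' and 'external' authenticator drivers that the article names as the
# condition under which CVE-2023-42114/42115/42116 apply.
# The sample changelog and config below are constructed for illustration.

CVES="CVE-2023-42114 CVE-2023-42115 CVE-2023-42116 CVE-2023-42117 CVE-2023-42118 CVE-2023-42119"

# Read changelog text on stdin; print each listed CVE that it does not mention.
missing_cves() {
    changelog=$(cat)
    for cve in $CVES; do
        printf '%s\n' "$changelog" | grep -q "$cve" || printf '%s\n' "$cve"
    done
}

# Read an Exim config on stdin; print which of the 'spa'/'external' drivers
# are enabled, i.e. appear on an uncommented 'driver = ...' line.
risky_auth_drivers() {
    grep -v '^[[:space:]]*#' \
      | grep -E '^[[:space:]]*driver[[:space:]]*=[[:space:]]*(spa|external)[[:space:]]*$' \
      | sed -E 's/.*=[[:space:]]*//' \
      | sort -u
}

# Live changelog lookup, mirroring the article's two commands.
package_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog cpanel-exim
    elif [ -r /usr/share/doc/cpanel-exim/changelog.Debian.gz ]; then
        zcat /usr/share/doc/cpanel-exim/changelog.Debian.gz
    else
        echo "no cpanel-exim changelog found" >&2
        return 1
    fi
}

# Constructed sample changelog: mentions five CVEs and omits CVE-2023-42118
# (which the article says was patched in cpanel-libspf2, not cpanel-exim).
SAMPLE_CHANGELOG='* Fri Sep 29 2023 Example Packager <packager@example.invalid> - 4.96.2-1
- Fix CVE-2023-42117 and CVE-2023-42119
* Thu Sep 28 2023 Example Packager <packager@example.invalid> - 4.96.1-2
- Fix CVE-2023-42114, CVE-2023-42115, CVE-2023-42116'

# Constructed sample config: the spa driver is commented out, external is enabled.
SAMPLE_EXIM_CONF='begin authenticators

dovecot_login:
  driver = dovecot
  public_name = LOGIN

# spa_auth:
#   driver = spa
#   public_name = NTLM

ext_auth:
  driver = external
  public_name = EXTERNAL'

# Usage on a real server:  sh check_exim.sh live
# (reads the package changelog and /etc/exim.conf instead of the samples;
#  the /etc/exim.conf path is an assumption).
if [ "${1:-}" = "live" ]; then
    echo "CVEs not mentioned in the cpanel-exim changelog:"
    package_changelog | missing_cves
    echo "Enabled spa/external authenticator drivers in /etc/exim.conf:"
    risky_auth_drivers < /etc/exim.conf
fi
```

Run against the constructed samples, `missing_cves` reports only CVE-2023-42118 (absent from the exim changelog because, per the article, its mitigation shipped in cpanel-libspf2) and `risky_auth_drivers` reports only `external`, since the `spa` block is commented out. A CVE missing from the changelog means the package has not yet received that fix; an enabled `spa` or `external` driver means the corresponding CVEs apply to that server until it is updated.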