Skip to main content

CVE-2023-42115 Exim - OOB RCE

Comments

22 comments

  • cPRex Jurassic Moderator
    Hey there! We're on it! More details can be found here:
    0
  • ethicalhost
    so looks like update is coming very soon Exim issues email server update, mitigations for 6 zero-day vulnerabilities | IT World Canada News how long before cpanel has it? J
    0
  • cPRex Jurassic Moderator
    I never give out ETAs, but these critical issues are a top priority. Once Exim releases it, we'll be on it.
    0
  • tom9909
    I never give out ETAs, but these critical issues are a top priority. Once Exim releases it, we'll be on it.

    I know this is a long shot, but is there a chance that the patch can be deployed to v110 when its released?
    0
  • jpants
    I know this is a long shot, but is there a chance that the patch can be deployed to v110 when its released?

    110 is current LTS release so it should receive the patch for sure.
    0
  • cPRex Jurassic Moderator
    The fixed versions will be 110.0.12, 114.0.7, and all versions of 116.
    0
  • ethicalhost
    when will it show for upcp to update (still showing .11 for LTS?
    0
  • ffeingol
    I never give out ETAs, but these critical issues are a top priority. Once Exim releases it, we'll be on it.

    0
  • ethicalhost
    sorry i thought your post meant it was ready
    0
  • jpants
    The patches are out now
    0
  • zhongshan
    Does this fix the SPF vulnerability? I'm asking this since I understand the SPF issues are in libspf2 which is used by Exim, so Exim has no control over that.
    0
  • SimpleSonic
    Does this fix the SPF vulnerability? I'm asking this since I understand the SPF issues are in libspf2 which is used by Exim, so Exim has no control over that.

    According to the change log for 114.0.7, libspf2 was updated, so I am going to assume that is a yes: [security] Fixed case CPANEL-43378: Update cpanel-libspf2 to 1.2.11-2.cp108.
    If @cPRex can confirm, that would be better though.
    0
  • cPRex Jurassic Moderator
    Nope, that's correct!
    0
  • cPRex Jurassic Moderator
    All the versions with the fixes have been released at this point!
    0
  • simz8
    right now we are running exim 4.96-8.cp108~el7 (cpanel v110.0.7). i can figure out that the patch is inside v110.0.12 version but according to
    0
  • cPRex Jurassic Moderator
    Your "this" link isn't working, so I can't see where that leads. I also don't think you're reading the version numbering of the package properly. 4.96-8 was released in January 2023, as outlined here:
    0
  • simz8
    Your "this" link isn't working, so I can't see where that leads. I also don't think you're reading the version numbering of the package properly. 4.96-8 was released in January 2023, as outlined here:
    Many thanks for your reply @cPRex . indeed my version 4.96-8 (included in cpanel v110.0.7) is earlier than 4.96.1-2. According to this article :
    0
  • quietFinn
    I think you misunderstood that sentence, it means that Exim is NOT vulnerable if the "SPA' auth driver is NOT enabled .
    0
  • simz8
    I think you misunderstood that sentence, it means that Exim is NOT vulnerable if the "SPA' auth driver is NOT enabled .

    yes exactly. i think that the default configuration for exim is that SPA auth driver is NOT enabled - so exim is NOT vulnerable by default. How can i confirm this for my installation. ?
    0
  • cPRex Jurassic Moderator
    You would have had to make manual customizations to Exim through the WHM >> Exim Configuration Manager >> Advanced, and then manually add some code in order for this to be present. If you don't recall doing that, which is unlikely for most users, it isn't going to be affected.
    0
  • simz8
    You would have had to make manual customizations to Exim through the WHM >> Exim Configuration Manager >> Advanced, and then manually add some code in order for this to be present. If you don't recall doing that, which is unlikely for most users, it isn't going to be affected.

    thanks @cPRex, so you confirm that exim is NOT vulnerable by default (meaning that SPA auth is not enabled) for CVEs CVE-2023-42114 and CVE-2023-42116 . CVE-2023-42115 mentions that external auth has to be enabled in order to be vulnerable. I assume that external auth also requires manual editing of exim configuration manager?
    0
  • cPRex Jurassic Moderator
    That's correct!
    0

Please sign in to leave a comment.