
cve-2023-51766 - Exim Mail Server Simple Mail Transfer Protocol (SMTP) Smuggling Vulnerability

Answered

Comments

19 comments

  • rbairwell

    Looking at the CVE-2023-51766 details, Exim's bug tracker and Exim's own details about it, this is only a problem if CHUNKING and PIPELINING are enabled.

    Looking at my current Exim configuration (in WHM's Exim Configuration Manager->Advanced Editor), I can see that "chunking_advertised_hosts" is set to a single IP address, "198.51.100.1" (which is a cPanel default IP address and is actually part of the "not routed" range reserved for documentation purposes). I see no entry in my configuration for "pipelining_advertise_hosts" or "pipelining_connect_advertise_hosts" - however, whilst Exim's "smtp_enforce_sync" default setting is "true", cPanel defaults to "false" to help improve mail delivery, so pipelining may be enabled.

    So - since chunking is only available to an IP address which cannot access the server (because it is not routable), my Exim 4.96.2 installation (exim -bV), which was released by Exim in October 2023, should be safe (see below). The "fixed" version of Exim - 4.97.1 - was only released on December 25 2023 (Christmas Day!).

    I've actually just tried the "exploit test tool" from SEC Consult (available on GitHub) and out of the 7 tests only 2 smuggle attempts ('\n.\n' and '\n.\r\n') were successful - so not too bad, and hopefully cPanel will update shortly.

    0
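    The check rbairwell describes above (is CHUNKING advertised, and is PIPELINING advertised?) can be read straight from a server's EHLO reply rather than from the Exim configuration. The following is an added example, not code from the thread, from Exim or from cPanel: it parses an EHLO reply, reports whether both extensions are advertised to the connecting client, and includes an optional live check for a server you administer using smtplib's esmtp_features. The sample EHLO replies are constructed, not captured from any real server.

```python
"""Check whether an SMTP server advertises CHUNKING and PIPELINING, the two
ESMTP extensions the thread names as the preconditions for the
CVE-2023-51766 SMTP smuggling issue.

Added example, not from the thread or from Exim/cPanel. The parser works on
a captured EHLO reply; constructed sample replies are embedded so it runs
offline. advertised_extensions() is an optional live check of a server you
operate, using smtplib's esmtp_features (a standard-library attribute).
"""
import smtplib

# Constructed EHLO replies (not captured from any real server).
SAMPLE_EHLO_BOTH = (
    "250-mail.example.com Hello client.example.net [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# What a client sees when chunking_advertised_hosts does not include it,
# the cPanel default situation described in the thread.
SAMPLE_EHLO_NO_CHUNKING = (
    "250-mail.example.com Hello client.example.net [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords from a multi-line EHLO reply.

    Line 1 is the greeting ('250-host Hello ...') and carries no keyword;
    every later line is '250-KEYWORD [params]' or, on the last line,
    '250 KEYWORD [params]'. Keywords are compared case-insensitively."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def smuggling_preconditions(keywords: set[str]) -> dict[str, bool]:
    """Report whether each extension the thread names is advertised."""
    return {name: name in keywords for name in ("CHUNKING", "PIPELINING")}


def needs_attention(reply: str) -> bool:
    """True only when both extensions are advertised to this client, the
    combination the thread says unpatched Exim is exposed through. A patched
    Exim may still advertise both: this is a precondition check, not proof
    of vulnerability."""
    return all(smuggling_preconditions(parse_ehlo(reply)).values())


def advertised_extensions(host: str, port: int = 25, timeout: float = 10.0) -> set[str]:
    """Live check against a server you administer: send EHLO and read what
    it advertises. smtplib keeps the parsed extensions in esmtp_features,
    keyed in lower case."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return {name.upper() for name in smtp.esmtp_features}


if __name__ == "__main__":
    for label, sample in (("both", SAMPLE_EHLO_BOTH), ("no CHUNKING", SAMPLE_EHLO_NO_CHUNKING)):
        print(label, smuggling_preconditions(parse_ehlo(sample)),
              "attention:", needs_attention(sample))
```

    Because chunking_advertised_hosts is a host list, the answer depends on the address you connect from: a check from the server itself or from a trusted relay can show CHUNKING while an external client never sees it. Run the live check from the network position that matters, and treat the thread's patched-package checks as the authoritative answer.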
  • cPRex Jurassic Moderator

    Hey there!  This is fixed in all versions of 118 and is part of the next release, 116.0.11.

    0
  • Curious Too

    What about the people who are still on 110?

    0
  • cPRex Jurassic Moderator

    There is a backport request to 110 on the case, but I don't see that it has been applied to a specific version just yet.

    0
  • Jeff

    Following this thread and anxiously looking forward to a backported update for v110 users.

    0
  • cPRex Jurassic Moderator

    110.0.21 will be the version, so it will be the next release :D

    0
  • Jeff

    Awesome, thanks for the update! :D

    0
  • cPRex Jurassic Moderator

    Sure thing!

    0
  • Lanbo

    cPRex, after reviewing this thread I updated to 116.0.11; however, exim has not updated past 4.96.2-2.cp108~el8. How do we get to 4.97.1 so we can pass our PCI scans?

    0
  • cPRex Jurassic Moderator

    Lanbo - you don't - we make our own Exim version.  You'll likely need to show them the output of "rpm -q --changelog exim" in order to show them your system is patched.

    If there is a specific CVE you are worried about you can run this command to search for that, such as the CVE listed earlier in this thread:

    # rpm -q --changelog cpanel-exim | grep 51766
    - CPANEL-43706: Apply upstream patches for CVE-2023-51766

    1
  • Lanbo

    Thank you, cPRex, that will solve my problem, and I thought this was the case. But the link below says to use "exim" to check for backported CVEs, so I was using that instead of "cpanel-exim".

    https://docs.cpanel.net/knowledge-base/security/pci-compliance-and-software-versions/

    0
  • cPRex Jurassic Moderator

    I'll get that docs page updated with the correct details!

    1
  • cPRex Jurassic Moderator

    I just wanted to confirm I did create a case with our documentation team so that page should get updated to say "cpanel-exim" soon!

    0
  • Flyer

    This seems to have been fixed last night, thanks, although the fix is dated to last December:

    $ rpm -q --changelog cpanel-exim
    * Wed Dec 27 2023 Rishwanth Yeddula <rish@cpanel.net> 4.96.2-2.cp108~el7
    - CPANEL-43706: Apply upstream patches for CVE-2023-51766

    0
  • rbairwell

    Flyer - It's quite common for large software distributors to coordinate the release of security fixes to prevent knowledge of the vulnerability becoming "common knowledge" before all the other distributors are ready with their patches. Exim probably released the fix a few days after the CVE was sent to them, but then they sent the fix to cPanel, RedHat, Ubuntu etc etc, who then all had to QA the patch, check compatibility etc etc before pushing it out to their customers. If somebody had "jumped the gun" then everybody else would have had to rush their processes, which may cause bigger issues (such as - and this is just a made up example - the patch not working when Unicode strings are passed in the LTR language, forcing the entire patch development+QA process to have to start again).

    0
  • Flyer

    With the EOL deadline for CentOS 7 fast approaching, and unable to upgrade my Azure VM in situ, I've transferred everything to another VM running Ubuntu 22.04 LTS. It is failing a PCI scan due to this issue, but I can't find out if Exim has the required patch.

    $ sudo apt-get changelog cpanel-exim
    E: Failed to fetch changelog:/cpanel-exim.changelog
    Changelog unavailable for cpanel-exim=4.96.2-2.cp108~u22

    Anyone know?

    0
  • cPRex Jurassic Moderator

    Flyer - this has been fixed in all cPanel versions for some time now.

    If it is a new installation there may not be any changelog data for the package.  You can always manually check the data in /usr/share/doc/cpanel-exim for specific package data if it isn't showing up in the changelog.

    0
  • Flyer

    cPRex - that file confirms that the fix has been applied, thanks.

    cpanel-exim (4.96.2-2.cp108~u22) unstable; urgency=low

      * CPANEL-43706: Apply upstream patches for CVE-2023-51766

    -- Rishwanth Yeddula <rish@cpanel.net>  Wed, 27 Dec 2023 00:00:00 +0100

    0
  • cPRex Jurassic Moderator

    You're welcome!

    0