cve-2023-51766 - Exim Mail Server Simple Mail Transfer Protocol (SMTP) Smuggling Vulnerability
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Does cPanel plan a fix for this? I can't pass a security scan because of this.
-
Looking at the CVE-2023-51766 details, Exim's bug tracker and Exim's own details about it, this is only a problem if CHUNKING and PIPELINING are enabled.
Looking at my current Exim configuration (in WHM's Exim Configuration Manager->Advanced Editor), I can see that "chunking_advertise_hosts" is set to a single IP address, "198.51.100.1" (which is a cPanel default IP address and is actually part of the "not routed" range reserved for documentation purposes). I see no entry in my configuration for "pipelining_advertise_hosts" or "pipelining_connect_advertise_hosts" - however, whilst Exim's "smtp_enforce_sync" default setting is "true", cPanel defaults to "false" to help improve mail delivery: so pipelining may be enabled.
So - since chunking is only available to an IP address which cannot access the server (because it is not routable), my Exim 4.96.2 installation (exim -bV), which was released by Exim in October 2023, should be safe (see below). The "fixed" version of Exim - 4.97.1 - was only released on December 25 2023 (Christmas Day!).
I've actually just tried the "exploit test tool" from SEC Consult (available on Github) and out of the 7 tests - only 2 smuggle attempts ('\n.\n' and '\n.\r\n') were successful - so not too bad and hopefully cPanel will update shortly.
0 -
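As an added illustration (not code from this thread, from cPanel or from Exim), the following Python scans a captured SMTP DATA payload for the two lenient end-of-data sequences the post above reports as accepted, <LF>.<LF> and <LF>.<CR><LF>, and shows how a strict RFC 5321 receiver and a lenient one would split the same stream into a different number of messages. The sample payload is constructed for the demonstration.

```python
import re

# Standard end-of-data marker (RFC 5321): <CR><LF>.<CR><LF>
STRICT_EOD = re.compile(rb"\r\n\.\r\n")

# Also accept the two bare-LF variants named in the thread, <LF>.<LF> and
# <LF>.<CR><LF>. The lookbehind stops the strict CRLF form from being counted
# twice; any other line-ending mix is left alone, as the thread does not name it.
LENIENT_EOD = re.compile(rb"\r\n\.\r\n|(?<!\r)\n\.\r?\n")


def find_lenient_terminators(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for every non-standard end-of-data sequence
    inside one DATA payload. A well-formed message yields an empty list."""
    return [(m.start(), m.group(0))
            for m in LENIENT_EOD.finditer(data)
            if m.group(0) != b"\r\n.\r\n"]


def count_messages(data: bytes, lenient: bool) -> int:
    """Number of messages a receiver would extract from one DATA stream:
    a strict parser ends a message only on CRLF.CRLF, a lenient parser also
    ends it on the bare-LF variants, so the two can disagree."""
    pattern = LENIENT_EOD if lenient else STRICT_EOD
    return len(pattern.findall(data))


# Constructed sample: a single DATA payload, correctly terminated at the end,
# that carries an embedded <LF>.<CR><LF> in the middle of its body.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: one\r\n\r\n"
    b"first body\r\n"
    b"\n.\r\n"  # a strict receiver sees body text; a lenient one sees end-of-data
    b"From: other@example.com\r\nTo: b@example.com\r\nSubject: two\r\n\r\n"
    b"second body\r\n.\r\n"
)


def demo() -> dict:
    """Run the check over SAMPLE and report what each kind of receiver sees."""
    return {
        "lenient_terminators": find_lenient_terminators(SAMPLE),
        "messages_strict": count_messages(SAMPLE, lenient=False),
        "messages_lenient": count_messages(SAMPLE, lenient=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A mismatch between the two counts on a captured session is the desync the CVE describes; on a patched receiver both parsers should agree.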
Hey there! This is fixed in all versions of 118 and is part of the next release, 116.0.11.
0 -
what about the people who are still on 110?
0 -
There is a backport request to 110 on the case, but I don't see that it has been applied to a specific version just yet.
0 -
Following this thread and anxiously looking forward to a backported update for v110 users.
0 -
110.0.21 will be the version, so it will be the next release :D
0 -
Awesome, thanks for the update! :D
0 -
Sure thing!
0 -
cPRex after reviewing this thread, I updated to 116.0.11, however exim has not updated past 4.96.2-2.cp108~el8. How do we get to 4.97.1 so we can pass our PCI scans?
0 -
Lanbo - you don't - we make our own Exim version. You'll likely need to show them the output of "rpm -q --changelog exim" in order to show them your system is patched.
If there is a specific CVE you are worried about you can run this command to search for that, such as the CVE listed earlier in this thread:
# rpm -q --changelog cpanel-exim | grep 51766
- CPANEL-43706: Apply upstream patches for CVE-2023-51766
1 -
Thank you cPRex that will solve my problem and I thought this was the case. But the link below says to use "exim" to check for backported CVEs, so I was using that instead of "cpanel-exim"
https://docs.cpanel.net/knowledge-base/security/pci-compliance-and-software-versions/
0 -
I'll get that docs page updated with the correct details!
1 -
I just wanted to confirm I did create a case with our documentation team so that page should get updated to say "cpanel-exim" soon!
0 -
This seems to have been fixed last night, thanks, although the fix is dated to last December:
$ rpm -q --changelog cpanel-exim
* Wed Dec 27 2023 Rishwanth Yeddula <rish@cpanel.net> 4.96.2-2.cp108~el7
- CPANEL-43706: Apply upstream patches for CVE-2023-51766
0 -
Flyer - It's quite common for large software distributors to coordinate the release of security fixes to prevent knowledge of the vulnerability becoming "common knowledge" before all the other distributors are ready with their patches. Exim probably released the fix a few days after the CVE was sent to them, but then they sent the fix to cPanel, RedHat, Ubuntu etc etc who then all had to QA the patch, check compatibility etc etc before pushing it out to their customers. If somebody had "jumped the gun" then everybody else would have to rush their processes which may cause bigger issues (such as - and this is just a made up example - the patch not working when Unicode strings are passed in the LTR language: forcing the entire patch development+QA process to have to start again)
0 -
With the EOL deadline for CentOS 7 fast approaching, and unable to upgrade my Azure VM in situ, I've transferred everything to another VM running Ubuntu 22.04 LTS. It is failing a PCI scan due to this issue, but I can't find out if Exim has the required patch.
$ sudo apt-get changelog cpanel-exim
E: Failed to fetch changelog:/cpanel-exim.changelog
Changelog unavailable for cpanel-exim=4.96.2-2.cp108~u22
Anyone know?
0 -
Flyer - this has been fixed in all cPanel versions for some time now.
If it is a new installation there may not be any changelog data for the package. You can always manually check the data in /usr/share/doc/cpanel-exim for specific package data if it isn't showing up in the changelog.
0 -
cPRex - that file confirms that the fix has been applied, thanks.
cpanel-exim (4.96.2-2.cp108~u22) unstable; urgency=low
* CPANEL-43706: Apply upstream patches for CVE-2023-51766
-- Rishwanth Yeddula <rish@cpanel.net> Wed, 27 Dec 2023 00:00:00 +0100
0 -
You're welcome!
0