===========================================================================
              AUSCERT Security Bulletin ASB-2021.0101
                    exim: Multiple vulnerabilities
                              7 May 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exim
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Modify Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27216 CVE-2020-28026 CVE-2020-28025 CVE-2020-28024
                   CVE-2020-28023 CVE-2020-28022 CVE-2020-28021 CVE-2020-28020
                   CVE-2020-28019 CVE-2020-28018 CVE-2020-28017 CVE-2020-28016
                   CVE-2020-28015 CVE-2020-28014 CVE-2020-28013 CVE-2020-28012
                   CVE-2020-28011 CVE-2020-28010 CVE-2020-28009 CVE-2020-28008
                   CVE-2020-28007
Reference:         ESB-2021.1562 ESB-2021.1520.2 ESB-2021.1512

Comment: Immediate patching is recommended as exploit code is expected to be
         developed and available in the short term. A combination of
         exploits may possibly be used to escalate to root. Due to the
         significant number of mail servers running exim, this provides
         incentive for the creation of exploit code.

OVERVIEW

        Serious vulnerabilities allowing remote attackers to gain complete
        root privileges on systems running the Exim mail server [1]

        All versions of Exim previous to version 4.94.2 are now obsolete.
        The last 3.x release was 3.36. It is obsolete and should not be
        used. [1]

IMPACT

        The following is an aggregate of information from various sources:

        CVE-2021-27216  Arbitrary file deletion
                        Attack Vector: Local

        CVE-2020-28026  Line truncation and injection in spool_read_header()
                        Attack Vector: Remote

        CVE-2020-28025  Heap out-of-bounds read in pdkim_finish_bodyhash()
                        Attack Vector: Remote

        CVE-2020-28024  Heap buffer underflow in smtp_ungetc()
                        Attack Vector: Remote

        CVE-2020-28023  Out-of-bounds read in smtp_setup_msg()
                        Attack Vector: Remote

        CVE-2020-28022  Heap out-of-bounds read and write in extract_option()
                        Attack Vector: Remote

        CVE-2020-28021  New-line injection into spool header file
                        (Attack Vector: Remote)
                        Attack Vector: Remote
                        Privilege Required: Low

        CVE-2020-28020  Integer overflow in receive_msg()
                        Attack Vector: Remote
                        Privilege Required: None

        CVE-2020-28019  Failure to reset function pointer after BDAT error
                        Attack Vector: Remote

        CVE-2020-28018  Use-after-free in tls-openssl.c
                        Attack Vector: Remote
                        Privilege Required: None

        CVE-2020-28017  Integer overflow in receive_add_recipient()
                        Attack Vector: Remote
                        Privilege Required: None

        CVE-2020-28016  Heap out-of-bounds write in parse_fix_phrase()
                        Attack Vector: Local

        CVE-2020-28015  New-line injection into spool header file
                        (Attack Vector: Local)
                        Attack Vector: Local
                        Privilege Required: Low

        CVE-2020-28014  Arbitrary file creation and clobbering

        CVE-2020-28013  Heap buffer overflow in parse_fix_phrase()
                        Attack Vector: Local

        CVE-2020-28012  Missing close-on-exec flag for privileged pipe
                        Attack Vector: Local
                        Privilege Required: Low

        CVE-2020-28011  Heap buffer overflow in queue_run()
                        Attack Vector: Local

        CVE-2020-28010  Heap out-of-bounds write in main()
                        Attack Vector: Local

        CVE-2020-28009  Integer overflow in get_stdinput()
                        Attack Vector: Local

        CVE-2020-28008  Assorted attacks in Exim's spool directory
                        Attack Vector: Local
                        Privilege Required: High

        CVE-2020-28007  Link attack in Exim's log directory
                        Attack Vector: Local
                        Privilege Required: High

MITIGATION

        It is strongly recommended that all organisations running Exim
        update to 4.94.2 as soon as possible. Easily available exploit code
        utilising these vulnerabilities can be expected to be developed and
        could be in widespread use in the near future, which increases the
        urgency of updating. Up-to-date information can be found from
        exim [2]

REFERENCES

        [1] Qualys Security Advisory: 21Nails: Multiple vulnerabilities in Exim
            https://www.qualys.com/2021/05/04/21nails/21nails.txt

        [2] Index of /static/doc/security/CVE-2020-qualys/
            https://www.exim.org/static/doc/security/CVE-2020-qualys/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
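A triage helper for the mitigation above, added here as an example and not part of the AusCERT bulletin or the Exim project: it parses the banner line of `exim -bV` output and reports whether the build is older than 4.94.2 (or on the obsolete 3.x branch). The sample banner is constructed; a version-only check is a signal for follow-up, since distributions can backport fixes without changing the version string.

```python
import re

# Fixed release named by the bulletin: Exim 4.94.2. Anything older is obsolete.
FIXED_VERSION = (4, 94, 2)

# Constructed sample of `exim -bV` output (the real banner also lists build
# options and support flags, which this parser ignores).
SAMPLE_BANNER = """Exim version 4.92 #3 built 01-Jan-2020 00:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL
"""

# Matches "Exim version 4.94.2", "Exim version 4.92", and distro-suffixed
# strings such as "4.94.2-7" (the suffix after the patch number is ignored).
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_version(banner: str) -> tuple:
    """Return (major, minor, patch) from `exim -bV` output; patch defaults to 0."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("no 'Exim version' line found in banner")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def needs_update(version: tuple) -> bool:
    """True when the build predates 4.94.2; tuple comparison also flags 3.x."""
    return version < FIXED_VERSION


def assess(banner: str) -> dict:
    """Summarise a host's exposure from its `exim -bV` banner.

    Caveat (assumption, not from the bulletin): distributions may ship a
    patched build under an older version string, so treat needs_update as a
    prompt to check the vendor advisory rather than as proof of exposure.
    """
    version = parse_exim_version(banner)
    return {
        "version": version,
        "needs_update": needs_update(version),
        "obsolete_branch": version[0] < 4,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))
```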