
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0101
                      exim: Multiple vulnerabilities
                                7 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          exim
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Root Compromise                 -- Existing Account      
                  Modify Arbitrary Files          -- Existing Account      
                  Denial of Service               -- Remote/Unauthenticated
                  Access Confidential Data        -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-27216 CVE-2020-28026 CVE-2020-28025
                  CVE-2020-28024 CVE-2020-28023 CVE-2020-28022
                  CVE-2020-28021 CVE-2020-28020 CVE-2020-28019
                  CVE-2020-28018 CVE-2020-28017 CVE-2020-28016
                  CVE-2020-28015 CVE-2020-28014 CVE-2020-28013
                  CVE-2020-28012 CVE-2020-28011 CVE-2020-28010
                  CVE-2020-28009 CVE-2020-28008 CVE-2020-28007
Reference:        ESB-2021.1562
                  ESB-2021.1520.2
                  ESB-2021.1512

Comment: Immediate patching is recommended as exploit code is expected to be 
         developed and available in the short term. A combination of exploits may
         possibly be used to escalate to root. Due to the significant number of 
         mailservers running exim, this provides incentive for the creation of 
         exploit code.

OVERVIEW

        Serious vulnerabilities have been disclosed that allow remote attackers
        to gain complete root privileges on systems running the Exim mail
        server [1].

        All versions of Exim prior to version 4.94.2 are now obsolete. The
        last 3.x release was 3.36. It is obsolete and should not be used. [1]


IMPACT

        The following is an aggregate of information from various sources:
        
        CVE-2021-27216
        Arbitrary file deletion
        Attack Vector: Local
        
        CVE-2020-28026
        Line truncation and injection in spool_read_header()
        Attack Vector: Remote
         
        CVE-2020-28025
        Heap out-of-bounds read in pdkim_finish_bodyhash()
        Attack Vector: Remote
        
        CVE-2020-28024
        Heap buffer underflow in smtp_ungetc()
        Attack Vector: Remote
        
        CVE-2020-28023
        Out-of-bounds read in smtp_setup_msg()
        Attack Vector: Remote
        
        CVE-2020-28022
        Heap out-of-bounds read and write in extract_option()
        Attack Vector: Remote
        
        CVE-2020-28021
        New-line injection into spool header file
        Attack Vector: Remote
        Privilege Required: Low
          
        CVE-2020-28020
        Integer overflow in receive_msg()
        Attack Vector: Remote
        Privilege Required: None
         
        CVE-2020-28019
        Failure to reset function pointer after BDAT error
        Attack Vector: Remote
         
        CVE-2020-28018
        Use-after-free in tls-openssl.c
        Attack Vector: Remote
        Privilege Required: None
        
        CVE-2020-28017
        Integer overflow in receive_add_recipient()
        Attack Vector: Remote
        Privilege Required: None
        
        CVE-2020-28016
        Heap out-of-bounds write in parse_fix_phrase()
        Attack Vector: Local
         
        CVE-2020-28015
        New-line injection into spool header file
        Attack Vector: Local
        Privilege Required: Low
        
        CVE-2020-28014
        Arbitrary file creation and clobbering
         
        CVE-2020-28013
        Heap buffer overflow in parse_fix_phrase()
        Attack Vector: Local
        
        CVE-2020-28012
        Missing close-on-exec flag for privileged pipe
        Attack Vector: Local
        Privilege Required: Low
         
        CVE-2020-28011
        Heap buffer overflow in queue_run()
        Attack Vector: Local
         
        CVE-2020-28010
        Heap out-of-bounds write in main()
        Attack Vector: Local
        
        CVE-2020-28009
        Integer overflow in get_stdinput()
        Attack Vector: Local
        
        CVE-2020-28008
        Assorted attacks in Exim's spool directory
        Attack Vector: Local
        Privilege Required: High
         
        CVE-2020-28007
        Link attack in Exim's log directory
        Attack Vector: Local
        Privilege Required: High


MITIGATION

        It is strongly recommended that all organisations running Exim update to
        4.94.2 as soon as possible.

        Easily available exploit code utilising these vulnerabilities can be
        expected to be developed and could be in widespread use in the near
        future, increasing the urgency of updating.

        Up-to-date information can be found on the Exim website [2].
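        A per-host check a defender can run to confirm the installed Exim is at
        or beyond the fixed release 4.94.2 named above. This is an added example,
        not part of the AusCERT bulletin or the Exim project; it assumes that
        "exim -bV" prints a first line beginning "Exim version X.Y.Z", and the
        sample output embedded below is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the bulletin): compare the installed Exim version
# with the fixed release 4.94.2. Assumes "exim -bV" output starts with
# "Exim version X.Y.Z"; SAMPLE_BV below is a constructed stand-in for it.

FIXED_VERSION="4.94.2"

# Return 0 (true) if dotted version $1 is older than $2; missing
# components count as 0, so 4.94 compares as 4.94.0 (older than 4.94.2).
version_lt() {
    a="$1" b="$2" i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Read "exim -bV" output on stdin and print just the X.Y.Z version string.
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print a verdict for a version string; always returns 0 so callers can
# capture the text and decide on their own exit code.
exim_verdict() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: Exim $1 is older than $FIXED_VERSION"
    else
        echo "PATCHED: Exim $1 is $FIXED_VERSION or later"
    fi
}

# Constructed sample of the first line of "exim -bV" on an unpatched host.
SAMPLE_BV="Exim version 4.94 #2 built 02-Dec-2020 12:20:23"

if [ "${1:-}" = "--live" ]; then
    ver=$(exim -bV 2>/dev/null | exim_version_from_bv)
else
    ver=$(printf '%s\n' "$SAMPLE_BV" | exim_version_from_bv)
fi
exim_verdict "${ver:-0}"
```

        Run with "--live" on a real host to check the installed binary instead
        of the constructed sample.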


REFERENCES

        [1] Qualys Security Advisory: 21Nails: Multiple vulnerabilities in Exim
            https://www.qualys.com/2021/05/04/21nails/21nails.txt

        [2] Index of /static/doc/security/CVE-2020-qualys/
            https://www.exim.org/static/doc/security/CVE-2020-qualys/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================