{"openvas": [{"lastseen": "2019-09-10T14:48:13", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-09T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2019-467fcbb10a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-10T00:00:00", "id": "OPENVAS:1361412562310876777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876777", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876777\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-09 02:22:55 +0000 (Mon, 09 Sep 2019)\");\n script_name(\"Fedora Update for exim FEDORA-2019-467fcbb10a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-467fcbb10a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FT3GY7V7SR2RHKNZNQCGXFWUSILVSZNU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the FEDORA-2019-467fcbb10a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is a message transfer agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet. It is\nfreely available under the terms of the GNU General Public Licence. In\nstyle it is similar to Smail 3, but its facilities are more\ngeneral. 
There is a great deal of flexibility in the way mail can be\nrouted, and there are extensive facilities for checking incoming\nmail. Exim can be installed in place of sendmail, although the\nconfiguration of exim is quite different to that of sendmail.\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.92.2~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:49:43", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-09T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2019-ae361e20c2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-10T00:00:00", "id": "OPENVAS:1361412562310876782", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876782", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876782\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-09 02:23:09 +0000 (Mon, 09 Sep 2019)\");\n script_name(\"Fedora Update for exim FEDORA-2019-ae361e20c2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-ae361e20c2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDF37AUNETIOXY6ZLQAUBGBVUTMMV242\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the FEDORA-2019-ae361e20c2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is a message transfer agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet. 
It is\nfreely available under the terms of the GNU General Public Licence. In\nstyle it is similar to Smail 3, but its facilities are more\ngeneral. There is a great deal of flexibility in the way mail can be\nrouted, and there are extensive facilities for checking incoming\nmail. Exim can be installed in place of sendmail, although the\nconfiguration of exim is quite different to that of sendmail.\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.92.2~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-14T14:48:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2019-1ed7bbb09c", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877151", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877151", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877151\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:28:53 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for exim FEDORA-2019-1ed7bbb09c\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-1ed7bbb09c\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBNHDAF74RI6VK2JVSEIE3VYNL7JJDYM\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the FEDORA-2019-1ed7bbb09c advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is a 
message transfer agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet. It is\nfreely available under the terms of the GNU General Public Licence. In\nstyle it is similar to Smail 3, but its facilities are more\ngeneral. There is a great deal of flexibility in the way mail can be\nrouted, and there are extensive facilities for checking incoming\nmail. Exim can be installed in place of sendmail, although the\nconfiguration of exim is quite different to that of sendmail.\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.92.2~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:51:48", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-07T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-4124-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-10T00:00:00", "id": "OPENVAS:1361412562310844166", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844166", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is 
free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844166\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:00:45 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Ubuntu Update for exim4 USN-4124-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4124-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-September/005102.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the USN-4124-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Exim incorrectly handled certain decoding\noperations. A remote attacker could possibly use this issue to execute\narbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.90.1-1ubuntu1.4\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.90.1-1ubuntu1.4\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.92-4ubuntu1.3\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.92-4ubuntu1.3\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-2ubuntu2.5\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-2ubuntu2.5\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n 
exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-09T14:54:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-07T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4517-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310704517", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704517", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704517\");\n script_version(\"2019-09-07T02:00:05+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-07 02:00:05 +0000 (Sat, 07 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:00:05 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Debian Security Advisory DSA 4517-1 (exim4 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(10|9)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4517.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4517-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the DSA-4517-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"'Zerons' and Qualys discovered that a buffer overflow triggerable in the\nTLS negotiation code of the Exim mail transport agent could result in the\nexecution of arbitrary code with root privileges.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable 
distribution (stretch), this problem has been fixed\nin version 4.89-2+deb9u6.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 4.92-8+deb10u2.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.92-8+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", 
ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T16:48:12", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-09T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for exim (openSUSE-SU-2019:2093-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852696", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852696", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852696\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-09 02:00:34 +0000 (Mon, 09 Sep 2019)\");\n script_name(\"openSUSE: Security Advisory for exim (openSUSE-SU-2019:2093-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2093-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00024.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the openSUSE-SU-2019:2093-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"exim was updated to fix a security issue:\n\n - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery process where a\n remote attacker could execute code with root privileges by sending\n crafted SNI data (boo#1149182).\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST 
online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2093=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2093=1\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.88~lp150.3.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-30T14:47:13", "description": "Exim is prone to an remote code execution vulnerability.", "cvss3": {}, "published": "2019-09-06T00:00:00", "type": "openvas", "title": "Exim < 4.92.2 
RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T00:00:00", "id": "OPENVAS:1361412562310142854", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142854", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:exim:exim\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142854\");\n script_version(\"2019-09-06T03:36:35+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-06 03:36:35 +0000 (Fri, 06 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-06 03:34:05 +0000 (Fri, 06 Sep 2019)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-15846\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim < 4.92.2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks 
GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to an remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability is exploitable by sending a SNI ending in a\n backslash-null sequence during the initial TLS handshake. The exploit\n exists as a POC.\n\n For more details see doc/doc-txt/cve-2019-15846/ in the source code\n repository of Exim.\");\n\n script_tag(name:\"impact\", value:\"A local or remote attacker can execute programs with root privileges.\");\n\n script_tag(name:\"affected\", value:\"Exim version 4.92.1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.92.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://exim.org/static/doc/security/CVE-2019-15846.txt\");\n script_xref(name:\"URL\", value:\"https://www.openwall.com/lists/oss-security/2019/09/04/1\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"4.92.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.92.2\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T19:30:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-07T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for exim4 (DLA-1911-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891911", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310891911", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891911\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:00:20 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Debian LTS: Security Advisory for exim4 (DLA-1911-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html\");\n 
script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1911-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the DLA-1911-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"'Zerons' and Qualys discovered that a buffer overflow triggerable in the\nTLS negotiation code of the Exim mail transport agent could result in the\nexecution of arbitrary code with root privileges.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n4.84.2-2+deb8u6.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u6\", 
rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-04T18:36:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-04T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2019-006dfc94cd", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-10-04T00:00:00", "id": "OPENVAS:1361412562310876867", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876867", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876867\");\n script_version(\"2019-10-04T07:25:00+0000\");\n script_cve_id(\"CVE-2019-16928\", \"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-04 07:25:00 +0000 (Fri, 04 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-04 02:28:15 +0000 (Fri, 04 Oct 2019)\");\n script_name(\"Fedora Update for exim FEDORA-2019-006dfc94cd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-006dfc94cd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the FEDORA-2019-006dfc94cd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is a message transfer agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet. It is\nfreely available under the terms of the GNU General Public Licence. In\nstyle it is similar to Smail 3, but its facilities are more\ngeneral. 
There is a great deal of flexibility in the way mail can be\nrouted, and there are extensive facilities for checking incoming\nmail. Exim can be installed in place of sendmail, although the\nconfiguration of exim is quite different to that of sendmail.\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.92.3~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-11T18:36:27", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-10T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2019-d778bd4137", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-10-11T00:00:00", "id": "OPENVAS:1361412562310876894", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876894", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876894\");\n script_version(\"2019-10-11T07:39:42+0000\");\n script_cve_id(\"CVE-2019-16928\", \"CVE-2019-15846\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-11 07:39:42 +0000 (Fri, 11 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-10 02:23:08 +0000 (Thu, 10 Oct 2019)\");\n script_name(\"Fedora Update for exim FEDORA-2019-d778bd4137\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-d778bd4137\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the FEDORA-2019-d778bd4137 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is a message transfer agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the 
Internet. It is\nfreely available under the terms of the GNU General Public Licence. In\nstyle it is similar to Smail 3, but its facilities are more\ngeneral. There is a great deal of flexibility in the way mail can be\nrouted, and there are extensive facilities for checking incoming\nmail. Exim can be installed in place of sendmail, although the\nconfiguration of exim is quite different to that of sendmail.\");\n\n script_tag(name:\"affected\", value:\"'exim' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.92.3~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-03-24T21:51:04", "description": "Exim developers report :\n\nIf your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected.\n\nThe vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC. 
For more details see the document qualys.mbx", "cvss3": {}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "FreeBSD : Exim -- RCE with root privileges in TLS SNI handler (61db9b88-d091-11e9-8d41-97657151f8c2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-09T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:exim", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_61DB9B88D09111E98D4197657151F8C2.NASL", "href": "https://www.tenable.com/plugins/nessus/128585", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128585);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/09/09 9:28:06\");\n\n script_name(english:\"FreeBSD : Exim -- RCE with root privileges in TLS SNI handler (61db9b88-d091-11e9-8d41-97657151f8c2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Exim developers report :\n\nIf your Exim server accepts TLS connections, it is vulnerable. This\ndoes not depend on the TLS libray, so both, GnuTLS and OpenSSL are\naffected.\n\nThe vulnerability is exploitable by sending a SNI ending in a\nbackslash-null sequence during the initial TLS handshake. The exploit\nexists as a POC. 
For more details see the document qualys.mbx\"\n );\n # https://git.exim.org/exim.git/blob_plain/2600301ba6dbac5c9d640c87007a07ee6dcea1f4:/doc/doc-txt/cve-2019-15846/cve.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8f464c6a\"\n );\n # https://vuxml.freebsd.org/freebsd/61db9b88-d091-11e9-8d41-97657151f8c2.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6e6cd0db\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.92.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-08T15:43:59", "description": "This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Fedora 30 : exim (2019-467fcbb10a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-467FCBB10A.NASL", "href": "https://www.tenable.com/plugins/nessus/128566", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-467fcbb10a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128566);\n script_version(\"1.3\");\n 
script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"FEDORA\", value:\"2019-467fcbb10a\");\n\n script_name(english:\"Fedora 30 : exim (2019-467fcbb10a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-467fcbb10a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"exim-4.92.2-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:42:58", "description": "This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without 
introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Fedora 29 : exim (2019-ae361e20c2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-AE361E20C2.NASL", "href": "https://www.tenable.com/plugins/nessus/128577", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-ae361e20c2.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128577);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"FEDORA\", value:\"2019-ae361e20c2\");\n\n script_name(english:\"Fedora 29 : exim (2019-ae361e20c2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-ae361e20c2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"exim-4.92.2-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:43:31", "description": "exim was updated to fix a security issue :\n\n - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery process where a remote attacker could execute code with root privileges by sending crafted SNI data (boo#1149182).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2019-2093)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2020-09-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-2093.NASL", "href": "https://www.tenable.com/plugins/nessus/128606", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2093.\n#\n# The text description of this 
plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128606);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2019-15846\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2019-2093)\");\n script_summary(english:\"Check for the openSUSE-2019-2093 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"exim was updated to fix a security issue :\n\n - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery\n process where a remote attacker could execute code with\n root privileges by sending crafted SNI data\n (boo#1149182).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1149182\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-4.88-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-debuginfo-4.88-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"exim-debugsource-4.88-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"eximon-4.88-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", 
reference:\"eximon-debuginfo-4.88-lp151.4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"eximstats-html-4.88-lp151.4.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:47:09", "description": "This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-10-07T00:00:00", "type": "nessus", "title": "Fedora 31 : exim (2019-1ed7bbb09c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-12-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-1ED7BBB09C.NASL", "href": "https://www.tenable.com/plugins/nessus/129605", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-1ed7bbb09c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129605);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"FEDORA\", value:\"2019-1ed7bbb09c\");\n\n script_name(english:\"Fedora 31 : exim (2019-1ed7bbb09c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n 
value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing CVE-2019-15846.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-1ed7bbb09c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"exim-4.92.2-1.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:44:26", "description": "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.(CVE-2019-15846)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-10T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : exim (ALAS-2019-1277)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": 
"2019-12-31T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1277.NASL", "href": "https://www.tenable.com/plugins/nessus/128617", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1277.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128617);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"ALAS\", value:\"2019-1277\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2019-1277)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Exim before 4.92.2 allows remote attackers to execute arbitrary code\nas root via a trailing backslash.(CVE-2019-15846)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1277.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.92-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.92-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.92-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.92-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.92-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.92-1.24.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:43:30", "description": "It was discovered that Exim incorrectly handled certain 
decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : exim4 vulnerability (USN-4124-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.04"], "id": "UBUNTU_USN-4124-1.NASL", "href": "https://www.tenable.com/plugins/nessus/128614", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4124-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128614);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"USN\", value:\"4124-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : exim4 vulnerability (USN-4124-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Exim incorrectly handled certain decoding\noperations. A remote attacker could possibly use this issue to execute\narbitrary commands.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4124-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected exim4-daemon-heavy and / or exim4-daemon-light\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.86.2-2ubuntu2.5\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.86.2-2ubuntu2.5\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.90.1-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.90.1-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.92-4ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.92-4ubuntu1.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4-daemon-heavy / exim4-daemon-light\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:43:30", "description": "According to its banner, the version of Exim running on the remote host is prior to 4.92.2. 
It is, therefore, potentially affected by a remote code execution vulnerability allowing unauthenticated, remote attackers to execute arbitrary code as root via a trailing backslash. Note that this is a banner-only check: distribution builds that backport the fix without changing the advertised version (for example Debian's 4.84.2-2+deb8u6 or Ubuntu's 4.86.2-2ubuntu2.5) will also be flagged, so confirm the result with a package-level check before treating it as a finding.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-06T00:00:00", "type": "nessus", "title": "Exim < 4.92.2 ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-10-17T00:00:00", "cpe": ["cpe:/a:exim:exim"], "id": "EXIM_4_92_2.NASL", "href": "https://www.tenable.com/plugins/nessus/128553", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128553);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/17 14:31:05\");\n\n script_cve_id(\"CVE-2019-15846\");\n\n script_name(english:\"Exim < 4.92.2 \");\n script_summary(english:\"Checks the version of the SMTP banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is potentially affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Exim running on the remote\nhost is prior to 4.92.2. 
It is, therefore, potentially affected by a\nremote code execution vulnerability allowing unauthenticated, remote \nattackers to execute arbitrary code as root via a trailing backslash.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://exim.org/static/doc/security/CVE-2019-15846.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Exim 4.92.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-15846\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/06\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:exim:exim\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nport = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\nbanner = get_smtp_banner(port:port);\nif (!banner) audit(AUDIT_NO_BANNER, port);\nif (\"Exim\" >!< banner) audit(AUDIT_NOT_LISTEN, 'Exim', port);\n\nmatches = pregmatch(pattern:\"220.*Exim ([0-9\\._]+)\", string:banner);\nif (isnull(matches)) audit(AUDIT_SERVICE_VER_FAIL, 'Exim', port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = matches[1];\n# Underscore was added to the vesion\nversion = ereg_replace(string:version, pattern:\"_\", replace:\".\");\n\nif (ver_compare(ver:version, fix:'4.92.2', strict:FALSE) < 0)\n{\n report =\n '\\n Banner : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.92.2';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, 'Exim', port, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:42:33", "description": "'Zerons' and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.\n\nFor Debian 8 'Jessie', this problem has been fixed in version 4.84.2-2+deb8u6.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Debian DLA-1911-1 : exim4 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "p-cpe:/a:debian:debian_linux:exim4-base", "p-cpe:/a:debian:debian_linux:exim4-config", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-light", "p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg", "p-cpe:/a:debian:debian_linux:exim4-dbg", "p-cpe:/a:debian:debian_linux:exim4-dev", "p-cpe:/a:debian:debian_linux:eximon4", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1911.NASL", "href": "https://www.tenable.com/plugins/nessus/128556", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1911-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128556);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-15846\");\n\n script_name(english:\"Debian DLA-1911-1 : exim4 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"'Zerons' and Qualys discovered that a buffer overflow triggerable in\nthe TLS negotiation code of the Exim mail transport agent could result\nin the execution of arbitrary code with root privileges.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n4.84.2-2+deb8u6.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/exim4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"exim4\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-base\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-config\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dbg\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dev\", reference:\"4.84.2-2+deb8u6\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"eximon4\", reference:\"4.84.2-2+deb8u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:42:58", "description": "'Zerons' and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Debian DSA-4517-1 : exim4 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4517.NASL", "href": "https://www.tenable.com/plugins/nessus/128559", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4517. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128559);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-15846\");\n script_xref(name:\"DSA\", value:\"4517\");\n\n script_name(english:\"Debian DSA-4517-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"'Zerons' and Qualys discovered that a buffer overflow triggerable in\nthe TLS negotiation code of the Exim mail transport agent could result\nin the execution of arbitrary code with root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4517\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the oldstable distribution (stretch), this problem has been fixed\nin version 4.89-2+deb9u6.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 4.92-8+deb10u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are 
available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"exim4\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-base\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-config\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-daemon-light\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-dev\", reference:\"4.92-8+deb10u2\")) flag++;\nif 
(deb_check(release:\"10.0\", prefix:\"eximon4\", reference:\"4.92-8+deb10u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", reference:\"4.89-2+deb9u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:19:27", "description": "The remote host is running Exim, a message transfer agent.\n\nVersions of Exim earlier than 4.92.2 are affected by a vulnerability that is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "Exim < 4.92.2 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-09T00:00:00", "cpe": ["cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*"], "id": "701176.PRM", "href": "https://www.tenable.com/plugins/nnm/701176", "sourceData": 
"Binary data 701176.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T15:44:26", "description": "The remote host is affected by the vulnerability described in GLSA-201909-06 (Exim: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-09T00:00:00", "type": "nessus", "title": "GLSA-201909-06 : Exim: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-13917", "CVE-2019-15846"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:exim", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201909-06.NASL", "href": "https://www.tenable.com/plugins/nessus/128595", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201909-06.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128595);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-13917\", \"CVE-2019-15846\");\n script_xref(name:\"GLSA\", value:\"201909-06\");\n\n script_name(english:\"GLSA-201909-06 : Exim: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201909-06\n(Exim: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Exim. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by connecting to the SMTP listener daemon, could\n possibly execute arbitrary code with the privileges of the process or\n cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201909-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.92.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.92.2\"), vulnerable:make_list(\"lt 4.92.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:58:18", "description": "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846 . 
There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.(CVE-2019-16928)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-10-28T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : exim (ALAS-2019-1310)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2022-03-09T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1310.NASL", "href": "https://www.tenable.com/plugins/nessus/130280", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1310.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130280);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/09\");\n\n script_cve_id(\"CVE-2019-16928\");\n script_xref(name:\"ALAS\", value:\"2019-1310\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2019-1310)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Exim 4.92 through 4.92.2 allows remote code execution, a different\nvulnerability than CVE-2019-15846 . 
There is a heap-based buffer\noverflow in string_vformat in string.c involving a long EHLO\ncommand.(CVE-2019-16928)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1310.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16928\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.92-1.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.92-1.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.92-1.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.92-1.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.92-1.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.92-1.25.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:00:14", "description": "This update for 
exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n\n - CVE-2020-28026: Line truncation and injection in spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer after BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n\n - Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). 
Fixes CVE-2020-RCPTL reported by Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to match other mail- related applications. Previously an 'H' was used where available info says that 'M' should be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values are commonly used as arguments, so an implementation trying to copy these into a local buffer was taking a taint-enforcement trap. Fix by using dynamically created buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a local. Do similar fixes for ACL actions 'dcc', 'log_reject_target', 'malware' and 'spam'; the arguments are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code rearrangement had broken the (no-op) support for this sendmail command. Restore it to doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in constructing their delivery location this WILL BREAK configurations which are not updated accordingly. 
In particular: any Transport use of $local_user which has been relying upon check_local_user far away in the Router to make it safe, should be updated to replace $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header name that ends with an asterisk (which is a standards-legal name) will now result in all headers named starting with the string before the asterisk being removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee 94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. 
Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utilities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, only retrieve the errormessage once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service buffer; this failed because the buffer was in use at the time. Change to a compile-time increase in the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This reduces time for some exim process initialisations. It does mean that the logging of TLS configuration problems is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless disabled in Makefile.\n\n - DKIM verification defaults no longer accept sha1 hashes, to conform to RFC 8301. They can still be enabled, using the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable CHUNKING, falling back to traditional DATA.\n\n - Regard command-line recipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the PAM library frees one of the arguments given to it, despite the documentation. Therefore a plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp context. 
Previously on-stack buffers were used, resulting in a taint trap when DSN information copied from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, which has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naive installation would get error messages from DMARC verify, when it hit the nonexistent file indicated by the default. Distros wanting DMARC enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utilities. The introduction of taint tracking also did many adjustments to string handling. Since then, eximon frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT commands sent and check for 452 responses. This slightly helps the inefficiency of doing a large alias-expansion into a recipient-limited target. The max_rcpt transport option still applies (and at the current default, will override the new feature). 
The check is done for either cause of synch, and forces a fast-retry of all 452'd recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being used, so the results became garbage. Make copies while it is still usable.\n\n - Logging: when the deliver_time selector is set, include the DT= field on delivery deferred (==) and failed (**) lines (if a delivery was attempted). Previously it was only on completion (=>) lines.\n\n - Authentication: the gsasl driver now provides the $authN variables in time for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seems to ask for trouble if your resolver is a systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from untrusted sources.\n\n - Use longer file names for temporary spool files (this avoids name conflicts with spool on a shared file system).\n\n - Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion which could allow remote attackers to execute other programs with root privileges (boo#1142207)\n\n - spec 
file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n\n - add workaround patch for compile time error on missing printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the 'queue=' ACL modifier. This matches the restriction on the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n\n - The 'support for' informational output now, which built with Content Scanning support, has a line for the malware scanner interfaces compiled in. Interface can be individually included or not at build time.\n\n - The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included by the template makefile 'src/EDITME'.\n The 'STREAM' support for an older ClamAV interface method is removed.\n\n - Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead).\n\n - The runtime Berkeley DB library version is now additionally output by 'exim -d -bV'. 
Previously only the compile-time version was shown.\n\n - Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection.\n\n - Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers.\n\n - Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped.\n\n - Relax results from ACL control request to enable cutthrough, in unsupported situations, from error to silently (except under debug) ignoring.\n\n - Fix Buffer overflow in base64d() (CVE-2018-6789)\n\n - Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free().\n\n - Fix broken Heimdal GSSAPI authenticator integration.\n\n - Bug 2113: Fix conversation closedown with the Avast malware scanner.\n\n - Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n\n - Speed up macro lookups during configuration file read, by skipping non- macro text after a replacement (previously it was only once per line) and by skipping builtin macros when searching for an uppercase lead character.\n\n - DANE support moved from Experimental to mainline. The Makefile control for the build is renamed.\n\n - Fix memory leak during multi-message connections using STARTTLS.\n\n - Bug 2236: When a DKIM verification result is overridden by ACL, DMARC reported the original. 
Fix to report (as far as possible) the ACL result replacing the original.\n\n - Fix memory leak during multi-message connections using STARTTLS under OpenSSL\n\n - Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n\n - Fix utf8_downconvert propagation through a redirect router.\n\n - Bug 2253: For logging delivery lines under PRDR, append the overall DATA response info to the (existing) per-recipient response info for the 'C=' log element.\n\n - Bug 2251: Fix ldap lookups that return a single attribute having zero- length value.\n\n - Support Avast multiline protocol, this allows passing flags to newer versions of the scanner.\n\n - Ensure that variables possibly set during message acceptance are marked dead before release of memory in the daemon loop.\n\n - Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such as a multi-recipient message from a mailinglist manager).\n\n - The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being replaced by the $(authresults ) expansion.\n\n - Bug 2257: Fix pipe transport to not use a socket-only syscall.\n\n - Set a handler for SIGTERM and call exit(3) if running as PID 1. This allows proper process termination in container environments.\n\n - Bug 2258: Fix spool_wireformat in combination with LMTP transport. Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n\n - SPF: remove support for the 'spf' ACL condition outcome values 'err_temp' and 'err_perm', deprecated since 4.83 when the RFC-defined words ' temperror' and 'permerror' were introduced.\n\n - Re-introduce enforcement of no cutthrough delivery on transports having transport-filters or DKIM-signing.\n\n - Cutthrough: for a final-dot response timeout (and nonunderstood responses) in defer=pass mode supply a 450 to the initiator. 
Previously the message would be spooled.\n\n - DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, tls_require_ciphers is used as before.\n\n - Malware Avast: Better match the Avast multiline protocol.\n\n - Fix reinitialisation of DKIM logging variable between messages.\n\n - Bug 2255: Revert the disable of the OpenSSL session caching.\n\n - Add util/renew-opendmarc-tlds.sh script for safe renewal of public suffix list.\n\n - DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, since the IETF WG has not yet settled on that versus the original 'bare' representation.\n\n - Fix syslog logging for syslog_timestamp=no and log_selector +millisec. Previously the millisecond value corrupted the output. Fix also for syslog_pid=no and log_selector +pid, for which the pid corrupted the output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n\n - update to 4.90.1\n\n - Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly during configuration. Wildcards are allowed and expanded.\n\n - Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect 'exiwhat' output.\n\n - Tighten up the checking in isip4 (et al): dotted-quad components larger than 255 are no longer allowed.\n\n - Default openssl_options to include +no_ticket, to reduce load on peers. Disable the session-cache too, which might reduce our load. Since we currrectly use a new context for every connection, both as server and client, there is no benefit for these.\n\n - Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at <https://reproducible-builds.org/specs/source-date-epoch />.\n\n - Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously the check for any unsuccessful recipients did not notice the limit, and erroneously found still-pending ones.\n\n - Pipeline CHUNKING command and data together, on kernels that support MSG_MORE. 
Only in-clear (not on TLS connections).\n\n - Avoid using a temporary file during transport using dkim. Unless a transport-filter is involved we can buffer the headers in memory for creating the signature, and read the spool data file once for the signature and again for transmission.\n\n - Enable use of sendfile in Linux builds as default. It was disabled in 4.77 as the kernel support then wasn't solid, having issues in 64bit mode. Now, it's been long enough. Add support for FreeBSD also.\n\n - Add commandline_checks_require_admin option.\n\n - Do pipelining under TLS.\n\n - For the 'sock' variant of the malware scanner interface, accept an empty cmdline element to get the documented default one. Previously it was inaccessible.\n\n - Prevent repeated use of -p/-oMr\n\n - DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field, if present.\n\n - DKIM: when a message has multiple signatures matching an identity given in dkim_verify_signers, run the dkim acl once for each.\n\n - Support IDNA2008.\n\n - The path option on a pipe transport is now expanded before use\n\n - Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n\n - Several bug fixes\n\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2021-677) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", 
"CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-677.NASL", "href": "https://www.tenable.com/plugins/nessus/149614", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-677.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149614);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2017-1000369\",\n \"CVE-2017-16943\",\n \"CVE-2017-16944\",\n \"CVE-2018-6789\",\n \"CVE-2019-10149\",\n \"CVE-2019-13917\",\n \"CVE-2019-15846\",\n \"CVE-2019-16928\",\n \"CVE-2020-12783\",\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28010\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28015\",\n \"CVE-2020-28016\",\n \"CVE-2020-28017\",\n \"CVE-2020-28018\",\n \"CVE-2020-28019\",\n \"CVE-2020-28020\",\n \"CVE-2020-28021\",\n \"CVE-2020-28022\",\n \"CVE-2020-28023\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2021-677) (Stack Clash)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool\n directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in\n parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in\n parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header\n file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for\n privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in\n receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header\n file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in\n extract_option()\n\n - CVE-2020-28026: Line truncation and injection in\n spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer after\n BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in\n pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. Ensure we\n reset known-good where we know we need to not be reading\n BDAT data, as a general case fix, and move the places\n where we switch to BDAT mode until after various\n protocol state checks. 
Fixes CVE-2020-BDATA reported by\n Qualys.\n\n - Fix security issue in SMTP verb option parsing\n (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message\n (to remove a known security problem if someone does set\n recipients_max to unlimited, or if local additions add\n to the recipient list). Fixes CVE-2020-RCPTL reported by\n Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against\n cmdline invoker providing a particularly obnoxious\n sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard\n against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes\n boo#1173693)\n\n - bring in changes from current +fixes (lots of taint\n check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to\n match other mail- related applications. Previously an\n 'H' was used where available info says that 'M' should\n be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values\n are commonly used as arguments, so an implementation\n trying to copy these into a local buffer was taking a\n taint-enforcement trap. Fix by using dynamically created\n buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using\n tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a\n local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments\n are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code\n rearrangement had broken the (no-op) support for this\n sendmail command. Restore it to doing nothing, silently,\n and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in\n constructing their delivery location this WILL BREAK\n configurations which are not updated accordingly. 
In\n particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the\n Router to make it safe, should be updated to replace\n $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header\n name that ends with an asterisk (which is a\n standards-legal name) will now result in all headers\n named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee\n 94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. 
Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module\n (lookups) open failure, only retrieve the errormessage\n once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service\n buffer; this failed because the buffer was in use at the\n time. Change to a compile-time increase in the buffer\n size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This\n reduces time for some exim process initialisations. It\n does mean that the logging of TLS configuration problems\n is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless\n disabled in Makefile.\n\n - DKIM verification defaults no long accept sha1 hashes,\n to conform to RFC 8301. They can still be enabled, using\n the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a\n transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable\n CHUNKING, falling back to traditional DATA.\n\n - Regard command-line receipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, whe due to\n SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It\n seems that the PAM library frees one of the arguments\n given to it, despite the documentation. Therefore a\n plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp\n context. 
Previously on-stack buffers were used,\n resulting in a taint trap when DSN information copied\n from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, whick has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naiive installation would get error\n messages from DMARC verify, when it hit the nonexistent\n file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line\n sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities. The introduction of taint tracking also did\n many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT\n commands sent and check for 452 responses. This slightly\n helps the inefficieny of doing a large alias-expansion\n into a recipient-limited target. The max_rcpt transport\n option still applies (and at the current default, will\n override the new feature). 
The check is done for either\n cause of synch, and forces a fast-retry of all 452'd\n recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being\n used, so the results became garbage. Make copies while\n it is still usable.\n\n - Logging: when the deliver_time selector ise set, include\n the DT= field on delivery deferred (==) and failed (**)\n lines (if a delivery was attemtped). Previously it was\n only on completion (=>) lines.\n\n - Authentication: the gsasl driver not provides the $authN\n variables in time for the expansion of the\n server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to\n '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seemes to ask for trouble if your resolver is a\n systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to\n 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from\n untrusted sources.\n\n - Use longer file names for temporary spool files (this\n avoids name conflicts with spool on a shared file\n system).\n\n - Use dsn_from main config option (was ignored\n previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow\n in string_vformat, remote code execution seems to be\n possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing\n arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion\n which could allow remote attackers to execute other\n programs with 
root privileges (boo#1142207)\n\n - spec file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution\n (boo#1136587)\n\n - add workaround patch for compile time error on missing\n printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the\n 'queue=' ACL modifier. This matches the restriction on\n the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a\n single column. Previously only the last row was\n returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature\n headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done\n from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts\n unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept\n result of MIME ACL.\n\n - The 'support for' informational output now, which built\n with Content Scanning support, has a line for the\n malware scanner interfaces compiled in. 
Interface can be\n individually included or not at build time.\n\n - The 'aveserver', 'kavdaemon' and 'mksd' interfaces are\n now not included by the template makefile 'src/EDITME'.\n The 'STREAM' support for an older ClamAV interface\n method is removed.\n\n - Bug 2223: Fix mysql lookup returns for the no-data case\n (when the number of rows affected is given instead).\n\n - The runtime Berkeley DB library version is now\n additionally output by 'exim -d -bV'. Previously only\n the compile-time version was shown.\n\n - Bug 2230: Fix cutthrough routing for nonfirst messages\n in an initiating SMTP connection.\n\n - Bug 2229: Fix cutthrough routing for nonstandard port\n numbers defined by routers.\n\n - Bug 2174: A timeout on connect for a callout was also\n erroneously seen as a timeout on read on a GnuTLS\n initiating connection, resulting in the initiating\n connection being dropped.\n\n - Relax results from ACL control request to enable\n cutthrough, in unsupported situations, from error to\n silently (except under debug) ignoring.\n\n - Fix Buffer overflow in base64d() (CVE-2018-6789)\n\n - Fix bug in DKIM verify: a buffer overflow could corrupt\n the malloc metadata, resulting in a crash in free().\n\n - Fix broken Heimdal GSSAPI authenticator integration.\n\n - Bug 2113: Fix conversation closedown with the Avast\n malware scanner.\n\n - Bug 2239: Enforce non-usability of\n control=utf8_downconvert in the mail ACL.\n\n - Speed up macro lookups during configuration file read,\n by skipping non- macro text after a replacement\n (previously it was only once per line) and by skipping\n builtin macros when searching for an uppercase lead\n character.\n\n - DANE support moved from Experimental to mainline. The\n Makefile control for the build is renamed.\n\n - Fix memory leak during multi-message connections using\n STARTTLS.\n\n - Bug 2236: When a DKIM verification result is overridden\n by ACL, DMARC reported the original. 
Fix to report (as\n far as possible) the ACL result replacing the original.\n\n - Fix memory leak during multi-message connections using\n STARTTLS under OpenSSL\n\n - Bug 2242: Fix exim_dbmbuild to permit directoryless\n filenames.\n\n - Fix utf8_downconvert propagation through a redirect\n router.\n\n - Bug 2253: For logging delivery lines under PRDR, append\n the overall DATA response info to the (existing)\n per-recipient response info for the 'C=' log element.\n\n - Bug 2251: Fix ldap lookups that return a single\n attribute having zero- length value.\n\n - Support Avast multiline protocol, this allows passing\n flags to newer versions of the scanner.\n\n - Ensure that variables possibly set during message\n acceptance are marked dead before release of memory in\n the daemon loop.\n\n - Bug 2250: Fix a longstanding bug in heavily-pipelined\n SMTP input (such as a multi-recipient message from a\n mailinglist manager).\n\n - The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is\n withdrawn, being replaced by the $(authresults )\n expansion.\n\n - Bug 2257: Fix pipe transport to not use a socket-only\n syscall.\n\n - Set a handler for SIGTERM and call exit(3) if running as\n PID 1. This allows proper process termination in\n container environments.\n\n - Bug 2258: Fix spool_wireformat in combination with LMTP\n transport. Previously the 'final dot' had a newline\n after it; ensure it is CR,LF.\n\n - SPF: remove support for the 'spf' ACL condition outcome\n values 'err_temp' and 'err_perm', deprecated since 4.83\n when the RFC-defined words ' temperror' and 'permerror'\n were introduced.\n\n - Re-introduce enforcement of no cutthrough delivery on\n transports having transport-filters or DKIM-signing.\n\n - Cutthrough: for a final-dot response timeout (and\n nonunderstood responses) in defer=pass mode supply a 450\n to the initiator. 
Previously the message would be\n spooled.\n\n - DANE: add dane_require_tls_ciphers SMTP Transport\n option; if unset, tls_require_ciphers is used as before.\n\n - Malware Avast: Better match the Avast multiline\n protocol.\n\n - Fix reinitialisation of DKIM logging variable between\n messages.\n\n - Bug 2255: Revert the disable of the OpenSSL session\n caching.\n\n - Add util/renew-opendmarc-tlds.sh script for safe renewal\n of public suffix list.\n\n - DKIM: accept Ed25519 pubkeys in\n SubjectPublicKeyInfo-wrapped form, since the IETF WG has\n not yet settled on that versus the original 'bare'\n representation.\n\n - Fix syslog logging for syslog_timestamp=no and\n log_selector +millisec. Previously the millisecond value\n corrupted the output. Fix also for syslog_pid=no and\n log_selector +pid, for which the pid corrupted the\n output.\n\n - Replace xorg-x11-devel by individual pkgconfig()\n buildrequires. \n\n - update to 4.90.1\n\n - Allow PKG_CONFIG_PATH to be set in Local/Makefile and\n use it correctly during configuration. Wildcards are\n allowed and expanded.\n\n - Shorten the log line for daemon startup by collapsing\n adjacent sets of identical IP addresses on different\n listening ports. Will also affect 'exiwhat' output.\n\n - Tighten up the checking in isip4 (et al): dotted-quad\n components larger than 255 are no longer allowed.\n\n - Default openssl_options to include +no_ticket, to reduce\n load on peers. Disable the session-cache too, which\n might reduce our load. Since we currrectly use a new\n context for every connection, both as server and client,\n there is no benefit for these.\n\n - Add $SOURCE_DATE_EPOCH support for reproducible builds,\n per spec at\n <https://reproducible-builds.org/specs/source-date-epoch\n />.\n\n - Fix smtp transport use of limited max_rcpt under\n mua_wrapper. 
Previously the check for any unsuccessful\n recipients did not notice the limit, and erroneously\n found still-pending ones.\n\n - Pipeline CHUNKING command and data together, on kernels\n that support MSG_MORE. Only in-clear (not on TLS\n connections).\n\n - Avoid using a temporary file during transport using\n dkim. Unless a transport-filter is involved we can\n buffer the headers in memory for creating the signature,\n and read the spool data file once for the signature and\n again for transmission.\n\n - Enable use of sendfile in Linux builds as default. It\n was disabled in 4.77 as the kernel support then wasn't\n solid, having issues in 64bit mode. Now, it's been long\n enough. Add support for FreeBSD also.\n\n - Add commandline_checks_require_admin option.\n\n - Do pipelining under TLS.\n\n - For the 'sock' variant of the malware scanner interface,\n accept an empty cmdline element to get the documented\n default one. Previously it was inaccessible.\n\n - Prevent repeated use of -p/-oMr\n\n - DKIM: enforce the DNS pubkey record 'h' permitted-hashes\n optional field, if present.\n\n - DKIM: when a message has multiple signatures matching an\n identity given in dkim_verify_signers, run the dkim acl\n once for each.\n\n - Support IDNA2008.\n\n - The path option on a pipe transport is now expanded\n before use\n\n - Have the EHLO response advertise VRFY, if there is a\n vrfy ACL defined.\n\n - Several bug fixes\n\n - Fix for buffer overflow in base64decode() (boo#1079832\n CVE-2018-6789)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079832\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171877\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173693\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185631\");\n script_set_attribute(attribute:\"see_also\", value:\"https://reproducible-builds.org/specs/source-date-epoch/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-15846\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-debuginfo-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-debugsource-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"eximon-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"eximon-debuginfo-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", 
reference:\"eximstats-html-4.94.2-lp152.8.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-05-08T21:55:20", "description": "UPDATE\n\nResearchers are urging users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them.\n\nExim, which is free software used on Unix-like operating systems (including Linux or Mac OSX) serves as a mail transfer agent that manages mail routing services for organizations. According to Shodan, Exim is the most used mail transfer agent globally and has over 5 million internet-facing hosts, meaning the attack surface for the flaw is massive.\n\nAll versions of Exim servers up to and including 4.92.1 have a serious flaw ([CVE-2019-15846](<https://nvd.nist.gov/vuln/detail/CVE-2019-15846>)) that could allow a local or remote attacker to execute arbitrary code with root privileges, which means that they could take full control of the impacted server. The vulnerability ranks 9.8 out of 10 on the CVSS scale, making it critical in severity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe Exim team has released version 4.92.2 to fix this vulnerability, and administrators are encouraged to upgrade as soon as possible,\u201d Ryan Seguin with Tenable said in a [Friday advisory](<https://www.tenable.com/blog/cve-2019-15846-unauthenticated-remote-command-execution-flaw-disclosed-for-exim>). 
\u201cWhile the official security advisory notes that disabling TLS does mitigate the vulnerability, it is strongly recommended not to do so.\u201d\n\nWhile no public exploit of the vulnerability has yet been reported, according to the [Exim team](<http://exim.org/static/doc/security/CVE-2019-15846.txt>), a rudimentary proof-of-concept (PoC) does exist (but has not been made public).\n\n\u201cWe can\u2019t confirm whether a PoC has been made public, but it\u2019s likely threat actors are working on developing their own as we speak,\u201d Seguin told Threatpost. \u201cBy exploiting these flaws, an attacker could capture all of the mail processed by the vulnerable Exim server. This is dangerous because of the sensitive information that is often sent through these services, including IPs and passwords. Anyone listening in long enough would likely gain keys to the kingdom, if they were patient.\u201d\n\nThe vulnerability stems from an issue with how Exim servers handle certain data during a TLS handshake.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/09092812/exim-RCE-flaw.png>)\n\nTotal number of Exim servers according to Shodan\n\nA TLS (Transport Layer Security) handshake starts off a communication session that utilizes TLS encryption. During the handshake, the two communicating sides exchange messages to verify one another. 
The specific data in question involves SNI (Server Name Indication), an extension through which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.\n\nIf an attacker creates specially crafted SNI data, the SMTP (Simple Mail Transfer Protocol) \u2013 the communication protocol for the email transmission \u2013 is susceptible to a buffer overflow, which would allow remote code execution on the vulnerable system.\n\n\u201cAs stated in the initial bug report by Zerons, an unauthenticated remote attacker could send a malicious SNI ending in a backslash-null sequence during the initial TLS handshake, which causes a buffer overflow in the SMTP delivery process,\u201d according to Seguin. \u201cThis would allow an attacker to inject malicious code that Exim then arbitrarily executes as root.\u201d\n\nSeguin told Threatpost that it\u2019s likely that anyone with enough skill could craft an exploit script from publicly available information: \u201cWe\u2019ve seen similar Exim vulnerabilities that have had public exploitation roughly a week after the initial disclosure,\u201d he said.\n\nSeguin noted that the default Exim configuration file does not have TLS enabled \u2013 however, most enterprises are required to enable TLS for internet traffic handling purposes. And, since the vulnerability does not depend on the TLS library in use, both GnuTLS and OpenSSL (popular software implementations of the TLS protocols) are affected.\n\nThe vulnerability was first reported by Zerons on July 21 (with a subsequent analysis coming from researchers at Qualys); and the flaw along with a patch was disclosed on Friday.\n\nThe Exim vulnerability rouses fears after a [similar vulnerability](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) in June was exploited in a widespread campaign to gain remote command-execution on victims\u2019 Linux systems. 
Researchers said that currently more than 3.5 million servers were at risk from [the attacks](<https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/>), which used a wormable exploit.\n\nExim users are strongly urged to update to [version 4.92.2](<https://exim.org/index.html>); another option (though not recommended) is to disable TLS to mitigate against the vulnerability.\n\n\u201cIf you can\u2019t install the above versions, ask your package maintainer for a version containing the backported fix. On request and depending on our resources we will support you in backporting the fix. (Please note, the Exim project officially doesn\u2019t support versions prior the current stable version),\u201d according to Exim\u2019s advisory.\n\n_This article was updated on Sept. 9 at 11am ET with further comments from Tenable about the vulnerability\u2019s impact._\n", "cvss3": {}, "published": "2019-09-09T14:01:18", "type": "threatpost", "title": "Critical Exim Flaw Opens Millions of Servers to Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-09T14:01:18", "id": "THREATPOST:2801F844BD0032CB3A28FA4801670E4C", "href": "https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T20:17:39", "description": "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. If the Exim server accepts TLS connections, the vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake.\n\n \n**Recent assessments:** \n \n**mkienow-r7** at September 09, 2019 2:13pm UTC reported:\n\nExim is run on approximately 57% of the publicly reachable mail servers on the Internet, based on an August 2019 study performed by E-Soft, Inc. 
[1](<http://www.securityspace.com/s_survey/data/man.201907/mxsurvey.html>)\n\n**J3rryBl4nks** at March 03, 2020 4:27pm UTC reported:\n\nExim is run on approximately 57% of the publicly reachable mail servers on the Internet, based on an August 2019 study performed by E-Soft, Inc. [1](<http://www.securityspace.com/s_survey/data/man.201907/mxsurvey.html>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "attackerkb", "title": "Exim Unauthenticated Remote Code Execution via SNI Trailing Backslash", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2020-03-03T00:00:00", "id": "AKB:D2C5F192-F965-4D8E-8FCC-126183F9124A", "href": "https://attackerkb.com/topics/wSXxVHOwyV/exim-unauthenticated-remote-code-execution-via-sni-trailing-backslash", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-03T00:37:31", "description": "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than 
CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-27T00:00:00", "type": "attackerkb", "title": "CVE-2019-16928", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2021-07-22T00:00:00", "id": "AKB:11E60FE9-5634-4D2D-93AC-D08953B050DA", "href": "https://attackerkb.com/topics/N5jhQaZskE/cve-2019-16928", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-22T08:01:27", "description": "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. 
There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.\n\n \n**Recent assessments:** \n \n**wchen-r7** at October 04, 2019 10:50pm UTC reported:\n\n# CVE-2019-16928: Exim EHLO Heap Overflow Vulnerability\n\n## Description\n\n[Exim](<https://www.exim.org/>) is an open source mail transfer agent (MTA) designed for receiving, routing, and delivering email messages. It is mostly installed on Unix-like systems, sometimes Microsoft Windows using Cygwin. [As of 2019](<http://www.securityspace.com/s_survey/data/man.201907/mxsurvey.html>), approximately 57% of the publicly reachable mail servers on the Internet ran Exim, so it is quite popular software.\n\nA vulnerability was found in Exim by a Chinese security team called [QAX A-Team](<https://github.com/QAX-A-Team>), specifically related to the string_vformat() function not resizing a heap buffer correctly, resulting in a heap overflow. A proof-of-concept is publicly available, and remote code execution could be possible. Since Exim has been widely used on the Internet, [media attention](<https://threatpost.com/critical-exim-flaw-opens-servers-to-remote-code-execution/148773/>) for the vulnerability was also high. More details about the potential impact can be found in the [Project Sonar research](<https://blog.rapid7.com/2019/09/10/cve-2019-15846-privileged-remote-code-execution-vulnerability-in-the-exim-mailer-what-you-need-to-know/>) from Rapid7.\n\n## Technical Details\n\n### The Bug Report\n\nInitial information about the vulnerability can be traced to a ticket on Exim\u2019s BugZilla system, also known as [#2449](<https://bugs.exim.org/show_bug.cgi?id=2449>). In there, we can see that the vulnerability is described as a heap overflow in the string_vformat() function, which can be triggered with an EHLO command. 
A Python proof-of-concept is also available.\n\nA commit for the fix can also be found under the exim-4.92.2+fixes branch, which is a simple one-line change to the size argument for the `gstring_grow` in file string.c:\n \n \n // string.c:1593\t\n gstring_grow(g, g->ptr, width - (lim - g->ptr)); // Vulnerable version\n gstring_grow(g, g->ptr, width); // Patched version\n \n\nNow that the bug seems pretty legit, let\u2019s go ahead and set up a box for debugging purposes.\n\n## Vulnerable Setup\n\nThe Exim source can be downloaded and compiled on a Unix-based machine. In my case, I set up a Ubuntu 18 box, with the following prepared:\n \n \n sudo apt update && apt install build-essential clang libdb-dev libperl-dev libsasl2-dev libxt-dev libxaw7-dev\n \n\nAnd then I got the 4.92.2 version:\n \n \n wget http://exim.mirror.colo-serv.net/exim/exim4/old/exim-4.92.2.tar.xz\n \n\nTo build Exim, a Makefile needs to be created, and the easier way is by doing this in the Exim folder (also, remember to set the EXIM_USER option in the file):\n \n \n cp src/EDITME Local/Makefile && cp exim_monitor/EDITME Local/eximon.conf\n \n\nFor debugging purposes, I compiled Exim as a \u201cPIE\u201d binary with AddressSanitizer:\n \n \n CC=clang CFLAGS+=\" -g -fPIC -fsanitize=address\" ASAN_LIBS+=\"-static-libasan\" ASAN_FLAGS+=\"-fsanitize=address -fno-omit-frame-pointer\" FULLECHO='' LFLAGS+=\"-L/usr/lib/llvm-6.0/lib/clang/6.0.0/lib/linux/ -lasan -pie\" ASAN_OPTIONS=detect_leaks=0:symbolize=1 LDFLAGS+=\" -lasan -pie -ldl -lm -lcrypt\" LD_PRELOAD+=\"/usr/lib/gcc/x86_64-linux-gnu/7/libasan.so\" LIBS+=\"-lasan -pie\" make -e clean all\n \n\nNote: For some reason, I couldn\u2019t really compile Exim with GCC with AddressSanitizer, and clang ended up being a much easier choice.\n\nAfter that, the Exim binary can be found in the `build-Linux-x86_64` directory. 
Typically, I prefer to verify that I compiled something correctly (such as PIE and ASAN states), so in this case I used [pwntools](<https://github.com/Gallopsled/pwntools>) to check this:\n \n \n $ python pwntools/pwnlib/commandline/checksec.py exim-4.92.2/build-Linux-x86_64/exim\n [*] '/home/wchen/Desktop/exim-4.92.2/build-Linux-x86_64/exim'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: PIE enabled\n ASAN: Enabled\n \n\nAnd finally, start Exim as a foreground process:\n \n \n sudo build-Linux-x86_64/exim -bd -d\n \n\n### Code Analysis\n\nLooking at the bug report, the patched code actually comes from a function called `string_vformat`. The purpose of it is to build or append to a custom string object that can automatically grow if necessary, and it is declared this way:\n \n \n gstring* string_vformat(gstring * g, BOOL extend, const char *format, va_list ap)\n \n\nThe `gstring` argument is a custom structure that is defined in the structs.h file as follows (Line 29):\n \n \n gstring structure (structs.h:29)\n \n typedef struct gstring {\n int size; /* Current capacity of string memory */\n int ptr; /* Offset at which to append further chars */\n uschar * s; /* The string memory */\n } gstring;\n \n\nThe second argument for `string_vformat` is a boolean called `extend`. This is simply a flag that indicates whether the program wants the gstring to grow or not. And finally, there\u2019s a `format` and `va_list` argument, which is similar to how `sprint` works.\n\nThe second argument is an important piece to the puzzle, because the vulnerable code requires it to be true in order to trigger. In this case, the `string_vformat` function needs to grow gstring in order to make room for the input that it\u2019s handling, and then the gstring will tell the function which index to begin saving the new input. This idea can be demonstrated as below:\n\nFirst, let\u2019s say we have allocated a 10-byte buffer. 
Visually, the 00 (null byte) represents free space:\n \n \n Index: 0 1 2 3 4 5 6 7 8 9\n Buffer: [00 00 00 00 00 00 00 00 00 00]\n \n\nInitially, let\u2019s also say we already have some data in the buffer, a few \u201cA\u201d characters. At this point, the offset at which to append further chars would be index 5:\n \n \n * Offset starts at 5\n Index: 0 1 2 3 4 5 6 7 8 9\n Buffer: [41 41 41 41 41 00 00 00 00 00]\n \n\nNow, we have a scenario where the new input is a bunch of \u201cB\u201ds that is also 10 bytes long:\n \n \n char* input = \"BBBBBBBBBB\"; // In hex, these are 42 42 42...\n \n\nTo put that in the buffer, we need to grow it. So in theory, what is the new size for the adjusted buffer? The math is:\n \n \n strlen(input) + offset;\n \n\nAfter growing the buffer, it should look like this:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 00 00 00 00 00 00 00 00 00 00]\n \n\nAnd finally, we have enough space to store the input:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 42 42 42 42 42 42 42 42 42 42]\n \n\nKnowing this concept, it is much easier to understand the vulnerability. The reason for the overflow is that the size calculation is wrong. The `gstring_grow` function in Exim simply does not grow the gstring enough; as a result, when it is storing the user-supplied input from the EHLO command, it overflows, kind of like the following:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 42 42 42 42 42 42 42 42 42 42] 42 42 42 42 42 ...\n ^ Overflow\n \n\nAlthough the vulnerability requires additional buffer growth, not every call to `string_vformat` sets the `extend` flag to true. Looking around, it looks like there are many possible ways to trigger it:\n\n * There are at least five functions that directly call `string_vformat` with the `extend` flag set to true. 
\n\n * One of them is called `string_fmt_append`, and this function is used by about 56 other places throughout the code base. \n\n\nCovering that whole scope to determine the actual vulnerable path would be too time consuming, but we can narrow this down by a lot. All we need to do is figure out where the input enters the code and where the vulnerable code triggers, then we can look into that code path:\n \n \n Input ---> Code path to be investigated ---> string_vformat with extend argument to TRUE\n \n\nIn the Exim log, we can get a hint of where the input sort of begins:\n \n \n 70289 SMTP>> 220 ubuntu ESMTP Exim 4.92.2 Fri, 04 Oct 2019 09:21:46 -0700\n 70289 Process 70289 is ready for new message\n 70289 smtp_setup_msg entered\n 70289 SMTP<< EHLO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \n\nNotice that we see a \u201csmtp_setup_msg\u201d message first, and then the EHLO with our input. So if we search for that message and find the function printing it, we have a starting point:\n \n \n // smtp_in.c:3891\n int smtp_setup_msg(void)\n {\n int done = 0;\n BOOL toomany = FALSE;\n BOOL discarded = FALSE;\n BOOL last_was_rej_mail = FALSE;\n BOOL last_was_rcpt = FALSE;\n void *reset_point = store_get(0);\n \n DEBUG(D_receive) debug_printf(\"smtp_setup_msg entered\\n\");\n // ... code ...\n \n\nSo now, I guess we are looking for this type of code path:\n \n \n smtp_setup_msg() ---> Code path unknown --> string_vformat(gs, TRUE, format, ap);\n \n\nThis is the very vague version, but in reality the unknown code path is often a rabbit hole. With a large codebase such as Exim, it definitely took me a lot of time to clean up the noise. One way to reverse engineer how point A might get to point B is by using some kind of flow graph. 
Honestly, I don\u2019t know if there is a good one for C/C++ source code, but you can certainly do this with a plugin called [AlleyCat](<https://github.com/devttys0/ida/tree/master/plugins/alleycat>) from IDA Pro.\n\nThis is the graph I got that shows how `smtp_setup_msg()` could get to `string_vformat`:\n\n\n\nLooking at this graph is kind of like finding a needle in a haystack, but if you use it like a map to aid code analysis, you\u2019re less likely to get lost in the rabbit hole. What\u2019s really funny is that, out of this complex map, the actual path to trigger the vulnerable code is just the following:\n\n\n\nIn the end, we only need to look at three functions:\n\n 1. smtp_setup_msg() in smtp_in.c \n\n 2. string_fmt_append in string.c \n\n 3. string_vformat() in string.c (the vulnerable function) \n\n\nIn order to trigger step 2 (the string_fmt_append function), a `user_msg` variable also needs to be null. The `user_msg` is set from a function called `acl_check()` (in acl.c). The null return value indicates the check returns OK, so that means our HELO needs to fail the ACL check.\n\nAnother requirement is that Exim must not be able to look up and resolve an IP address; if it can, the vulnerability does not trigger. 
For testing purposes, the easier way to clear your /etc/resolve.conf.\n\nAnd finally, now with a good understanding of the vulnerable code path, we can verify all this with AddressSanitizer, and this concludes our analysis for CVE-2019-16928:\n \n \n ==56449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000c598 at pc 0x7f8cd18048f9 bp 0x7ffe0bb4dea0 sp 0x7ffe0bb4d630\n WRITE of size 11294 at 0x62500000c598 thread T0\n #0 0x7f8cd18048f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)\n #1 0x7f8cd1804c86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)\n #2 0x558f99fc796c in string_vformat /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1602\n #3 0x558f99df7ee5 in debug_vprintf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:240\n #4 0x558f99df6a3a in debug_printf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:165\n #5 0x558f99ebeb20 in host_build_sender_fullhost /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/host.c:662\n #6 0x558f99f9801a in smtp_setup_msg /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/smtp_in.c:4178\n #7 0x558f99df0236 in handle_smtp_call /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:504\n #8 0x558f99dec11f in daemon_go /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:2057\n #9 0x558f99e5b0e9 in main /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim.c:4670\n #10 0x7f8cd0386b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n #11 0x558f99dc05b9 in _start (/home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim+0x1125b9)\n \n 0x62500000c598 is located 0 bytes to the right of 9368-byte region [0x62500000a100,0x62500000c598)\n allocated by thread T0 here:\n #0 0x7f8cd1844b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)\n #1 0x558f99fbb78b in store_malloc_3 /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:544\n #2 0x558f99fba87c in store_get_3 
/home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:167\n #3 0x558f99fbd6f1 in store_newblock_3 /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:511\n #4 0x558f99fcaab0 in gstring_grow /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1163\n #5 0x558f99fc781b in string_vformat /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1597\n #6 0x558f99df7ee5 in debug_vprintf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:240\n #7 0x558f99df6a3a in debug_printf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:165\n #8 0x558f99ebeb20 in host_build_sender_fullhost /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/host.c:662\n #9 0x558f99f9801a in smtp_setup_msg /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/smtp_in.c:4178\n #10 0x558f99df0236 in handle_smtp_call /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:504\n #11 0x558f99dec11f in daemon_go /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:2057\n #12 0x558f99e5b0e9 in main /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim.c:4670\n #13 0x7f8cd0386b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf\n Shadow bytes around the buggy address:\n 0x0c4a7fff9860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =>0x0c4a7fff98b0: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa 
fa fa fa\n 0x0c4a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n ==56449==ABORTING\n \n\n## References\n\n * [Exim off by one RCE exploiting CVE-2018-6789](<https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/>) by Meh \n\n * [Fuzzing arbitrary functions in elf binaries](<https://blahcat.github.io/2018/03/11/fuzzing-arbitrary-functions-in-elf-binaries/>) by hugsy \n\n * [Exim CVE-2019-16928 Bug Report](<https://bugs.exim.org/show_bug.cgi?id=2449>) \n\n * [The patch diff for CVE-2019-16928](<https://github.com/Exim/exim/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f#diff-2df79c106af94fb3d05bc3f75d7f2abbL1133-L1590>) \n\n * [Exim4 string_format Heap Buffer Overflow Exploit Example](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/exim4_string_format.rb>) \n\n * [Exim Archive](<http://exim.mirror.colo-serv.net/exim/exim4/old/>) \n\n * [Example of building and install Exim](<https://www.lisenet.com/2015/compile-and-install-exim-from-source-with-ldap-and-mysql-lookup-support-on-ubuntu-14-04/>)\n\n**busterb** at October 02, 2019 10:34pm UTC reported:\n\n# CVE-2019-16928: Exim EHLO Heap Overflow Vulnerability\n\n## Description\n\n[Exim](<https://www.exim.org/>) is an open source mail transfer agent (MTA) designed for receiving, routing, and delivering email messages. It is mostly installed on Unix-like systems, sometimes Microsoft Windows using Cygwin. 
[As of 2019](<http://www.securityspace.com/s_survey/data/man.201907/mxsurvey.html>), approximately 57% of the publicly reachable mail servers on the Internet ran Exim, so it is quite popular software.\n\nA vulnerability was found in Exim by a Chinese security team called [QAX A-Team](<https://github.com/QAX-A-Team>), specifically related to the string_vformat() function not resizing a heap buffer correctly, resulting in a heap overflow. A proof-of-concept is publicly available, and remote code execution could be possible. Since Exim has been widely used on the Internet, [media attention](<https://threatpost.com/critical-exim-flaw-opens-servers-to-remote-code-execution/148773/>) for the vulnerability was also high. More details about the potential impact can be found in the [Project Sonar research](<https://blog.rapid7.com/2019/09/10/cve-2019-15846-privileged-remote-code-execution-vulnerability-in-the-exim-mailer-what-you-need-to-know/>) from Rapid7.\n\n## Technical Details\n\n### The Bug Report\n\nInitial information about the vulnerability can be traced to a ticket on Exim\u2019s BugZilla system, also known as [#2449](<https://bugs.exim.org/show_bug.cgi?id=2449>). In there, we can see that the vulnerability is described as a heap overflow in the string_vformat() function, which can be triggered with an EHLO command. A Python proof-of-concept is also available.\n\nA commit for the fix can also be found under the exim-4.92.2+fixes branch, which is a simple one-line change to the size argument of the `gstring_grow` call in string.c:\n \n \n // string.c:1593\t\n gstring_grow(g, g->ptr, width - (lim - g->ptr)); // Vulnerable version\n gstring_grow(g, g->ptr, width); // Patched version\n \n\nNow that the bug seems pretty legit, let\u2019s go ahead and set up a box for debugging purposes.\n\n## Vulnerable Setup\n\nThe Exim source can be downloaded and compiled on a Unix-based machine. 
In my case, I set up a Ubuntu 18 box, with the following prepared:\n \n \n sudo apt update && apt install build-essential clang libdb-dev libperl-dev libsasl2-dev libxt-dev libxaw7-dev\n \n\nAnd then I got the 4.92.2 version:\n \n \n wget http://exim.mirror.colo-serv.net/exim/exim4/old/exim-4.92.2.tar.xz\n \n\nTo build Exim, a Makefile needs to be created, and the easier way is by doing this in the Exim folder (also, remember to set the EXIM_USER option in the file):\n \n \n cp src/EDITME Local/Makefile && cp exim_monitor/EDITME Local/eximon.conf\n \n\nFor debugging purposes, I compiled Exim as a \u201cPIE\u201d binary with AddressSanitizer:\n \n \n CC=clang CFLAGS+=\" -g -fPIC -fsanitize=address\" ASAN_LIBS+=\"-static-libasan\" ASAN_FLAGS+=\"-fsanitize=address -fno-omit-frame-pointer\" FULLECHO='' LFLAGS+=\"-L/usr/lib/llvm-6.0/lib/clang/6.0.0/lib/linux/ -lasan -pie\" ASAN_OPTIONS=detect_leaks=0:symbolize=1 LDFLAGS+=\" -lasan -pie -ldl -lm -lcrypt\" LD_PRELOAD+=\"/usr/lib/gcc/x86_64-linux-gnu/7/libasan.so\" LIBS+=\"-lasan -pie\" make -e clean all\n \n\nNote: For some reason, I couldn\u2019t really compile Exim with GCC with AddressSanitizer, and clang ended up being a much easier choice.\n\nAfter that, the Exim binary can be found in the `build-Linux-x86_64` directory. Typically, I prefer to verify that I compiled something correctly (such as PIE and ASAN states), so in this case I used [pwntools](<https://github.com/Gallopsled/pwntools>) to check this:\n \n \n $ python pwntools/pwnlib/commandline/checksec.py exim-4.92.2/build-Linux-x86_64/exim\n [*] '/home/wchen/Desktop/exim-4.92.2/build-Linux-x86_64/exim'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: No canary found\n NX: NX enabled\n PIE: PIE enabled\n ASAN: Enabled\n \n\nAnd finally, start Exim as a foreground process:\n \n \n sudo build-Linux-x86_64/exim -bd -d\n \n\n### Code Analysis\n\nLooking at the bug report, the patched code actually comes from a function called `string_vformat`. 
The purpose of it is to build or append to a custom string object that can automatically grow if necessary, and it is declared this way:\n \n \n gstring* string_vformat(gstring * g, BOOL extend, const char *format, va_list ap)\n \n\nThe `gstring` argument is a custom structure that is defined in the structs.h file as follows (Line 29):\n \n \n gstring structure (structs.h:29)\n \n typedef struct gstring {\n int size; /* Current capacity of string memory */\n int ptr; /* Offset at which to append further chars */\n uschar * s; /* The string memory */\n } gstring;\n \n\nThe second argument for `string_vformat` is a boolean called `extend`. This is simply a flag that indicates whether the program wants the gstring to grow or not. And finally, there\u2019s a `format` and `va_list` argument, which is similar to how `sprint` works.\n\nThe second argument is an important piece to the puzzle, because the vulnerable code requires it to be true in order to trigger. In this case, the `string_vformat` function needs to grow gstring in order to make room for the input that it\u2019s handling, and then the gstring will tell the function which index to begin saving the new input. This idea can be demonstrated as below:\n\nFirst, let\u2019s say we have allocated a 10-byte buffer. Visually, the 00 (null byte) represents free space:\n \n \n Index: 0 1 2 3 4 5 6 7 8 9\n Buffer: [00 00 00 00 00 00 00 00 00 00]\n \n\nInitially, let\u2019s also say we already have some data in the buffer, a few \u201cA\u201d characters. At this point, the offset at which to append further chars would be index 5:\n \n \n * Offset starts at 5\n Index: 0 1 2 3 4 5 6 7 8 9\n Buffer: [41 41 41 41 41 00 00 00 00 00]\n \n\nNow, we have a scenario where the new input is a bunch of \u201cB\u201ds that is also 10-byte long:\n \n \n char* input = \"BBBBBBBBBB\"; // In hex, these are 42 42 42...\n \n\nTo put that in the buffer, we need to grow it. So in theory what is new size for the adjusted buffer? 
The math is:\n \n \n strlen(input) + offset;\n \n\nAfter growing the buffer, it should look like this:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 00 00 00 00 00 00 00 00 00 00]\n \n\nAnd finally, we have enough space to store the input:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 42 42 42 42 42 42 42 42 42 42]\n \n\nKnowing this concept, it is much easier to understand the vulnerability. The reason for the overflow is that the size calculation is wrong. The `gstring_grow` function in Exim simply does not grow the gstring enough; as a result, when it is storing the user-supplied input from the EHLO command, it overflows, kind of like the following:\n \n \n * 5 = offset value\n Index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14\n Buffer: [41 41 41 41 41 42 42 42 42 42 42 42 42 42 42] 42 42 42 42 42 ...\n ^ Overflow\n \n\nAlthough the vulnerability requires additional buffer growth, not every call to `string_vformat` sets the `extend` flag to true. Looking around, it looks like there are many possible ways to trigger it:\n\n * There are at least five functions that directly call `string_vformat` with the `extend` flag set to true. \n\n * One of them is called `string_fmt_append`, and this function is used by about 56 other places throughout the code base. \n\n\nCovering that whole scope to determine the actual vulnerable path would be too time consuming, but we can narrow this down by a lot. 
All we need to do is figure out where the input enters the code and where the vulnerable code triggers, then we can look into that code path:\n \n \n Input ---> Code path to be investigated ---> string_vformat with extend argument to TRUE\n \n\nIn the Exim log, we can get a hint of where the input sort of begins:\n \n \n 70289 SMTP>> 220 ubuntu ESMTP Exim 4.92.2 Fri, 04 Oct 2019 09:21:46 -0700\n 70289 Process 70289 is ready for new message\n 70289 smtp_setup_msg entered\n 70289 SMTP<< EHLO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n \n\nNotice that we see a \u201csmtp_setup_msg\u201d message first, and then the EHLO with our input. So if we search for that message and find the function printing it, we have a starting point:\n \n \n // smtp_in.c:3891\n int smtp_setup_msg(void)\n {\n int done = 0;\n BOOL toomany = FALSE;\n BOOL discarded = FALSE;\n BOOL last_was_rej_mail = FALSE;\n BOOL last_was_rcpt = FALSE;\n void *reset_point = store_get(0);\n \n DEBUG(D_receive) debug_printf(\"smtp_setup_msg entered\\n\");\n // ... code ...\n \n\nSo now, I guess we are looking for this type of code path:\n \n \n smtp_setup_msg() ---> Code path unknown --> string_vformat(gs, TRUE, format, ap);\n \n\nThis is the very vague version, but in reality the unknown code path is often a rabbit hole. With a large codebase such as Exim, it definitely took me a lot of time to clean up the noise. One way to reverse engineer how point A might get to point B is by using some kind of flow graph. Honestly, I don\u2019t know if there is a good one for C/C++ source code, but you can certainly do this with a plugin called [AlleyCat](<https://github.com/devttys0/ida/tree/master/plugins/alleycat>) from IDA Pro.\n\nThis is the graph I got that shows how `smtp_setup_msg()` could get to `string_vformat`:\n\n\n\nLooking at this graph is kind of like finding a needle in a haystack, but if you use it like a map to aid code analysis, you\u2019re less likely to get lost in the rabbit hole. 
What\u2019s really funny is that out of this complex map, let me show you the actual path to trigger the vulnerable code:\n\n\n\nIn the end, we only need to look at three functions:\n\n 1. smtp_setup_msg() in smtp_in.c \n\n 2. string_fmt_append in string.c \n\n 3. string_vformat() in string.c (the vulnerable function) \n\n\nIn order to trigger step 2 (the string_fmt_append function), a `user_msg` variable also needs to be null. The `user_msg` is set from a function called `acl_check()` (in acl.c). The null return value indicates the check returns OK, so that means our HELO needs to fail the ACL check.\n\nAnother requirement of the vulnerability is that if Exim is able to look up and resolve an IP address, then it would not trigger. For testing purposes, the easier way to clear your /etc/resolve.conf.\n\nAnd finally, now with a good understanding of the vulnerable code path, we can verify all this with AddressSanitizer, and this concludes our analysis for CVE-2019-16928:\n \n \n ==56449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000c598 at pc 0x7f8cd18048f9 bp 0x7ffe0bb4dea0 sp 0x7ffe0bb4d630\n WRITE of size 11294 at 0x62500000c598 thread T0\n #0 0x7f8cd18048f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)\n #1 0x7f8cd1804c86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)\n #2 0x558f99fc796c in string_vformat /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1602\n #3 0x558f99df7ee5 in debug_vprintf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:240\n #4 0x558f99df6a3a in debug_printf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:165\n #5 0x558f99ebeb20 in host_build_sender_fullhost /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/host.c:662\n #6 0x558f99f9801a in smtp_setup_msg /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/smtp_in.c:4178\n #7 0x558f99df0236 in handle_smtp_call /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:504\n 
#8 0x558f99dec11f in daemon_go /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:2057\n #9 0x558f99e5b0e9 in main /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim.c:4670\n #10 0x7f8cd0386b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n #11 0x558f99dc05b9 in _start (/home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim+0x1125b9)\n \n 0x62500000c598 is located 0 bytes to the right of 9368-byte region [0x62500000a100,0x62500000c598)\n allocated by thread T0 here:\n #0 0x7f8cd1844b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)\n #1 0x558f99fbb78b in store_malloc_3 /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:544\n #2 0x558f99fba87c in store_get_3 /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:167\n #3 0x558f99fbd6f1 in store_newblock_3 /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/store.c:511\n #4 0x558f99fcaab0 in gstring_grow /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1163\n #5 0x558f99fc781b in string_vformat /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/string.c:1597\n #6 0x558f99df7ee5 in debug_vprintf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:240\n #7 0x558f99df6a3a in debug_printf /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/debug.c:165\n #8 0x558f99ebeb20 in host_build_sender_fullhost /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/host.c:662\n #9 0x558f99f9801a in smtp_setup_msg /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/smtp_in.c:4178\n #10 0x558f99df0236 in handle_smtp_call /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:504\n #11 0x558f99dec11f in daemon_go /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/daemon.c:2057\n #12 0x558f99e5b0e9 in main /home/sinn3r/Desktop/exim-4.92.2/build-Linux-x86_64/exim.c:4670\n #13 0x7f8cd0386b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf\n Shadow bytes around the buggy address:\n 0x0c4a7fff9860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff9890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c4a7fff98a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =>0x0c4a7fff98b0: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c4a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n ==56449==ABORTING\n \n\n## References\n\n * [Exim off by one RCE exploiting CVE-2018-6789](<https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/>) by Meh \n\n * [Fuzzing arbitrary functions in elf binaries](<https://blahcat.github.io/2018/03/11/fuzzing-arbitrary-functions-in-elf-binaries/>) by hugsy \n\n * [Exim CVE-2019-16928 Bug Report](<https://bugs.exim.org/show_bug.cgi?id=2449>) \n\n * [The patch diff for CVE-2019-16928](<https://github.com/Exim/exim/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f#diff-2df79c106af94fb3d05bc3f75d7f2abbL1133-L1590>) \n\n * [Exim4 string_format Heap Buffer 
Overflow Exploit Example](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/exim4_string_format.rb>) \n\n * [Exim Archive](<http://exim.mirror.colo-serv.net/exim/exim4/old/>) \n\n * [Example of building and install Exim](<https://www.lisenet.com/2015/compile-and-install-exim-from-source-with-ldap-and-mysql-lookup-support-on-ubuntu-14-04/>)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-27T00:00:00", "type": "attackerkb", "title": "Exim EHLO crash bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6789", "CVE-2019-15846", "CVE-2019-16928"], "modified": "2020-02-21T00:00:00", "id": "AKB:862DFB64-EE07-4F1F-B5F3-8F2C3A560A5F", "href": "https://attackerkb.com/topics/T6aghc4yib/exim-ehlo-crash-bug", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:07:04", "description": "Exim has released patches to address vulnerabilities affecting Exim 4.92.1 and prior versions. 
A remote attacker could exploit this vulnerability to take control of an affected email server.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Exim [CVE-2019-15846](<http://exim.org/static/doc/security/CVE-2019-15846.txt>) page and upgrade to Exim 4.92.2 or apply the necessary patches. CISA also encourages users and administrators to review the CERT Coordination Center's Vulnerability Note [VU#672565](<https://kb.cert.org/vuls/id/672565/>) for more information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2019/09/06/exim-releases-security-patches>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "cisa", "title": "Exim Releases Security Patches", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T00:00:00", "id": "CISA:E78F5F17B998F270BB418FE7D7D08E2E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/09/06/exim-releases-security-patches", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-04-21T22:49:00", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n\n exim was updated to fix a security issue:\n\n - CVE-2019-15846: Fixed a buffer overflow in SMTP Delivery process where a\n remote attacker could execute code with root privileges by sending\n crafted SNI data (boo#1149182).\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2093=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2093=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-08T00:00:00", "type": "suse", "title": "Security update for exim (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-08T00:00:00", "id": "OPENSUSE-SU-2019:2093-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVNKKLYCV6Q3DGRARHNWI7L6EZQDVH2S/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. 
Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. 
Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no longer accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line recipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficieny of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currrectly use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-754=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0754-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3FZPX7R5ELKQM2EW7W2JYZ7EFIIDTT4E/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * 
CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficieny of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currrectly use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-677=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", 
"CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-07T00:00:00", "id": "OPENSUSE-SU-2021:0677-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4UGIR4NXSH3ADTQNJZHHL5EVSFNXRGTQ/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 30 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n exim was updated to 4.94.2:\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset 
function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n update to exim 4.94\n\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - don't create logfiles during install\n * fixes CVE-2020-8015 (boo#1154183)\n\n - add a spec-file workaround for boo#1160726\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficieny of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currently use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2021-753=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", 
"CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2020-8015"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0753-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UMX36VOLIS2TDKA3MXOUO365NDUK5WQ3/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:00", "description": "Arch Linux Security Advisory ASA-201909-3\n=========================================\n\nSeverity: Critical\nDate : 2019-09-06\nCVE-ID : CVE-2019-15846\nPackage : exim\nType : arbitrary command execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1037\n\nSummary\n=======\n\nThe package exim before version 4.92.2-1 is vulnerable to arbitrary\ncommand execution.\n\nResolution\n==========\n\nUpgrade to 4.92.2-1.\n\n# pacman -Syu \"exim>=4.92.2-1\"\n\nThe problem has been fixed upstream in version 4.92.2.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nExim before 4.92.2 allows remote attackers to execute arbitrary code as\nroot via a trailing backslash.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary commands with root\nprivileges.\n\nReferences\n==========\n\nhttps://exim.org/static/doc/security/CVE-2019-15846.txt\nhttps://security.archlinux.org/CVE-2019-15846", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 
9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "archlinux", "title": "[ASA-201909-3] exim: arbitrary command execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T00:00:00", "id": "ASA-201909-3", "href": "https://security.archlinux.org/ASA-201909-3", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2022-01-04T11:37:19", "description": "USN-4124-1 fixed a vulnerability in Exim. This update provides \nthe corresponding update for Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that Exim incorrectly handled certain decoding \noperations. 
A remote attacker could possibly use this issue to execute \narbitrary commands.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-16T00:00:00", "type": "ubuntu", "title": "Exim vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-16T00:00:00", "id": "USN-4124-2", "href": "https://ubuntu.com/security/notices/USN-4124-2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-04T11:37:58", "description": "It was discovered that Exim incorrectly handled certain decoding \noperations. 
A remote attacker could possibly use this issue to execute \narbitrary commands.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "ubuntu", "title": "Exim vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T00:00:00", "id": "USN-4124-1", "href": "https://ubuntu.com/security/notices/USN-4124-1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-05-23T07:40:57", "description": "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T11:15:00", "type": "debiancve", "title": 
"CVE-2019-15846", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T11:15:00", "id": "DEBIANCVE:CVE-2019-15846", "href": "https://security-tracker.debian.org/tracker/CVE-2019-15846", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-23T07:40:57", "description": "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-27T21:15:00", "type": "debiancve", "title": "CVE-2019-16928", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-09-27T21:15:00", "id": "DEBIANCVE:CVE-2019-16928", "href": "https://security-tracker.debian.org/tracker/CVE-2019-16928", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2022-06-08T08:11:40", "description": "An out-of-bounds write flaw was found in exim. The function fails to correctly handle situations when a backslash is the last character of the input string and incorrectly sets the pointer that is supposed to point to the last character of the escape sequence upon function exit. That leads to out-of-bounds read when the caller attempts to process the input string following the escape sequence. Additionally, this may lead to out-of-bounds write when unescaped string is written (to the same or different buffer).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T14:51:18", "type": "redhatcve", "title": "CVE-2019-15846", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": 
"2022-06-08T06:28:48", "id": "RH:CVE-2019-15846", "href": "https://access.redhat.com/security/cve/cve-2019-15846", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:29:50", "description": "Exim before 4.92.2 allows remote attackers to execute arbitrary code as\nroot via a trailing backslash.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1843041>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "ubuntucve", "title": "CVE-2019-15846", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T00:00:00", "id": "UB:CVE-2019-15846", "href": "https://ubuntu.com/security/CVE-2019-15846", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:53:10", "description": "### Overview\n\nExim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the `string_interpret_escape()` function. 
This function is used to handle peer distinguished names (DN) and Server Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local or remote unauthenticated attacker to execute arbitrary code with root privileges.\n\n### Description\n\nExim is a message transfer agent (MTA) that can be used on Unix-like operating systems. All versions up to and including 4.92.1 of Exim do not properly handle trailing backslash characters in the `string_interpret_escape()` function, which is used to process peer DN and SNI during a TLS negotiation. In cases where the string being processed ends with a '`\\`' character, the vulnerable `string_interpret_escape()` function will interpret the string-terminating null byte as a value to be escaped, thus incrementing the string pointer to the byte after the string to be processed. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow.\n\nExim installations configured to allow TLS connections, which can happen either via the SMTP STARTTLS command or via TLS-on-connect, can process attacker-provided data in the TLS SNI information. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN. \n \n--- \n \n### Impact\n\nBy causing a vulnerable Exim server to process an SMTP email message, a local or remote unauthenticated attacker may be able to execute arbitrary code with root privileges. \n \n--- \n \n### Solution\n\n**Apply an update** \nThis vulnerability is addressed in Exim 4.92.2. For further information see the Exim [advisory](<https://www.exim.org/static/doc/security/CVE-2019-15846.txt>) for CVE-2019-15846. 
\n \n--- \n \n**Use ACLs to block attack attempts** \nThe Exim [advisory](<https://www.exim.org/static/doc/security/CVE-2019-15846.txt>) provides ACLs to deny email messages with trailing backslashes in TLS SNI or peer DN fields:\n\n`# to be prepended to your mail acl (the ACL referenced` \n`# by the acl_smtp_mail main config option)` \n`deny condition = ${if eq{\\\\}{${substr{-1}{1}{$tls_in_sni}}}}` \n`deny condition = ${if eq{\\\\}{${substr{-1}{1}{$tls_in_peerdn}}}}` \n--- \n \n### Vendor Information\n\n672565\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Exim Affected\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.exim.org/static/doc/security/CVE-2019-15846.txt>\n * <https://github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846>\n\n### Ubuntu __ Affected\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n**Statement Date: September 06, 2019**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`Ubuntu has released updates for Exim that address CVE-2019-15846 in \n`[`https://usn.ubuntu.com/4124-1/`](<https://usn.ubuntu.com/4124-1/>)\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://usn.ubuntu.com/4124-1/>\n\n### Arista Networks, Inc. 
__ Not Affected\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n**Statement Date: September 06, 2019**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nArista products do not use the exim mail server\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CoreOS __ Not Affected\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n**Statement Date: September 06, 2019**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCoreOS Container Linux is not vulnerable.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Red Hat, Inc. __ Not Affected\n\nNotified: September 06, 2019 Updated: September 09, 2019 \n\n**Statement Date: September 09, 2019**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nEven though the version of Exim as shipped with Red Hat Enterprise Linux 5 (only affected RedHat product includes the affected function), it does not expose the buffer overflow problem and is not affected by the remote code execution flaw.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Synology __ Not Affected\n\nNotified: September 06, 2019 Updated: September 10, 2019 \n\n**Statement Date: September 10, 2019**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nSynology does not employ Exim for our products, including MailPlus [1] and Mail Station [2].\n\n### Vendor References\n\n * [http[1]](<http\\[1\\]>)\n * <https://www.synology.com/solution/business_email_solution[2]>\n * <https://www.synology.com/dsm/packages/MailStation>\n\n### Alpine Linux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Arch Linux 
Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Aspera Inc. Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Debian GNU/Linux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Fedora Project Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Geexbox Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Gentoo Linux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Micro Focus Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not 
aware of further vendor information regarding this vulnerability.\n\n### Microsoft Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SUSE Linux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Slackware Linux Inc. Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Tizen Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Turbolinux Unknown\n\nNotified: September 06, 2019 Updated: September 06, 2019 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\nView all 20 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | 
AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.8 | E:POC/RL:OF/RC:C \nEnvironmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://www.exim.org/static/doc/security/CVE-2019-15846.txt>\n * <https://ftp.exim.org/pub/exim/exim4/>\n * <https://github.com/Exim/exim.git>\n * <https://usn.ubuntu.com/4124-1/>\n * <https://github.com/Exim/exim/tree/exim-4.92.2%2Bfixes/doc/doc-txt/cve-2019-15846>\n * <https://git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4>\n * <https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-are-currently-being-attacked/>\n * <https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/>\n\n### Acknowledgements\n\nThanks to Zerons for the initial report to Exim and to Qualys for providing additional analysis.\n\nThis document was written by Will Dormann, Laurie Tyzenhaus and Madison Oliver.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-15846](<http://web.nvd.nist.gov/vuln/detail/CVE-2019-15846>) \n---|--- \n**Date Public:** | 2019-09-06 \n**Date First Published:** | 2019-09-06 \n**Date Last Updated: ** | 2019-09-18 15:15 UTC \n**Document Revision: ** | 88 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "cert", "title": "Exim fails to properly handle trailing backslashes in string_interpret_escape()", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-18T15:15:00", "id": "VU:672565", "href": "https://www.kb.cert.org/vuls/id/672565", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nExim developers report:\n\nIf your Exim server accepts TLS connections, it is vulnerable. This does\n\t not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected.\nThe vulnerability is exploitable by sending a SNI ending in a\nbackslash-null sequence during the initial TLS handshake. The exploit\nexists as a POC. For more details see the document qualys.mbx\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-02T00:00:00", "type": "freebsd", "title": "Exim -- RCE with root privileges in TLS SNI handler", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-02T00:00:00", "id": "61DB9B88-D091-11E9-8D41-97657151F8C2", "href": "https://vuxml.freebsd.org/freebsd/61db9b88-d091-11e9-8d41-97657151f8c2.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2021-07-25T19:24:12", "description": "**Issue Overview:**\n\nExim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.(CVE-2019-15846)\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.24.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.24.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.24.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-4.92-1.24.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.24.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.24.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.92-1.24.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.24.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.24.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.24.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.24.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.24.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-4.92-1.24.amzn1.x86_64 \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-08T22:54:00", "type": "amazon", "title": "Critical: exim", "bulletinFamily": "unix", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-09T20:58:00", "id": "ALAS-2019-1277", "href": "https://alas.aws.amazon.com/ALAS-2019-1277.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-25T19:24:00", "description": "**Issue Overview:**\n\nExim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.(CVE-2019-16928)\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.25.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-4.92-1.25.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.25.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.25.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.25.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.25.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.92-1.25.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.25.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.25.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-4.92-1.25.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.25.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.25.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.25.amzn1.x86_64 \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-18T23:22:00", "type": "amazon", "title": "Critical: exim", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-10-24T21:31:00", "id": "ALAS-2019-1310", "href": "https://alas.aws.amazon.com/ALAS-2019-1310.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T21:06:22", "description": "Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T11:15:00", "type": "cve", "title": "CVE-2019-15846", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2019-15846", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15846", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-31T19:21:44", "description": "Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. 
There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-27T21:15:00", "type": "cve", "title": "CVE-2019-16928", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2022-03-31T17:50:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/o:fedoraproject:fedora:29", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:31", "cpe:/a:exim:exim:4.92.2", "cpe:/o:fedoraproject:fedora:30"], "id": "CVE-2019-16928", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16928", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.92.2:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2021-06-08T18:55:40", "description": "### 
Description\n\nExim is prone to an arbitrary code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with root privileges. Exim versions 4.8 through 4.92.1 are vulnerable.\n\n### Technologies Affected\n\n * Exim Exim 4.80 \n * Exim Exim 4.80.1 \n * Exim Exim 4.82 \n * Exim Exim 4.82.1 \n * Exim Exim 4.83 \n * Exim Exim 4.84.2 \n * Exim Exim 4.85 \n * Exim Exim 4.85.2 \n * Exim Exim 4.86 \n * Exim Exim 4.86.2 \n * Exim Exim 4.87 \n * Exim Exim 4.88 \n * Exim Exim 4.89 \n * Exim Exim 4.90 \n * Exim Exim 4.90.1 \n * Exim Exim 4.91 \n * Exim Exim 4.92 \n * Exim Exim 4.92.1 \n * Redhat Enterprise Linux 5 \n * Ubuntu Ubuntu Linux 16.04 LTS \n * Ubuntu Ubuntu Linux 18.04 LTS \n * Ubuntu Ubuntu Linux 19.04 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nPermit access to systems for trusted and accountable individuals only.\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected device at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploitation.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2019-09-02T00:00:00", "type": "symantec", "title": "Exim CVE-2019-15846 Arbitrary Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-02T00:00:00", "id": "SMNTC-110023", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110023", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2022-01-21T05:00:13", "description": "Package : exim4\nVersion : 4.84.2-2+deb8u6\nCVE ID : CVE-2019-15846\n\n\n"Zerons" and Qualys discovered that a buffer overflow triggerable in the\nTLS negotiation code of the Exim mail transport agent could result in the\nexecution of arbitrary code with root privileges.\n\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n4.84.2-2+deb8u6.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-06T10:38:28", "type": "debian", "title": "[SECURITY] [DLA 1911-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T10:38:28", "id": "DEBIAN:DLA-1911-1:FFE7F", "href": "https://lists.debian.org/debian-lts-announce/2019/09/msg00004.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-26T13:13:51", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4517-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 06, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2019-15846\n\n"Zerons" and Qualys discovered that a buffer overflow triggerable in the\nTLS negotiation code of the Exim mail transport agent could result in the\nexecution of arbitrary code with root privileges.\n\nFor the oldstable distribution (stretch), this problem has been fixed\nin version 4.89-2+deb9u6.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 4.92-8+deb10u2.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/exim4\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T10:16:08", "type": "debian", "title": "[SECURITY] [DSA 4517-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-06T10:16:08", "id": "DEBIAN:DSA-4517-1:44A46", "href": "https://lists.debian.org/debian-security-announce/2019/msg00165.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-09-07T10:43:35", "description": "GMT 2019 9 November 6 December 18: 00 PM, the exim release exim-4.92.2 version fixes CVE-2019-15846, an attacker can use this vulnerability to remotely obtain root privileges. Vulnerabilities from qualys to find and report. \n360CERT determine the vulnerability to hazards and the impact is large. \n\n0x01 vulnerability details \nWhen exim support TLS, the attacker is sent to\u2019\\0\u2019end of SNI at this time string_unprinting function call string_interpret_escape function handles escape sequences, since the string_interpret_escape function does not handle\u2019\\0\u2019case, resulting in a cross-border read. qualys has confirmed that the vulnerability could be exploited remotely to obtain root privileges. \n! [](/Article/UploadPic/2019-9/20199713551298. 
png) \n\n0x02 affected versions \nexim \n\n0x03 remediation recommendations \nAlthough currently there is no public EXP, but qualys has been described by EXP preparation of several key steps, and ultimately the use of loopholes written into the/etc/passwd file, so that remote access to root privileges. The attacker may accordingly write EXP. 360CERT recommends that users upgrade to version 4.92.2 immediately. \n4.92.2 version download link: https://github.com/Exim/exim/releases/tag/exim-4.92.2 \nIf you cannot upgrade immediately, it is recommended to configure the following rules in Exim's acl_smtp_mail: \ndeny condition = ${if eq{\\\\\\\\}{${substr{-1}{1}{$tls_in_sni}}}} \ndeny condition = ${if eq{\\\\\\\\}{${substr{-1}{1}{$tls_in_peerdn}}}} \n\n0x04 timeline \n2019-09-06 Exim releases a new version fixing the vulnerability \n2019-09-06 360CERT warning \n\n0x05 reference links \nhttps://github.com/Exim/exim \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-07T00:00:00", "title": "CVE-2019-15846: the exim remote access to root privileges vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-07T00:00:00", "id": "MYHACK58:62201995878", "href": "http://www.myhack58.com/Article/html/3/62/2019/95878.htm", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-08T03:00:08", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: exim-4.92.2-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": 
"2019-09-08T03:00:08", "id": "FEDORA:D71B8607E226", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FT3GY7V7SR2RHKNZNQCGXFWUSILVSZNU/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-08T03:09:34", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: exim-4.92.2-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-08T03:09:34", "id": "FEDORA:1D053608591B", 
"href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NDF37AUNETIOXY6ZLQAUBGBVUTMMV242/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-14T16:41:04", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: exim-4.92.2-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846"], "modified": "2019-09-14T16:41:04", "id": "FEDORA:3781D6090090", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SBNHDAF74RI6VK2JVSEIE3VYNL7JJDYM/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-02T02:01:42", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: exim-4.92.3-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-10-02T02:01:42", "id": "FEDORA:BE3C260ED61A", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T3TJW4HPYH3O5HZCWGD6NSHTEBTTAPDC/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-09T17:24:02", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: exim-4.92.3-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-10-09T17:24:02", "id": "FEDORA:BB20F604B252", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EED7HM3MFIBAP5OIMJAFJ35JAJABTVSC/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:47", "description": "[](<https://thehackernews.com/images/-LF0wUlVHTPE/XXJVEaDaYZI/AAAAAAAA1AE/CYVf9bikZKUqkBq_hHWqYkCYDsOTZcsSACLcBGAs/s728-e100/exim-email-server-vulnerability.jpg>)\n\nA critical remote code execution vulnerability has been discovered in the popular open-source Exim email server software, leaving at least over half a million email servers vulnerable to remote hackers. \n \nExim maintainers today released Exim version 4.92.2 after publishing an early warning two days ago, giving system administrators a [heads-up](<https://www.openwall.com/lists/oss-security/2019/09/04/1>) on its upcoming security patches that affect all versions of the email server software up to and including then-latest 4.92.1. \n \nExim is a widely used, open source mail transfer agent (MTA) software developed for Unix-like operating systems such as Linux, Mac OSX or Solaris, which runs almost 60% of the internet's email servers today for routing, delivering and receiving email messages. \n \nTracked as [CVE-2019-15846](<https://exim.org/static/doc/security/CVE-2019-15846.txt>), the security vulnerability only affects Exim servers that accept TLS connections, potentially allowing attackers to gain root-level access to the system \"by sending an SNI ending in a backslash-null sequence during the initial TLS handshake.\" \n \nSNI, stands for Server Name Indication, is an extension of the TLS protocol that allows the server to safely host multiple TLS certificates for multiple sites, all under a single IP address. \n \nAccording to the Exim team, since the vulnerability doesn't depend on the TLS library being used by the server, both GnuTLS and OpenSSL are affected. 
\n \nMoreover, though the default configuration of the Exim mail server software doesn't come with TLS enabled, some operating systems bundled the Exim software with the vulnerable feature enabled by default. \n \nThe vulnerability was discovered by an open source contributor and security researcher who goes by the online alias Zerons and was analyzed by cybersecurity experts at Qualys. \n \nJust three months ago, Exim also patched a severe remote command execution vulnerability, tracked as CVE-2019-10149, that was actively exploited in the wild by various groups of hackers to compromise vulnerable servers. \n \nThe Exim advisory says that a rudimentary proof of concept (PoC) exists for this flaw, but currently there is no known exploit available to the public. \n \nServer administrators are strongly advised to install the latest Exim 4.92.2 version immediately; if that is not possible, they can mitigate the issue by not allowing unpatched Exim servers to accept TLS connections. \n \nThe team says, \"If you can't install the above versions, ask your package maintainer for a version containing the backported fix. 
On request and depending on our resources we will support you in backporting the fix.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T12:48:00", "type": "thn", "title": "Exim TLS Flaw Opens Email Servers to Remote 'Root' Code Execution Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149", "CVE-2019-15846"], "modified": "2019-09-06T12:48:28", "id": "THN:FF07DE65AF5F03EDE8E6AF8F1D180CA1", "href": "https://thehackernews.com/2019/09/exim-email-server-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:44", "description": "[](<https://thehackernews.com/images/-XQUxaOT1qPw/XZHxg5L3xhI/AAAAAAAA1RM/kXL-g2O_A307L_tz4BtC_HMeeMoLnYl-QCLcBGAsYHQ/s728-e100/exim-email-server-security.jpg>)\n\nA critical security vulnerability has been discovered and fixed in the popular open-source **Exim **email server software, which could allow a remote attacker to simply crash or potentially execute malicious code on targeted servers. 
\n \nExim maintainers today [released](<https://www.exim.org/static/doc/security/CVE-2019-16928.txt>) an urgent security update\u2014**Exim version 4.92.3**\u2014after publishing an early warning two days ago, giving system administrators an early heads-up on its upcoming security patches that affect all versions of the email server software from 4.92 up to and including then-latest version 4.92.2. \n \nExim is a widely used, open source mail transfer agent (MTA) developed for Unix-like operating systems like Linux, Mac OSX or Solaris, which runs almost 60 percent of the Internet's email servers today for routing, delivering and receiving email messages. \n \nThis is the second time this month that the Exim maintainers have released an urgent security update. Earlier this month, the team patched a critical remote code execution flaw ([CVE-2019-15846](<https://thehackernews.com/2019/09/exim-email-server-vulnerability.html>)) in the software that could have allowed remote attackers to gain root-level access to the system. \n \nIdentified as [CVE-2019-16928](<https://bugs.exim.org/show_bug.cgi?id=2449>) and discovered by Jeremy Harris of the Exim Development Team, the vulnerability is a heap-based buffer overflow (memory corruption) issue in string_vformat, defined in the string.c file of the EHLO Command Handler component. \n \n\n\n[](<https://thehackernews.com/images/-njg27P0fbKk/XZIgMvMWGvI/AAAAAAAA1Rs/w-qj2SUDS4gW6Z17zKTxdnfdDNMTxhZ0ACLcBGAsYHQ/s728-e100/exim-hacking.jpg>)\n\n \nThe security flaw could allow remote attackers to cause a denial of service (DoS) condition or execute arbitrary code on a targeted Exim mail server using a specially crafted line in the EHLO command with the rights of the targeted user. 
\n \nAccording to the Exim advisory, a currently [known PoC exploit](<https://git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f>) for this vulnerability only allows one to crash the Exim process by sending a long string in the EHLO command, though other commands could also be used to potentially execute arbitrary code. \n \n\n\n> \"The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message,\" says the Exim developers' team.\n\n \n\n\n> \"While at this mode of operation, Exim already dropped its privileges, other paths to reach the vulnerable code may exist.\"\n\n \nIn mid-year, Exim also patched a severe remote command execution vulnerability (CVE-2019-10149) in its email software that was [actively exploited in the wild](<https://thehackernews.com/2019/07/linux-malware-windows-bluekeep.html>) by various groups of hackers to compromise vulnerable servers. \n \nTherefore, server administrators are strongly advised to install the latest Exim 4.92.3 version as soon as possible, since there is no known mitigation to temporarily resolve this issue. \n \nThe team also says, \"if you can't install the above versions, ask your package maintainer for a version containing the backported fix. 
On request and depending on our resources, we will support you in backporting the fix.\" \n \nThe security update is available for Linux distributions, including [Ubuntu](<https://usn.ubuntu.com/4141-1/>), [Arch Linux](<https://www.archlinux.org/packages/?q=exim>), [FreeBSD](<https://www.vuxml.org/freebsd/e917caba-e291-11e9-89f1-152fed202bb7.html>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2019-16928>), and [Fedora](<https://bodhi.fedoraproject.org/updates/?search=exim>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-30T12:14:00", "type": "thn", "title": "New Critical Exim Flaw Exposes Email Servers to Remote Attacks \u2014 Patch Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149", "CVE-2019-15846", "CVE-2019-16928"], "modified": "2019-09-30T15:33:26", "id": "THN:A947D0153E6D676ABBCCAB69CD1E73DB", "href": "https://thehackernews.com/2019/09/exim-email-security-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:03:02", "description": "### Background\n\nExim is a message 
transfer agent (MTA) designed to be a highly configurable, drop-in replacement for sendmail. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.92.2\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-07T00:00:00", "type": "gentoo", "title": "Exim: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13917", "CVE-2019-15846"], "modified": "2019-09-07T00:00:00", "id": "GLSA-201909-06", "href": "https://security.gentoo.org/glsa/201909-06", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2021-12-10T14:32:35", 
"description": "# Exim CVE Data Collection\n\nData Collection Related to Exim Vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-03T02:27:01", "type": "githubexploit", "title": "Exploit for OS Command Injection in Exim", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15846", "CVE-2019-10149", "CVE-2019-16928"], "modified": "2020-10-20T13:48:44", "id": "E1FEC345-BB7E-5FFE-AD78-64A1B9E93172", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}]}