Re: [Exim] OT - CERT Advisory - Buffer Overflow in Sendmail

>Subject: Re: [Exim] OT - CERT Advisory - Buffer Overflow in Sendmail
>From: "Kevin W. Reed" <listaccount@???>
>To: exim-users@???
>Cc: Dennis Davis <D.H.Davis@???>
>Date: Thu, 18 Sep 2003 09:42:58 -0700 (MST)

...

>> exim *doesn't* do content scanning. After all it's an MTA.
>> exim will just pass any such message onto a vulnerable sendmail
>> server.
>
>Exim with exiscan-acl *does* do content scanning... We already use
>it for a lot of virus and bad stuff checking... thus the reason for
>my asking.

Agreed. We're using it for this as well. However the Advisory also
includes the sentence:

Sendmail contains a vulnerability in its address parsing code. An
error in the prescan() function could allow an attacker to write
past the end of a buffer, corrupting memory structures.

so it looks like there's a problem with the parsing of addresses
in the message headers, not the envelope. This requires rather
specialised content scanning unless the addresses are easy to pick
out.

Using:

require verify = header_sender

require verfify = header_syntax

in your acl_smtp_data may give you some protection, but I wouldn't
count on it.

>The envirnoment I am dealing with in this case has all outside
>MTA's now using Exim. But ugrading 300 internal unix servers is
>not going to happen overnight and in some cases never (very old,
>Sequent NumaQ).

I've got a lot less than that here. So I've just told the relevant
postmaster. Now it's their problem.