Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely expl…

Author: Tony Finch
Date:  
To: exim-users
Subject: Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
Viktor Dukhovni <exim-users@???> wrote:
>
> FWIW, Postfix never uses gethostbyname() on systems that have
> getaddrinfo() (build configuration enables IPv6 API support).


Exim's DNS code has a rather long history :-)

> On systems with no IPv6 API Postfix only calls gethostbyname()
> after first dealing with literal address forms via inet_pton().
> In other words, literal IPv4 addresses accepted by inet_pton(),
> are never passed to gethostbyname().


Exim mostly takes a similar approach.

The specific weakness used by the Qualys exploit is that Exim will pass an
attacker-controlled string - the HELO hostname - to gethostbyname.

You can avoid this exploit by making sure your configuration leaves the
following unset in the main part of the configuration

    helo_verify_hosts
    helo_try_verify_hosts


and by not using the following in any ACLs

    verify = helo


Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
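As an added check that is not part of Tony's message or of Exim's own tooling: a POSIX shell function that scans an Exim configuration file for the three settings listed above (the two main-section options and the `verify = helo` ACL condition), exercised against two constructed sample configurations. It assumes the usual one-option-per-line layout and `#` comment lines; it does not follow `.include` files.

```shell
#!/bin/sh
# Added example (not from the original post). Scans an Exim configuration
# file for the settings that hand the client's HELO name to gethostbyname()
# as discussed for CVE-2015-0235. Returns 0 when none are present, 1 otherwise.
check_helo_verify() {
    conf="$1"
    # Match main options "helo_verify_hosts = ..." / "helo_try_verify_hosts = ..."
    # and ACL conditions "verify = helo" (also "!verify = helo"), then drop
    # lines that are comments. grep -n keeps the original line numbers.
    hits=$(grep -En \
        '^[[:space:]]*helo_(try_)?verify_hosts[[:space:]]*=|(^|[[:space:]!])verify[[:space:]]*=[[:space:]]*helo' \
        "$conf" | grep -Ev '^[0-9]+:[[:space:]]*#' || true)
    if [ -z "$hits" ]; then
        echo "$conf: no HELO verification settings found"
        return 0
    fi
    echo "$conf: HELO verification enabled at:"
    echo "$hits" | sed 's/^/  at line /'
    return 1
}

# Constructed sample configurations (not real deployments) to exercise the
# check: one with all three settings, one that leaves them out. Prints the
# directory they were written to.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/vulnerable.conf" <<'EOF'
primary_hostname = mail.example.test
# Both main options below make Exim look up the HELO name.
helo_verify_hosts = *
helo_try_verify_hosts = *
acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
  deny    message = HELO name did not verify
          !verify = helo
  accept
EOF
    cat > "$dir/safe.conf" <<'EOF'
primary_hostname = mail.example.test
# helo_verify_hosts = *   (deliberately left unset)
acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
  accept
EOF
    echo "$dir"
}
```

On a running installation, `exim -bP helo_verify_hosts helo_try_verify_hosts` prints the effective values of the two main options, which is the authoritative check for those; the ACL condition still has to be found in the configuration text.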