Shouldn't this be in connect ACL?
How would the deny in MAIL FROM prevent the exploit? What I have understand is that there is exploit in the SNI of the TLS negotiation, thus the whole connect attempt must be rejected right?
-----Ursprungligt meddelande-----
Från: Exim-users <exim-users-bounces+sebastian=sebbe.eu@???> För Heiko Schlittermann via Exim-users
Skickat: den 6 september 2019 13:22
Till: oss-security <oss-security@???>; Exim Users <exim-users@???>
Ämne: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges
An Update to the mitigation for the current CVE:
Add - as part of the mail ACL (the ACL referenced by the main config
option "acl_smtp_mail"):
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
This should prevent the currently known attack vector.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
