Author: Phil Pennock
Date:  
To: exim-users, oss-security
Subject: Re: [exim] [oss-security] Sv: CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges
On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
> Phil Pennock <pdp@???> (Sa 07 Sep 2019 02:52:56 CEST):
> > The connect ACL won't protect you against STARTTLS usage, which is far
> > more common for email than TLS-on-connect.
> >
> > I myself use the HELO ACL.
>
> This doesn't seem to be sufficient, you can start "submitting" a message to
> a remote Exim with the following sequence
Yeah sorry folks, that was a little embarrassing: my setup, and various
common configurations (including apparently RedHat's) enforce
EHLO-after-STARTTLS. But that's Exim configuration, not hard-enforced
in the code.

"Be lenient in what you accept" ... bah humbug.

Exim's default configuration has included this check, at RCPT time
(which still works for our purposes) since commit 731c6a9043 in 2016,
included in releases 4.87 onwards.

So I use the HELO ACL and it's safe in "many" configurations, but we
have to be more cautious in recommending mitigating workarounds.

-Phil
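As an added illustration of the placement point made above (this is not text from the thread, from Phil, or from the Exim distribution): the "HELO was accepted" requirement expressed as an ACL check in the RCPT ACL rather than the HELO ACL. It assumes the ACL names used by Exim's default configure file (acl_smtp_rcpt pointing at acl_check_rcpt) and the $sender_helo_name variable with the def: expansion condition; the exact wording of the shipped default check is not quoted on the page, so this shows the check in the form described rather than the verbatim default.

```exim
# Added illustration, not the shipped default configure file.
# Assumed: the default's ACL name (acl_check_rcpt) and that the HELO/EHLO
# name, once accepted, is available as $sender_helo_name.

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Insist that a HELO/EHLO was accepted before any RCPT is processed.
  # A HELO-time ACL only runs when the client actually sends EHLO, so a
  # client that does not re-send EHLO after STARTTLS never revisits it.
  # RCPT, by contrast, is reached for every message and always after any
  # STARTTLS, so a check placed here fires regardless of whether the
  # configuration enforces EHLO-after-STARTTLS.
  require message   = nice hosts say HELO first
          condition = ${if def:sender_helo_name}

  # ... the configuration's existing relay control and recipient
  # verification statements follow here; an ACL that ends without an
  # explicit accept denies, so nothing above opens relaying by itself.
```

Usage note: the main-section line must appear before `begin acl`, and the check belongs at the top of acl_check_rcpt so it runs before any accept statement for local or relay-permitted recipients.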