Hi Jeremy,
Thanks for the swift reply. Here is the (anonymised) output of the test
tool for reference. It looks like Exim 4.94.2 (CentOS 8) is not vulnerable:
python3 ./command-injection-tester --smtp <MAILSERVER>
SMTP: 2022-01-04 14:29:45 - INFO - Testing SMTP server at <MAILSERVER>:587
SMTP: 2022-01-04 14:29:45 - DEBUG - Logdir: ./logs, Comment: commandinjectiontester, Timeout: 2
SMTP: 2022-01-04 14:29:45 - INFO - Sanity test...
SMTP: 2022-01-04 14:29:47 - TRACE - S: 220 <MAILSERVER> ESMTP Exim 4.94.2 Tue, 04 Jan 2022 14:29:45 +0000
SMTP: 2022-01-04 14:29:47 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-<MAILSERVER> Hello <MAILSERVER> [<MAILSERVER IP>]
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-SIZE 52428800
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-8BITMIME
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-PIPELINING
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-PIPE_CONNECT
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-CHUNKING
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250-STARTTLS
SMTP: 2022-01-04 14:29:49 - TRACE - S: 250 HELP
SMTP: 2022-01-04 14:29:49 - TRACE - C: NOOP
SMTP: 2022-01-04 14:29:51 - TRACE - S: 250 OK
SMTP: 2022-01-04 14:29:51 - TRACE - C: STARTTLS
SMTP: 2022-01-04 14:29:53 - TRACE - S: 220 TLS go ahead
SMTP: 2022-01-04 14:29:53 - DEBUG - <----- TLS Handshake ----->
SMTP: 2022-01-04 14:29:53 - TRACE - C: QUIT
SMTP: 2022-01-04 14:29:53 - TRACE - S: 221 <MAILSERVER> closing connection
SMTP: 2022-01-04 14:29:53 - INFO - Sanity test done
SMTP: 2022-01-04 14:29:53 - INFO - Testing for command injection...
SMTP: 2022-01-04 14:29:55 - TRACE - S: 220 <MAILSERVER> ESMTP Exim 4.94.2 Tue, 04 Jan 2022 14:29:53 +0000
SMTP: 2022-01-04 14:29:55 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-<MAILSERVER> Hello <MAILSERVER> [<MAILSERVER IP>]
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-SIZE 52428800
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-8BITMIME
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-PIPELINING
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-PIPE_CONNECT
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-CHUNKING
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250-STARTTLS
SMTP: 2022-01-04 14:29:57 - TRACE - S: 250 HELP
SMTP: 2022-01-04 14:29:57 - TRACE - C: STARTTLS
SMTP: 2022-01-04 14:29:57 - TRACE - C: EHLO commandinjectiontester
SMTP: 2022-01-04 14:29:59 - TRACE - S: 220 TLS go ahead
SMTP: 2022-01-04 14:29:59 - DEBUG - <----- TLS Handshake ----->
SMTP: 2022-01-04 14:30:01 - DEBUG - No response in encrypted context, trying real command now ...
SMTP: 2022-01-04 14:30:01 - TRACE - C: FAKE commandinjectiontester
SMTP: 2022-01-04 14:30:03 - TRACE - S: 500 unrecognized command
SMTP: 2022-01-04 14:30:03 - INFO - Probably no command injection here!
Best wishes,
Harry
On 04/01/2022 14:00, Jeremy Harris via Exim-dev wrote:
> On 04/01/2022 11:11, Harry Mills via Exim-dev wrote:
>> We have a PCI DSS compliance failure for CVE-2021-38371. The details
>> page (linked from the mitre.org site) gives a 404, and we cannot find
>> any other details on what this CVE refers to, or whether or not a fix
>> is available.
>>
>> We are running Exim 4.94.2-2 from EPEL on CentOS 8.
>>
>> Any information would be very welcome.
>
> https://nostarttls.secvuln.info/ claims Exim is vulnerable, and that this
> was reported to us. However, I'm not aware of any such report nor
> evidence.
>
> You could try the test tool linked from that page.
--
Harry Mills Tel: 01749 812100
Managing Director Mob: 07815 848818
Opendium Ltd. www.opendium.com
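
The check visible in the trace above (STARTTLS and EHLO sent together before the handshake, then watching for a reply inside TLS) can be modelled as a toy server receive buffer. This is an added example, not part of the original message or of the test tool; the function names and the `discard_on_starttls` switch are hypothetical, and no real sockets or TLS are involved.

```python
# Added illustration: toy model of a server's receive buffer across STARTTLS.
# No sockets or real TLS; names and the discard_on_starttls switch are hypothetical.

def run_session(plaintext_segment, encrypted_lines, discard_on_starttls):
    """Return (context, origin, verb) for every command the toy server executes.

    plaintext_segment: bytes that reached the server before the TLS handshake.
    encrypted_lines:   commands the client sends inside the TLS session.
    """
    executed = []
    buf = plaintext_segment
    pending = list(encrypted_lines)
    tls = False
    while True:
        if b"\r\n" in buf:                      # leftover cleartext is parsed first
            line, buf = buf.split(b"\r\n", 1)
            origin = "cleartext"
        elif tls and pending:
            line, origin = pending.pop(0), "tls"
        else:
            break
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        executed.append(("tls" if tls else "plain", origin, verb))
        if verb == "STARTTLS" and not tls:
            if discard_on_starttls:
                buf = b""                       # drop anything pipelined behind STARTTLS
            tls = True                          # handshake assumed to succeed
    return executed


def injected_commands(executed):
    """Verbs that arrived in cleartext but were executed in the TLS context."""
    return [verb for ctx, origin, verb in executed
            if ctx == "tls" and origin == "cleartext"]


# Constructed input mirroring the trace: STARTTLS and EHLO sent together,
# then FAKE sent once the handshake has completed.
SEGMENT = b"STARTTLS\r\nEHLO commandinjectiontester\r\n"
INSIDE_TLS = [b"FAKE commandinjectiontester"]

if __name__ == "__main__":
    for discard in (False, True):
        result = run_session(SEGMENT, INSIDE_TLS, discard)
        print("discard_on_starttls=%s -> executed=%s injected=%s"
              % (discard, [v for _, _, v in result], injected_commands(result)))
```

With the discard in place only FAKE runs inside TLS, which matches the single `500 unrecognized command` reply in the trace.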