Re: [exim-dev] CVE-2021-38371 (allows response injection dur…

Top Page
Delete this message
Reply to this message
Author: Andrew C Aitchison
Date:  
To: exim-dev
CC: Harry Mills
Subject: Re: [exim-dev] CVE-2021-38371 (allows response injection during MTA SMTP sending)

I guess we should also try to turn the appropriate fake-mail-server
scripts into exim test scripts.

I'd like to see which test shows the vulnerability and your results.

Jeremy, Heiko, is it OK to be discussing this here ?

On Wed, 5 Jan 2022, Harry Mills via Exim-dev wrote:

> Hi Andrew,
>
> You are correct. I have setup a test network with the fake-mail-server
> running in a VM and I am liaising with the SecVuln guys at the moment to see
> if I can reproduce the test they say shows the vulnerability when Exim is
> sending email.
>
> Best wishes,
>
> Harry
>
> On 04/01/2022 19:33, Andrew C Aitchison wrote:
>> On Tue, 4 Jan 2022, Harry Mills via Exim-dev wrote:
>>
>>> Hi Jeremy,
>>>
>>> Thanks for the swift reply. Here is the (anonymised) output of the test
>>> tool for reference. It looks like exim 4.94.2 (Centos 8) is not
>>> vulnerable:
>>>
>>> python3 ./command-injection-tester --smtp <MAILSERVER>
>>
>> As I understand https://nostarttls.secvuln.info/
>> command-injection-tester only tests for bugs when exim is receiving email;
>> to test for the *response* injection bugs in CVE-2021-38371, when exim is
>> sending email, you need to use
>>    https://github.com/Email-Analysis-Toolkit/fake-mail-server
>> which looks more involved to me.
>>
> -- 
> Harry Mills                                         Tel: 01749 812100
> Managing Director                                   Mob: 07815 848818
> Opendium Ltd.                                       www.opendium.com

>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
> details at http://www.exim.org/ ##
>


-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???