Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
A: Andreas Metzler
CC: Exim-users
Assumpte: Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
On Wed, 15 Mar 2023, Andreas Metzler wrote:

> On 2022-08-24 17:49, Andrew C Aitchison wrote:
> [...]
>> www.exim.org/static/doc/security/CVE-2021-38371.txt
>> is advertised on a couple of CVE sites but does not exist.
>> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
>> actually predates the NO STARTTLS announcement).
>
>> I wrote up some text for it but Jeremy didn't like the tone of it
>> - my page sounded as if we agreed that the bug was a security issue.
>> He clearly did not believe that CVE-2021-38371 is an insecurity;
>> I agree that there is no evidence that it is one, but lack of evidence is
>> not evidence of lack, and the fix has been applied.
>
>> Like you, I think that we should respond to each CVE, whether they
>> are security issues or not, but Jeremy gave me the impression that
>> he does not.
>
>> If you are happy to stick to your guns on this one, I will rewrite
>> mine and report it in the bugzilla, which is what Jeremy suggested.
>
>> Since Jeremy does most of the work on exim I am not keen
>> to make a fuss.
>
> Hello Andrew
>
> the CVE status is still marked as "applies to 4.94.2, might be fixed in
> later versions" in all security trackers. Could you point to the fixing
> GIT commit?


Took a bit of tracking down but here it is:

commit 1b9ab35f323121aabf029f0496c7227818efad14

https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html

I have attached the text I wrote for
https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than when
it hit the exim git (Aug 2 11:10:35 2020 +0100).

Can you can see a way not to say that this is a security issue ?

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
CVE ID: CVE-2021-38371
Date:       2021-08-10
Version(s): up to and including 4.94.2
Reporter:   Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference:  https://nostarttls.secvuln.info/
Issue:      Possible MitM attack on STARTTLS when exim is *sending* email.
            

Conditions to be vulnerable
===========================

Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.
 

Details
=======

When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.

Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
commit 1b9ab35f323121aabf029f0496c7227818efad14
Author: Jeremy Harris
Date:   Thu Jul 30 20:16:01 2020 +0100

Mitigation
==========

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).