On Wed, 15 Mar 2023, Andreas Metzler wrote:
> On 2022-08-24 17:49, Andrew C Aitchison wrote:
> [...]
>> www.exim.org/static/doc/security/CVE-2021-38371.txt
>> is advertised on a couple of CVE sites but does not exist.
>> Like CVE-2022-37452, CVE-2021-38371 was fixed in 4.95 (the fix in git
>> actually predates the NO STARTTLS announcement).
>
>> I wrote up some text for it but Jeremy didn't like the tone of it
>> - my page sounded as if we agreed that the bug was a security issue.
>> He clearly did not believe that CVE-2021-38371 is an insecurity;
>> I agree that there is no evidence that it is one, but lack of evidence is
>> not evidence of lack, and the fix has been applied.
>
>> Like you, I think that we should respond to each CVE, whether they
>> are security issues or not, but Jeremy gave me the impression that
>> he does not.
>
>> If you are happy to stick to your guns on this one, I will rewrite
>> mine and report it in the bugzilla, which is what Jeremy suggested.
>
>> Since Jeremy does most of the work on exim I am not keen
>> to make a fuss.
>
> Hello Andrew
>
> the CVE status is still marked as "applies to 4.94.2, might be fixed in
> later versions" in all security trackers. Could you point to the fixing
> GIT commit?
Took a bit of tracking down but here it is:
commit 1b9ab35f323121aabf029f0496c7227818efad14
https://lists.exim.org/lurker/message/20200802.111710.a42f3573.de.html
I have attached the text I wrote for
https://www.exim.org/static/doc/security/CVE-2021-38371.txt
This has the wrong date: when Jeremy wrote the patch, rather than when
it hit the exim git (Aug 2 11:10:35 2020 +0100).
Can you see a way not to say that this is a security issue?
--
Andrew C. Aitchison Kendal, UK
andrew@???
CVE ID: CVE-2021-38371
Date: 2021-08-10
Version(s): up to and including 4.94.2
Reporter: Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference: https://nostarttls.secvuln.info/
Issue: Possible MitM attack on STARTTLS when exim is *sending* email.
Conditions to be vulnerable
===========================
Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.
Details
=======
When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.
Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
commit 1b9ab35f323121aabf029f0496c7227818efad14
Author: Jeremy Harris
Date: Thu Jul 30 20:16:01 2020 +0100
Mitigation
==========
There is - besides updating the server - no known mitigation.
Fix
===
Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).
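The response injection described in the Details section above, and the client-side check that defeats it, as an added example that is not part of this thread or of Exim's own code: after reading the reply to STARTTLS, any bytes still waiting in the plaintext input buffer are rejected rather than being carried into the TLS session as if the server had sent them. Function names and the sample replies are constructed for illustration.

```python
from typing import List, Tuple

# Constructed illustration of a STARTTLS client check; not Exim code.


def split_smtp_reply(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a raw SMTP input buffer into (reply_lines, remainder).

    An SMTP reply is zero or more continuation lines "NNN-text\\r\\n"
    followed by one final line "NNN text\\r\\n" (space after the code).
    Anything after that final line was sent by the peer before we
    issued our next command, i.e. it was never requested.
    """
    lines: List[bytes] = []
    pos = 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("incomplete reply")
        line = buf[pos:end]
        pos = end + 2
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        lines.append(line)
        sep = line[3:4]
        if sep in (b"", b" "):
            return lines, buf[pos:]  # final line of this reply
        if sep != b"-":
            raise ValueError("malformed reply line: %r" % line)


def starttls_reply_is_safe(buf: bytes) -> Tuple[bool, str]:
    """Decide whether the plaintext reply to STARTTLS allows a TLS handshake.

    Returns (True, "ok") only if the server answered 220 and nothing is
    left in the plaintext buffer. Leftover bytes cannot belong to the
    TLS session that has not started yet, so a meddler-in-the-middle
    could only have placed them there; the session must be abandoned.
    """
    lines, remainder = split_smtp_reply(buf)
    code = lines[-1][:3]
    if code != b"220":
        return False, "server declined STARTTLS (%s)" % code.decode()
    if remainder:
        return False, "plaintext data after STARTTLS reply: %r" % remainder
    return True, "ok"
```

The second constructed buffer in the test below is the shape of the attack: a 220 line followed by a pre-supplied "250 OK" that a naive client would later read as the encrypted reply to its next command.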