[exim] Re: Mitigation statement for CVE-2023-42119

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Slavko
Date:  
À: Andreas Metzler, Andreas Metzler via Exim-users, exim-users
Sujet: [exim] Re: Mitigation statement for CVE-2023-42119
Dňa 6. októbra 2023 16:24:27 UTC používateľ Andreas Metzler via Exim-users <exim-users@???> napísal:
>On 2023-10-06 Slavko via Exim-users <exim-users@???> wrote:
>[...]
>> hmm, i still cannot get how "network adjacent" is related to root
>> privileges. But my head never was good for attacks...
>
>Hello,
>Afaiui the attack will require special DNS packets that would not be
>sent out by a real recursive resolver. i.e. the attacker needs to change
>these packets directly by being in between the resolver and the machine
>hosting exim.


Thanks, just to confirm (or summarize):

+ if resolver is in public net (eg. 1.1.1.1) the attacker can be relative anyone
+ if resolver is in LAN (remote host) attacker have to be somewhere inside LAN
+ if resolver is on the same host, attacker have to be root

As addition, the resolver must validate received RR (which is not the
case eg. of dnsmasq). If it doesn't do that, attacker can exploit it by
sending crafted response from its (real) DNS server and again can be
relative anyone.

Right?

(by "relative anyone" i mean mostly, that he must know how)

IMO, if attacker already has root access, he can do many more than
intercept DNS response. Or more precise, it doesn't need to do that,
as he usually can do (near) anything on that host...

BTW, when we cannot be sure, which resolvers are trusted, we have
to start to list the resolvers, which are know as not trusted (in mean
of this issue).

>Until now the discussion there sadly only explains why 3 out of 6
>possible issues are still unresolved or not really understood. The
>person (?) sending mails from ZDI does not answer any questions but
>sends out unrelated canned responses. :-(


Yes, i read that. It is really suspicious, as it seems as they cannot
provide exploit. And if that is true, we have repeat that anywhere,
until they revert particular 0day issue(s).

I asked that summary, just to we (exim users) will be informed
about progress, as not all are subscribed to both. IMO, that
thread should be CC here...

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/