
Critical Exim Security Vulnerability

A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed. Exim is a widely used mail transfer agent used on Unix-like operating systems.

With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:

chunking_advertise_hosts =

That’s an empty value, nothing to the right of the equals sign. It disables advertising the ESMTP CHUNKING extension, so the BDAT verb is unavailable and a remote sender cannot reach the affected code path.

This should be a complete workaround. Impact of applying the workaround is that mail senders have to stick to the traditional DATA verb instead of using BDAT.

We’ve requested CVEs. More news will be forthcoming as we get this worked out.

A quick check can be performed to see if you are vulnerable:
exim -bP | grep chunking_advertise_hosts

If the value printed is empty, you are safe. To clear the value in your configuration, run the following (adjust the path if your configuration file lives elsewhere):
sed -i 's/chunking_advertise_hosts.*/chunking_advertise_hosts =/g' /etc/exim.conf

For servers running cPanel:

# perl -pi.bak -e "s/^chunking_advertise_hosts =.*/chunking_advertise_hosts = /g" /usr/local/cpanel/etc/exim/config_options
# /scripts/buildeximconf
# /scripts/restartsrv_exim

This will remove the configured hosts that the chunking_advertise_hosts option currently has and set it to an empty host list. It will also back up the current /usr/local/cpanel/etc/exim/config_options as /usr/local/cpanel/etc/exim/config_options.bak.
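The two steps above (check the effective value, then blank the option in the configuration file while keeping a backup) can be wrapped in a small POSIX shell script. The script below is an added example, not part of the original advisory or of Exim or cPanel; it assumes the configuration file uses "option = value" lines as both the plain exim.conf and the cPanel config_options file do, and it deliberately matches only an uncommented chunking_advertise_hosts line so that comment lines are left untouched. On cPanel you would still run /scripts/buildeximconf and /scripts/restartsrv_exim afterwards; on a plain installation, restart Exim.

```shell
#!/bin/sh
# Added example (not the advisory's own commands): check and apply the
# chunking_advertise_hosts workaround.
# Assumption: configuration lines look like "chunking_advertise_hosts = *".

# Read the output of `exim -bP chunking_advertise_hosts` from stdin and
# return 0 (true) when the effective value is empty, 1 otherwise.
# Reading from stdin lets the check be tested with constructed input.
chunking_disabled() {
    value=$(sed -n 's/^chunking_advertise_hosts *= *//p' | tr -d '[:space:]')
    [ -z "$value" ]
}

# Return 0 if $1 contains an active (uncommented) chunking_advertise_hosts
# line, 1 if it does not. Note: when the line is absent, Exim 4.88+ falls
# back to its built-in default, which is not empty, so absence means the
# option must be added to the main section by hand.
has_chunking_line() {
    grep -q '^[[:space:]]*chunking_advertise_hosts[[:space:]]*=' "$1"
}

# Blank the value of the active chunking_advertise_hosts line in $1,
# keeping the original as "$1.bak". Returns 2 when no active line exists.
apply_workaround() {
    cfg=$1
    has_chunking_line "$cfg" || {
        echo "no active chunking_advertise_hosts line in $cfg; add it to the main section" >&2
        return 2
    }
    cp "$cfg" "$cfg.bak" || return 1
    # Anchored at line start so "# chunking_advertise_hosts = ..." comments survive.
    sed 's/^[[:space:]]*chunking_advertise_hosts[[:space:]]*=.*/chunking_advertise_hosts =/' \
        "$cfg.bak" > "$cfg" || return 1
}

# Live check against the installed Exim (needs the exim binary on PATH):
#   exim -bP chunking_advertise_hosts | chunking_disabled && echo safe || echo vulnerable
# Apply to a configuration file:
#   apply_workaround /etc/exim.conf
```

Because the script writes the original file to a .bak copy and regenerates the configuration from it, it is safe to re-run; a second run simply rewrites an already-empty line.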

It is recommended that you take immediate action.

EDIT: servers running DirectAdmin are NOT affected. The chunking_advertise_hosts directive can be found in the exim.variables.conf file and has an empty value by default.


More Information:
https://lists.gt.net/exim/announce/108962

Ongoing Discussion via WHT:
http://www.webhostingtalk.com/showthread.php?t=1684234
