EximSecurity
Phil Pennock edited this page Jan 29, 2015
Much consideration of Exim's security is given in Chapter 54 - Security considerations of The Exim Specification. This includes suggested hardening steps.
Note that a "remote code execution as Exim run-time user" vulnerability can be combined with a privilege escalation attack to become even more serious.
- CVE-2015-0235 is a glibc bug, affecting multiple applications on platforms which use glibc for their system C library; this was a problem with the gethostbyname() functions. The security advisory referenced Exim as an exploit vector for remote access. The fix is to update glibc; workarounds include disabling the configuration directives which enable the HELO checking that exposes the vulnerability. See https://lists.exim.org/lurker/message/20150127.200135.056f32f2.en.html for our advisory on this.
- CVE-2014-2972 fixed in 4.83: mathematical comparison functions were expanding their arguments twice. Impact: local code execution if specific mathematical comparison functions were performing data lookups from user-controlled data.
- CVE-2014-2957 fixed in 4.82.1, introduced in 4.82: used untrusted data when parsing the From header in Experimental DMARC code and allowed macro expansion. Details post
- CVE-2012-5671 fixed in 4.80.1, introduced in 4.70: buffer overflow vulnerability in DKIM DNS response processing. Impact: remote code execution as Exim run-time user. Details post
- CVE-2011-1764 fixed in 4.76, introduced in 4.70: format string attack in DKIM processing. Impact: remote code execution as Exim run-time user. Bugzilla 1106.
- CVE-2011-1407 fixed in 4.76, introduced in 4.70: flaw in handling DKIM DNS records. Impact: remote code execution as Exim run-time user
- CVE-2011-0017 fixed in 4.73: return values of setuid()/setgid() not checked; only an issue on Linux. Impact: privilege escalation from Exim run-time user to root
- CVE-2010-4345 fixed in 4.73: Exim privilege escalation from Exim run-time user to root via configuration overrides
- CVE-2010-2023 fixed in 4.72: Hardlink attack via sticky mbox directory. Impact: overwrite files of target user on same partition as mbox directory. Bugzilla 988.
- CVE-2010-2024 fixed in 4.72: Symlink attack in /tmp for MBX locking algorithm. Bugzilla 989.
- CVE-2010-4344 fixed in 4.70: buffer overflow in string_format(). Impact: remote code execution as Exim run-time user. Bugzilla 787.
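The CVE-2011-0017 entry above is a reminder that setuid()/setgid() can fail on Linux (for example when the target uid is already at its RLIMIT_NPROC limit) and that an unchecked call silently leaves the process running as root. The following is an added example, not Exim's own code, of a privilege-drop routine that checks every step and then verifies the result before the caller continues; the negative step codes and the command-line handling in main() are this example's own conventions, and the default target ids (the ids the process already holds) are a constructed choice so the routine can be exercised by any user.

```c
#define _GNU_SOURCE          /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to target_uid/target_gid, checking the result of every
 * step. Returns 0 on success; on failure returns a negative step code so the
 * caller can log which step failed and then abort rather than carry on.
 *
 *   -1  setgroups() failed    -2  setgid() failed    -3  setuid() failed
 *   -4  the kernel does not report the ids we asked for
 *   -5  root could still be regained (saved uid was not cleared)
 */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* Supplementary groups can only be cleared while still privileged; an
       already unprivileged process has nothing to clear, so skip the call. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once the uid is dropped, setgid() to anything else fails. */
    if (setgid(target_gid) != 0)
        return -2;

    /* Called as root, setuid() sets real, effective and saved uid, so the drop
       is permanent. This is the call CVE-2011-0017 concerned: it can fail, and
       an unchecked failure leaves the process running as root. */
    if (setuid(target_uid) != 0)
        return -3;

    /* Belt and braces: confirm the kernel reports exactly the ids requested. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -4;

    /* After dropping to a non-root uid, regaining root must be impossible. */
    if (target_uid != 0 && setuid(0) == 0)
        return -5;

    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: with no arguments, "drop" to the ids the process
       already holds, which succeeds for any user and runs the same checks.
       Pass "<uid> <gid>" to drop to other ids when started as root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (argc == 3) {
        uid = (uid_t)strtoul(argv[1], NULL, 10);
        gid = (gid_t)strtoul(argv[2], NULL, 10);
    }

    int rc = drop_privileges(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed at step %d: %s\n", -rc,
                rc >= -3 ? strerror(errno) : "post-drop id check failed");
        return 1;   /* never continue as root after a failed drop */
    }
    printf("now running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The ordering matters: setgroups() and setgid() must come before setuid(), because after the uid is dropped the process no longer has the privilege to change its groups. The final setuid(0) probe is what distinguishes a permanent drop from a temporary one; a daemon that intends to drop for good should fail hard if that probe succeeds.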