[Bug 1185631] New: VUL-0: exim: 21Nails - Multiple vulnerabilities in Exim
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631

            Bug ID: 1185631
           Summary: VUL-0: exim: 21Nails - Multiple vulnerabilities in Exim
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: rfrohl@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

oss-security:

Qualys Security Advisory

21Nails: Multiple vulnerabilities in Exim

========================================================================
Contents
========================================================================

Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Exim's spool directory
- CVE-2020-28014: Arbitrary file creation and clobbering
- CVE-2021-27216: Arbitrary file deletion
- CVE-2020-28011: Heap buffer overflow in queue_run()
- CVE-2020-28010: Heap out-of-bounds write in main()
- CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
- CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
- CVE-2020-28015: New-line injection into spool header file (local)
- CVE-2020-28012: Missing close-on-exec flag for privileged pipe
- CVE-2020-28009: Integer overflow in get_stdinput()
Remote vulnerabilities
- CVE-2020-28017: Integer overflow in receive_add_recipient()
- CVE-2020-28020: Integer overflow in receive_msg()
- CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
- CVE-2020-28021: New-line injection into spool header file (remote)
- CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
- CVE-2020-28026: Line truncation and injection in spool_read_header()
- CVE-2020-28019: Failure to reset function pointer after BDAT error
- CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
- CVE-2020-28018: Use-after-free in tls-openssl.c
- CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
Acknowledgments
Timeline

========================================================================
Summary
========================================================================

We recently audited central parts of the Exim mail server
(https://en.wikipedia.org/wiki/Exim) and discovered 21 vulnerabilities
(from CVE-2020-28007 to CVE-2020-28026, plus CVE-2021-27216): 11 local
vulnerabilities, and 10 remote vulnerabilities. Unless otherwise noted,
all versions of Exim are affected since at least the beginning of its
Git history, in 2004.

We have not tried to exploit all of these vulnerabilities, but we
successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs
(Remote Code Executions):

- CVE-2020-28007 (LPE, from user "exim" to root);
- CVE-2020-28008 (LPE, from user "exim" to root);
- CVE-2020-28015 (LPE, from any user to root);
- CVE-2020-28012 (LPE, from any user to root, if allow_filter is true);
- CVE-2020-28020 (unauthenticated RCE as "exim", in Exim < 4.92);
- CVE-2020-28018 (unauthenticated RCE as "exim", in 4.90 <= Exim < 4.94,
  if TLS encryption is provided by OpenSSL);
- CVE-2020-28021 (authenticated RCE, as root);
- CVE-2020-28017 is also exploitable (unauthenticated RCE as "exim"),
  but requires more than 25GB of memory in the default configuration.

We will not publish our exploits for now; instead, we encourage other
security researchers to write and publish their own exploits:

- This advisory contains sufficient information to develop reliable
  exploits for these vulnerabilities; in fact, we believe that better
  exploitation methods exist.
- We hope that more security researchers will look into Exim's code and
  report their findings; indeed, we discovered several of these
  vulnerabilities while working on our exploits.
- We will answer (to the best of our abilities) any questions regarding
  these vulnerabilities and exploits on the public "oss-security" list
  (https://oss-security.openwall.org/wiki/mailing-lists/oss-security).

Last-minute note: as explained in the Timeline, we developed a minimal
set of patches for these vulnerabilities; for reference and comparison,
it is attached to this advisory and is also available at
https://www.qualys.com/research/security-advisories/.

https://seclists.org/oss-sec/2021/q2/93

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |poeml@cmdline.net,
                   |                            |wullinger@rz.uni-kiel.de
           Assignee|security-team@suse.de       |wullinger@rz.uni-kiel.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631#c1

Peter Wullinger <wullinger@rz.uni-kiel.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

--- Comment #1 from Peter Wullinger <wullinger@rz.uni-kiel.de> ---
server:mail already has 4.94.2 with the fixes.
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631
http://bugzilla.opensuse.org/show_bug.cgi?id=1185631#c3

--- Comment #3 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1185631) was mentioned in
https://build.opensuse.org/request/show/891096 15.2 / exim
https://build.opensuse.org/request/show/891098 Backports:SLE-15-SP1 / exim