From: Heiko Schlittermann (HS12-RIPE) Date: Sun, 1 Oct 2023 17:08:45 +0000 (+0200) Subject: add document about CVE-2023-* assigned by ZDI X-Git-Url: https://git.exim.org/exim-website.git/commitdiff_plain/a4f9684a3a1f32d07d318c525fc9f0c712063422?ds=sidebyside add document about CVE-2023-* assigned by ZDI --- diff --git a/templates/static/doc/security/CVE-2023-zdi.txt b/templates/static/doc/security/CVE-2023-zdi.txt new file mode 100644 index 0000000..a9dc538 --- /dev/null +++ b/templates/static/doc/security/CVE-2023-zdi.txt @@ -0,0 +1,83 @@ +Summary +------- +Six 0day exploits were filed against Exim. + +None of these issues is related to transport security (TLS) being +on or off. + +* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not + use SPA/NTLM, or EXTERNAL authentication, you're not affected. These + issues are fixed. + +* One issue is related to data received from a proxy-protocol proxy. If + you do not use a proxy in front of Exim, you're not affected. If your + proxy is trustworthy, you're not affected. We're working on a fix. + +* One is related to libspf2. If you do not use the `spf` lookup type or + the `spf` ACL condition, you are not affected. + +* The last one is related to DNS lookups. If you use a trustworthy + resolver (which does validation of the data it receives), you're not + affected. We're working on a fix. + +Schedule +-------- +Currently we're in contact with the major distros and aim to release +those fixes that are available as soon as possible. (Aiming Monday, Oct +2nd.) + + +More Details +------------ + +ZDI-23-1468 | ZDI-CAN-17433 | CVE-2023-42114 | Exim bug 3001 +------------------------------------------------------------ +Subject: NTLM Challenge Out-Of-Bounds Read +CVSS Score: 3.7 +Mitigation: Do not use SPA (NTLM) authentication +Subsystem: SPA auth +Fixed: 04107e98d, 4.96.1, 4.97 + +ZDI-23-1469 | ZDI-CAN-17434 | CVE-2023-42115 | Exim bug 2999 +------------------------------------------------------------ +Subject: AUTH Out-Of-Bounds Write +CVSS Score: 9.8 +Mitigation: Do not offer EXTERNAL authentication. +Subsystem: EXTERNAL auth +Fixed: 7bb5bc2c6, 4.96.1, 4.97 + +ZDI-23-1470 | ZDI-CAN-17515 | CVE-2023-42116 | Exim bug 3000 +------------------------------------------------------------ +Subject: SMTP Challenge Stack-based Buffer Overflow +CVSS Score: 8.1 +Mitigation: Do not use SPA (NTLM) authentication +Subsystem: SPA auth +Fixed: e17b8b0f1, 4.96.1, 4.97 + +ZDI-23-1471 | ZDI-CAN-17554 | CVE-2023-42117 | Exim Bug 3031 +------------------------------------------------------------- +Subject: Improper Neutralization of Special Elements +CVSS Score: 8.1 +Mitigation: Do not use Exim behind an untrusted proxy-protocol proxy +Subsystem: proxy protocol (not socks!) +Fix: not yet + +ZDI-23-1472 | ZDI-CAN-17578 | CVE-2023-42118 | Exim Bug 3032 +------------------------------------------------------------ +Subject: libspf2 Integer Underflow +CVSS Score: 7.5 +Mitigation: Do not use the `spf` condition in your ACL +Subsystem: spf +Remark: It is debatable if this should be filed against + libspf2. + +ZDI-23-1473 | ZDI-CAN-17643 | CVE-2023-42219 | Exim Bug 3033 +------------------------------------------------------------ +Subject: dnsdb Out-Of-Bounds Read +CVSS Score: 3.1 +Mitigation: Use a trustworthy DNS resolver which is able to + validate the data according to the DNS record types. +Subsystem: dns lookups +Fix: not yet +Remark: It is still under consideration. +