I guess we should also try to turn the appropriate fake-mail-server
scripts into exim test scripts.
I'd like to see which test shows the vulnerability and your results.
Jeremy, Heiko, is it OK to be discussing this here ?
On Wed, 5 Jan 2022, Harry Mills via Exim-dev wrote:
Hi Andrew,
You are correct. I have setup a test network with the fake-mail-server
running in a VM and I am liaising with the SecVuln guys at the moment to see
if I can reproduce the test they say shows the vulnerability when Exim is
sending email.
Best wishes,
Harry
On 04/01/2022 19:33, Andrew C Aitchison wrote:
On Tue, 4 Jan 2022, Harry Mills via Exim-dev wrote:
Hi Jeremy,
Thanks for the swift reply. Here is the (anonymised) output of the test
tool for reference. It looks like exim 4.94.2 (Centos 8) is not
vulnerable:
python3 ./command-injection-tester --smtp <MAILSERVER>
As I understand https://nostarttls.secvuln.info/
command-injection-tester only tests for bugs when exim is receiving email;
to test for the *response* injection bugs in CVE-2021-38371, when exim is
sending email, you need to use
https://github.com/Email-Analysis-Toolkit/fake-mail-server
which looks more involved to me.
--
Harry Mills Tel: 01749 812100
Managing Director Mob: 07815 848818
Opendium Ltd. www.opendium.com
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
details at http://www.exim.org/ ##
--
Andrew C. Aitchison Kendal, UK
[email protected]
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim
details at http://www.exim.org/ ##
