Shouldn't this be in connect ACL? How would the deny in MAIL FROM prevent the exploit? What I have understand is that there is exploit in the SNI of the TLS negotiation, thus the whole connect attempt must be rejected right?
-----Ursprungligt meddelande----- Från: Exim-users <[email protected]> För Heiko Schlittermann via Exim-users Skickat: den 6 september 2019 13:22 Till: oss-security <[email protected]>; Exim Users <[email protected]> Ämne: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges An Update to the mitigation for the current CVE: Add - as part of the mail ACL (the ACL referenced by the main config option "acl_smtp_mail"): deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}} deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}} This should prevent the currently known attack vector. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
smime.p7s
Description: S/MIME Cryptographic Signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
