Hi Chris,

Thanks for the analysis. My understanding is the same.

I think the main concern is regarding memory limits placed on qmail-local. I 
don't know how to apply softlimits there.

Quinn


On 26 May 2020 08:17:08, Chris wrote:
> I built my QMT a couple of years ago on CentOS 7, and spot checking I 
> see that softlimits are already applied in the following supervise 
> startup scripts:
> 
> /var/qmail/supervise/smtp/run
> /var/qmail/supervise/submission/run
> /var/qmail/supervise/smtps/run
> 
> Additionally, I have a reasonable value in 
> /var/qmail/control/databytes (I'm 99% certain that QMT sets a value 
> here by default.)
> 
> So, as far as I can tell, the RCE issues are already mitigated in 
> relatively recent QMT installs.  
> 
> If I am reading the CVE correctly, all of the RCE vulnerabilities can 
> be mitigated by having a reasonable value in 
> /var/qmail/control/databytes.
> 
> Have you checked your deployed systems?
> 
> I need to dig into how qmail-local is being called, so I can figure 
> out whether it has softlimits yet, but I need to get my kids to 
> school.  :)
> 
> -Chris
> 
> On Tue, May 26, 2020 at 6:07 AM Quinn Comendant 
> <qu...@strangecode.com> wrote:
>> Hello all,
>> 
>> I just came across this security bulletin that affects qmail:
>> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
>> 
>> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were
>> never fixed because they were believed to be unexploitable in a default
>> installation. We recently re-discovered these vulnerabilities and were
>> able to exploit one of them remotely in a default installation.”
>> 
>> If I understand correctly, it can be mitigated by:
>> 
>> - using softlimit to restrict the process memory limit, even on qmail-local
>> - configuring databytes to limit email message size.
>> 
>> or by applying the patches included in the article linked above. 
>> 
>> Is this patch something that should be included in QMT?
>> 
>> How to add soft limit to qmail-local?
>> 
>> Quinn
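The two mitigations the thread discusses (softlimit in the supervise run scripts and a non-zero /var/qmail/control/databytes) can be checked on a deployed host with a small audit script. This is an added example, not part of the thread and not QMT's own code; the paths are the ones Chris and Quinn name, the service names are assumed to be smtp, submission and smtps, and the -m/-d/-a flags are daemontools softlimit's memory-bounding options. It does not touch qmail-local, whose invocation the thread leaves open.

```sh
#!/bin/sh
# Audit a qmail tree for the mitigations discussed in the thread:
#   1. each supervise run script invokes softlimit with a memory bound
#   2. control/databytes holds a positive message-size limit
# QMAIL_DIR defaults to the path used in the thread; override for testing.

QMAIL_DIR="${QMAIL_DIR:-/var/qmail}"

# Return 0 if the run script calls softlimit with -m, -d or -a followed by
# a number (daemontools softlimit's memory-related options); 1 otherwise;
# 2 if the file is unreadable.
run_script_has_softlimit() {
    f="$1"
    [ -r "$f" ] || return 2
    grep -Eq 'softlimit.*[[:space:]]-[mda][[:space:]]*[0-9]+' "$f"
}

# Return 0 if the first line of the databytes file is a positive integer.
# An empty file or a value of 0 means "no limit", which qmail-smtpd treats
# as unlimited, so both are reported as failures.
databytes_is_set() {
    f="$1"
    [ -r "$f" ] || return 2
    v=$(head -n 1 "$f" | tr -d '[:space:]')
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -gt 0 ]
}

# Print one line per check and return the number of failed checks
# (0 means every checked service has softlimit and databytes is set).
audit_qmail_limits() {
    dir="$1"
    fails=0
    for svc in smtp submission smtps; do   # assumed QMT service names
        if run_script_has_softlimit "$dir/supervise/$svc/run"; then
            echo "ok   supervise/$svc/run uses softlimit"
        else
            echo "FAIL supervise/$svc/run has no softlimit memory bound"
            fails=$((fails + 1))
        fi
    done
    if databytes_is_set "$dir/control/databytes"; then
        echo "ok   control/databytes is set"
    else
        echo "FAIL control/databytes missing, empty or zero"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh audit-qmail-limits.sh --audit   (exit status = number of failures)
if [ "${1:-}" = "--audit" ]; then
    audit_qmail_limits "$QMAIL_DIR"
    exit $?
fi
```

The exit status is the failure count, so the script can be dropped into a configuration-check job that alerts on non-zero; the grep deliberately only accepts a numeric argument after the flag, so a commented-out or argument-less softlimit line is not counted as a mitigation.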
