Unless I am missing something, in the absence of softlimits the risk with qmail-local is still mitigated by the use of a reasonable databytes value.
-Chris

On Tue, May 26, 2020 at 9:20 AM Quinn Comendant <qu...@strangecode.com> wrote:
> Hi Chris,
>
> Thanks for the analysis. My understanding is the same.
>
> I think the main concern is regarding memory limits placed on qmail-local.
> I don't know how to apply softlimits there.
>
> Quinn
>
>
> On 26 May 2020 08:17:08, Chris wrote:
> > I built my QMT a couple of years ago on CentOS 7, and spot checking I
> > see that softlimits are already applied in the following supervise
> > startup scripts:
> >
> > /var/qmail/supervise/smtp/run
> > /var/qmail/supervise/submission/run
> > /var/qmail/supervise/smtps/run
> >
> > Additionally, I have a reasonable value in
> > /var/qmail/control/databytes (I'm 99% certain that QMT sets a value
> > here by default.)
> >
> > So, as far as I can tell, the RCE issues are already mitigated in
> > relatively recent QMT installs.
> >
> > If I am reading the CVE correctly, all of the RCE vulnerabilities can
> > be mitigated by having a reasonable value in
> > /var/qmail/control/databytes
> >
> > Have you checked your deployed systems?
> >
> > I need to dig into how qmail-local is being called, so I can figure
> > out whether it has softlimits yet, but I need to get my kids to
> > school. :)
> >
> > -Chris
> >
> > On Tue, May 26, 2020 at 6:07 AM Quinn Comendant
> > <qu...@strangecode.com> wrote:
> >> Hello all,
> >>
> >> I just came across this security bulletin that affects qmail:
> >>
> >> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
> >>
> >> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were
> >> never fixed because they were believed to be unexploitable in a default
> >> installation. We recently re-discovered these vulnerabilities and were
> >> able to exploit one of them remotely in a default installation.”
> >>
> >> If I understand correctly, it can be mitigated by:
> >>
> >> - using softlimit to restrict process memory limit, even on qmail-local
> >> - configure databytes to limit email message size.
> >>
> >> or by applying the patches included in the article linked above.
> >>
> >> Is this patch something that should be included in QMT?
> >>
> >> How to add soft limit to qmail-local?
> >>
> >> Quinn
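
The spot check described in this thread (softlimit in the three supervise run scripts, plus a value in control/databytes) can be scripted. The following is an added example, not code from the thread or from QMT; it assumes the limit is written as a literal number after `softlimit -m`, and it does not cover qmail-local, which none of these run scripts start.

```shell
#!/bin/sh
# Added audit sketch, not from the thread. Paths are the ones named in the
# messages; the literal-number form of "softlimit -m" is an assumption.
# Usage after sourcing: audit_qmail [QMAIL_ROOT]   (default /var/qmail)

# Print the byte value passed to "softlimit -m" in a run script, or nothing.
softlimit_mem() {
    [ -r "$1" ] || return 0
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*softlimit[^|;]*[[:space:]]-m[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" | head -n 1
}

# Classify control/databytes: unset, invalid, unlimited (0) or "limit N".
databytes_status() {
    f="$1/control/databytes"
    [ -r "$f" ] || { echo "unset"; return 0; }
    v=$(head -n 1 "$f" | tr -d '[:space:]')
    case "$v" in
        ''|*[!0-9]*) echo "invalid" ;;
        0)           echo "unlimited" ;;
        *)           echo "limit $v" ;;
    esac
}

# Report each service and databytes; return 1 if any check fails.
audit_qmail() {
    root="${1:-/var/qmail}"
    rc=0
    for svc in smtp submission smtps; do
        mem=$(softlimit_mem "$root/supervise/$svc/run")
        if [ -n "$mem" ]; then
            echo "$svc: softlimit -m $mem"
        else
            echo "$svc: no literal softlimit -m in run script"
            rc=1
        fi
    done
    db=$(databytes_status "$root")
    echo "databytes: $db"
    case "$db" in
        limit*) ;;
        *) rc=1 ;;
    esac
    return "$rc"
}
```

A run script that passes the limit through a shell variable is reported as having no literal limit and needs a manual look.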