Bug#1059387: exim4: CVE-2023-51766

2024-01-01 Thread Dave Page

On Sun, 31 Dec 2023 13:21:09 +0100 Andreas Metzler  wrote:

> Disable CHUNKING advertisement for incoming connections.
> Disable PIPELINING advertisement for incoming connections.

It's worth noting in this bug report that these can be achieved by the 
following lines in an Exim config:


chunking_advertise_hosts =
pipelining_advertise_hosts =

Cheers,
Dave
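
The two configuration lines above only stop Exim from advertising the extensions; a practitioner applying them wants a check that the change took effect. The script below is an added example, not code from the bug report, from Exim or from Debian: it parses an EHLO reply and reports whether both PIPELINING and CHUNKING are still offered, the two runtime conditions the upstream advisory lists. The sample replies are constructed, and the hostnames, the `probe` helper and its defaults are assumptions.

```python
"""Check whether an SMTP server advertises the CVE-2023-51766 preconditions.

Added example, not code from the bug report, from Exim or from Debian.  The
upstream advisory lists two runtime conditions: PIPELINING and CHUNKING are
both offered on incoming connections.  After emptying
chunking_advertise_hosts / pipelining_advertise_hosts (or upgrading), this
script confirms from the outside that at least one of them is gone.
The sample EHLO replies below are constructed, not captured from a server.
"""
import re
import socket
import sys
from typing import Set


def parse_ehlo_reply(reply: str) -> Set[str]:
    """Return the EHLO keywords (upper-cased) from a multi-line 250 reply.

    Continuation lines look like "250-KEYWORD params", the final line like
    "250 KEYWORD".  The first line carries the server's domain and greeting,
    not an extension, so it is skipped; keyword parameters are dropped.
    """
    keywords: Set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        m = re.match(r"^250([ -])(\S+)", line)
        if m is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if idx == 0:
            continue  # greeting line, e.g. "250-mail.example.org Hello ..."
        keywords.add(m.group(2).upper())
    return keywords


def smuggling_preconditions_present(keywords: Set[str]) -> bool:
    """True when the server offers both extensions the advisory requires."""
    return "PIPELINING" in keywords and "CHUNKING" in keywords


def _read_reply(f) -> str:
    """Read one SMTP reply; a '-' after the code means more lines follow."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def probe(host: str, port: int = 25, helo_name: str = "probe.invalid",
          timeout: float = 10.0) -> Set[str]:
    """Connect, send EHLO and return the advertised keywords.

    Network code; host, port and helo_name are caller-supplied assumptions.
    Only the cleartext EHLO is checked, so point it at the port relays use.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                   # 220 banner
        s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return parse_ehlo_reply(reply)


# Constructed sample replies (hostnames and addresses are placeholders).
VULNERABLE_REPLY = (
    "250-mail.example.org Hello probe.invalid [192.0.2.10]\n"
    "250-SIZE 52428800\n"
    "250-8BITMIME\n"
    "250-PIPELINING\n"
    "250-CHUNKING\n"
    "250-STARTTLS\n"
    "250 HELP"
)
# Same server after "chunking_advertise_hosts =" in the Exim configuration.
CHUNKING_DISABLED_REPLY = VULNERABLE_REPLY.replace("250-CHUNKING\n", "")
# Same server after "pipelining_advertise_hosts =" as well.
BOTH_DISABLED_REPLY = CHUNKING_DISABLED_REPLY.replace("250-PIPELINING\n", "")

if __name__ == "__main__":
    keywords = (probe(sys.argv[1]) if len(sys.argv) > 1
                else parse_ehlo_reply(VULNERABLE_REPLY))
    print("advertised:", " ".join(sorted(keywords)))
    print("PIPELINING and CHUNKING both offered:",
          smuggling_preconditions_present(keywords))
```

Only the advertisement is checked, because that is what the two configuration lines change; the upstream Workaround text says that is sufficient, since a client that pipelines or sends BDAT anyway then trips Exim's synchronisation check.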


Bug#1059387: exim4: CVE-2023-51766

2024-01-01 Thread Andreas Metzler
On 2024-01-01 Salvatore Bonaccorso  wrote:
> On Mon, Jan 01, 2024 at 04:45:24PM +0100, Andreas Metzler wrote:
[...]
> > I have prepared updates for either DSA or stable update. (I will be on my
> > dayjob again tomorrow, so I will not be that responsive on workdays.)

> Happy new year to you. Thanks for the input in the previous message.
> Let's be on the safe side, and release it through a DSA. Please upload
> to security-master.

Hello Salvatore,

thanks, happy new year!

I have uploaded with attached diffs (identical to previously sent, just
upload target changed to "bookworm/bullseye-security; urgency=high" from
UNRELEASED).

cu Andreas
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog	2023-11-18 11:07:57.0 +0100
+++ exim4-4.96/debian/changelog	2024-01-01 17:58:00.0 +0100
@@ -1,3 +1,12 @@
+exim4 (4.96-15+deb12u4) bookworm-security; urgency=high
+
+  * 77_CVE-2023-51766_4.97.1-release.diff from 4,97.1 release: Refuse to
+accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode
+(as detected from the first header line) to fix smtp-smuggling
+(CVE-2023-51766). Closes: #1059387
+
+ -- Andreas Metzler   Mon, 01 Jan 2024 17:58:00 +0100
+
 exim4 (4.96-15+deb12u3) bookworm; urgency=medium
 
   * Multiple bugfixes from upstream GIT master:
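Review bot: "from 4,97.1 release" in the first bullet has a comma where the upstream version needs a dot; it should read "from 4.97.1 release", matching the 77_CVE-2023-51766_4.97.1-release.diff name on the same line. The rest of the entry is in order: the CVE id is in the changelog text as the bug report asked, and the Closes: #1059387 tag is present.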
diff -Nru exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff
--- exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff	1970-01-01 01:00:00.0 +0100
+++ exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff	2024-01-01 16:32:59.0 +0100
@@ -0,0 +1,440 @@
+Description: Fix smtp-smuggling (CVE-2023-51766)
+ Pull upstream changes from 4.97.1 security release. 
+Author: Jeremy Harris 
+Bug-Debian: https://bugs.debian.org/1059387
+Origin: upstream
+Last-Update: 2023-12-31
+
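Review bot: "Origin: upstream" with nothing after it does not say which upstream commits this 440-line file combines, and the Description only names the 4.97.1 release; the commit ids the cover mail for this change lists (3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39, b409bf3547d465bf7f4cf8c2111eb9ec98cf5f40, fbb270d484711cc2a4c1493979c8622810dfb9a1, 5a8fc079931410b30889e69f890857b05ca8d4b2) belong in this header so a later maintainer can diff against upstream without re-deriving them. DEP-3 takes an id or URL after the category, e.g. "Origin: backport, 3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39", with the remaining ids on Comment: lines; "backport" is also the more accurate category since the testsuite parts were dropped.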
+--- a/doc/ChangeLog
 b/doc/ChangeLog
+@@ -91,10 +91,16 @@ JH/39 Bug 3023: Fix crash induced by som
+   and ${tr...}.  Found and diagnosed by Heiko Schlichting.
+  
+ JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks.  This
+   was broken by hardening introduced for Bug 3033.
+ 
++JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
++  LF-only mode (as detected from the first header line).  Previously we did
++  accept that in (normal) CRLF mode; this has been raised as a possible
++  attack scenario (under the name "smtp smuggling", CVE-2023-51766).
++
++
+ Exim version 4.96
+ -
+ 
+ JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
+   after reception to before a subsequent reception.  This should
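Review bot: two blank lines are added after the JH/s1 entry (the hunk grows from 10 to 16 lines for a four-line entry), which leaves a double gap before the "Exim version 4.96" heading where the context above the entry uses a single one; one blank line keeps the file consistent. This is also a documentation-only hunk against upstream doc/ChangeLog, which a security backport does not need and which is the part most likely to apply with fuzz on a 4.96 tree; debian/changelog already carries the same description, so it could be dropped.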
+--- /dev/null
 b/doc/doc-txt/cve-2023-51766
+@@ -0,0 +1,69 @@
++CVE ID: CVE-2023-51766
++Date:   2016-12-15
++Credits:https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
++Version(s): all up to 4.97 inclusive
++Issue:  Given a buggy relay, Exim can be induced to accept a second message embedded
++as part of the body of a first message
++
++Conditions
++==
++
++If *all* the following conditions are met
++
++Runtime options
++---
++
++* Exim offers PIPELINING on incoming connections
++
++* Exim offers CHUNKING on incoming connections
++
++Operation
++-
++
++* DATA (as opposed to BDAT) is used for a message reception
++
++* The relay host sends to the Exim MTA message data including
++  one of "LF . LF" or "CR LF . LF" or "LF . CR LF".
++
++* Exim interprets the sequence as signalling the end of data for
++  the SMTP DATA command, and hence a first message.
++
++* Exim interprets further input which the relay had as message body
++  data, as SMTP commands and data. This could include a MAIL, RCPT,
++  BDAT (etc) sequence, resulting in a further message acceptance.
++
++Impact
++==
++
++One or more messages can be accepted by Exim that have not been
++properly validated by the buggy relay.
++
++Fix
++===
++
++Install a fixed Exim version:
++
++4.98 (once available)
++4.97.1
++
++If you can't install one of the above versions, ask your package
++maintainer for a version containing the backported fix. On request and
++depending on our resources we will support you in backporting the fix.
++(Please note, that Exim project officially doesn't support versions
++prior the current stable version.)
++
++
++Workaround
++==
++
++  Disable CHUNKING advertisement for incoming connections.
++
++  An attempt to "smuggle" a DATA command will trip a syncronisation
++  check.
++
++*or*
++
++  Disable PIPELINING advertisement for incoming connections.
++
++  The "smuggled" MAIL FROM command will then trip a syncronisation
++  check.
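Review bot: "Date: 2016-12-15" in the new doc/doc-txt/cve-2023-51766 file is seven years before the CVE year and looks like a typo; confirm the intended date against the upstream file rather than shipping it as is. "syncronisation" appears twice in the Workaround section and should be "synchronisation". One substantive question: the Operation list names three triggering sequences, "LF . LF", "CR LF . LF" and "LF . CR LF", but the fix is described (here and in debian/changelog) as refusing a "dot, LF" line, which covers the first two and not obviously the third, where the dot is followed by CR LF and only the preceding line break is bare. Please check that the receive.c change also declines "LF . CR LF" for a message detected as CRLF, or note in this file that the third sequence is not addressed.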
+--- a/src/receive.c
 b/src/receive.c
+@@ -826,104 +826,118 @@ we make the CRs optional in all cases.
+ 
+ July 2003: Bare CRs cause trouble. 

Bug#1059387: exim4: CVE-2023-51766

2024-01-01 Thread Salvatore Bonaccorso
HI Andreas,

On Mon, Jan 01, 2024 at 04:45:24PM +0100, Andreas Metzler wrote:
> On 2023-12-30 Salvatore Bonaccorso  wrote:
> [...]
> > If so, will you work as well on the bullseye-security update?
> 
> Hello,
> 
> I have prepared updates for either DSA or stable update. (I will be on my
> dayjob again tomorrow, so I will not be that responsive on workdays.)

Happy new year to you. Thanks for the input in the previous message.
Let's be on the safe side, and release it through a DSA. Please upload
to security-master.

Regards,
Salvatore



Bug#1059387: exim4: CVE-2023-51766

2024-01-01 Thread Andreas Metzler
On 2023-12-30 Salvatore Bonaccorso  wrote:
[...]
> If so, will you work as well on the bullseye-security update?

Hello,

I have prepared updates for either DSA or stable update. (I will be on my
dayjob again tomorrow, so I will not be that responsive on workdays.)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From ae3c47947917673912c89bf59226f9d205466534 Mon Sep 17 00:00:00 2001
From: Andreas Metzler 
Date: Sun, 31 Dec 2023 16:44:13 +0100
Subject: [PATCH] CVE-2023-51766 fix

Combines these patches from upstream exim-4.97+security branch:
3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39
 Reject "dot, LF" as ending data phase.  Bug 3063
b409bf3547d465bf7f4cf8c2111eb9ec98cf5f40
 Use enum for body data input state-machine
fbb270d484711cc2a4c1493979c8622810dfb9a1
 Reject "dot, LF" as ending data phase (pt. 2).  Bug 3063
ce223f7f741f91ed01a321c4c8ddb5f2bd7a1bcf
 Testsuite: testcase for "smtp smuggling".  Bug 3063
 Also remove the unneeded sync point added in cf1376206284
 [cf1376206284 is on master branch, the equivalent here is
 3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39.  Testsuite parts of the patch
 not included for Debian upload]
5a8fc079931410b30889e69f890857b05ca8d4b2
 Docs: Security release.  Bug 3063
---
 debian/changelog  |   9 +
 .../77_CVE-2023-51766_4.97.1-release.diff | 440 ++
 debian/patches/series |   1 +
 3 files changed, 450 insertions(+)
 create mode 100644 debian/patches/77_CVE-2023-51766_4.97.1-release.diff

diff --git a/debian/changelog b/debian/changelog
index ec2103a2..c6f00b50 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,16 @@
+exim4 (4.96-15+deb12u4) UNRELEASED; urgency=medium
+
+  * 77_CVE-2023-51766_4.97.1-release.diff from 4,97.1 release: Refuse to
+accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode
+(as detected from the first header line) to fix smtp-smuggling
+(CVE-2023-51766). Closes: #1059387
+
+ -- Andreas Metzler   Sun, 31 Dec 2023 14:21:50 +0100
+
 exim4 (4.96-15+deb12u3) bookworm; urgency=medium
 
   * Multiple bugfixes from upstream GIT master:
 + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
 + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
   (Upstream bug 2998)
 + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
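Review bot: the distribution is still UNRELEASED and the urgency medium; a DSA upload to security-master needs "bookworm-security; urgency=high" in this line (and the bullseye-security equivalent for oldstable), which is the one change the later upload notes it made to this entry. Changing it before sending the patch for review avoids a second round-trip on an otherwise identical diff.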
diff --git a/debian/patches/77_CVE-2023-51766_4.97.1-release.diff b/debian/patches/77_CVE-2023-51766_4.97.1-release.diff
new file mode 100644
index ..77d52ce3
--- /dev/null
+++ b/debian/patches/77_CVE-2023-51766_4.97.1-release.diff
@@ -0,0 +1,440 @@
+Description: Fix smtp-smuggling (CVE-2023-51766)
+ Pull upstream changes from 4.97.1 security release. 
+Author: Jeremy Harris 
+Bug-Debian: https://bugs.debian.org/1059387
+Origin: upstream
+Last-Update: 2023-12-31
+
+--- a/doc/ChangeLog
 b/doc/ChangeLog
+@@ -91,10 +91,16 @@ JH/39 Bug 3023: Fix crash induced by som
+   and ${tr...}.  Found and diagnosed by Heiko Schlichting.
+  
+ JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks.  This
+   was broken by hardening introduced for Bug 3033.
+ 
++JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
++  LF-only mode (as detected from the first header line).  Previously we did
++  accept that in (normal) CRLF mode; this has been raised as a possible
++  attack scenario (under the name "smtp smuggling", CVE-2023-51766).
++
++
+ Exim version 4.96
+ -
+ 
+ JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
+   after reception to before a subsequent reception.  This should
+--- /dev/null
 b/doc/doc-txt/cve-2023-51766
+@@ -0,0 +1,69 @@
++CVE ID: CVE-2023-51766
++Date:   2016-12-15
++Credits:https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
++Version(s): all up to 4.97 inclusive
++Issue:  Given a buggy relay, Exim can be induced to accept a second message embedded
++as part of the body of a first message
++
++Conditions
++==
++
++If *all* the following conditions are met
++
++Runtime options
++---
++
++* Exim offers PIPELINING on incoming connections
++
++* Exim offers CHUNKING on incoming connections
++
++Operation
++-
++
++* DATA (as opposed to BDAT) is used for a message reception
++
++* The relay host sends to the Exim MTA message data including
++  one of "LF . LF" or "CR LF . LF" or "LF . CR LF".
++
++* Exim interprets the sequence as signalling the end of data for
++  the SMTP DATA command, and hence a first message.
++
++* Exim interprets further input which the relay had as message body
++  data, as SMTP commands and data. This could include a MAIL, RCPT,
++  BDAT (etc) sequence, resulting in a further message acceptance.
++
++Impact

Bug#1059387: exim4: CVE-2023-51766

2023-12-31 Thread Andreas Metzler
On 2023-12-30 Salvatore Bonaccorso  wrote:
> On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
 
> > are you going to release a DSA (I can start preparing one) or should I
> > aim for another stable update?

> We certainly can do. We have not fully evaluated yet, but it can be
> sensible that we do release via a DSA. For postfix there were enough
> mitigation options to do, so that it was good enough to schedule the
> update via a point release (and fasttrack still through a SUA, given
> the update was a bugfix release rebase).

> How is the situation for exim4? Are there similar workarounds which
> can be put in place e.g. like the postfix forbid_unauth_pipelining
> option?
[...]

Hello,

https://git.exim.org/exim.git/blob/5a8fc079931410b30889e69f890857b05ca8d4b2:/doc/doc-txt/cve-2023-51766
says:
8X
Workaround
==

  Disable CHUNKING advertisement for incoming connections.
[...]
*or*
  Disable PIPELINING advertisement for incoming connections.
8X

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#1059387: exim4: CVE-2023-51766

2023-12-30 Thread Salvatore Bonaccorso
Hi Andreas,

On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> On 2023-12-24 Salvatore Bonaccorso  wrote:
> > Source: exim4
> > Version: 4.97-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
> [...]
> > The following vulnerability was published for exim4.
> 
> > CVE-2023-51766[0]:
> > | Exim through 4.97 allows SMTP smuggling in certain configurations.
> > | Remote attackers can use a published exploitation technique to
> > | inject e-mail messages that appear to originate from the Exim
> > | server, allowing bypass of an SPF protection mechanism. This occurs
> > | because Exim supports <LF>.<LF> but some other popular e-mail
> > | servers do not.
> 
> Hello Salvatore,
> 
> are you going to release a DSA (I can start preparing one) or should I
> aim for another stable update?

We certainly can do. We have not fully evaluated yet, but it can be
sensible that we do release via a DSA. For postfix there were enough
mitigation options to do, so that it was good enough to schedule the
update via a point release (and fasttrack still through a SUA, given
the update was a bugfix release rebase).

How is the situation for exim4? Are there similar workarounds which
can be put in place e.g. like the postfix forbid_unauth_pipelining
option?

If there is no such way for exim4 then this lowers the bar for
releasing exim4 through a DSA.

If so, will you work as well on the bullseye-security update?

Thanks as usual for your diligent work!

Regards,
Salvatore



Bug#1059387: exim4: CVE-2023-51766

2023-12-30 Thread Andreas Metzler
On 2023-12-24 Salvatore Bonaccorso  wrote:
> Source: exim4
> Version: 4.97-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
[...]
> The following vulnerability was published for exim4.

> CVE-2023-51766[0]:
> | Exim through 4.97 allows SMTP smuggling in certain configurations.
> | Remote attackers can use a published exploitation technique to
> | inject e-mail messages that appear to originate from the Exim
> | server, allowing bypass of an SPF protection mechanism. This occurs
> | because Exim supports <LF>.<LF> but some other popular e-mail
> | servers do not.

Hello Salvatore,

are you going to release a DSA (I can start preparing one) or should I
aim for another stable update?

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




Bug#1059387: exim4: CVE-2023-51766

2023-12-24 Thread Salvatore Bonaccorso
Source: exim4
Version: 4.97-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for exim4.

CVE-2023-51766[0]:
| Exim through 4.97 allows SMTP smuggling in certain configurations.
| Remote attackers can use a published exploitation technique to
| inject e-mail messages that appear to originate from the Exim
| server, allowing bypass of an SPF protection mechanism. This occurs
| because Exim supports <LF>.<LF> but some other popular e-mail
| servers do not.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51766
https://www.cve.org/CVERecord?id=CVE-2023-51766
[1] https://bugs.exim.org/show_bug.cgi?id=3063

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
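
The CVE text above turns on one detail: Exim accepted <LF>.<LF> as the end of DATA where the relay in front of it did not. The model below is an added example, not Exim's receive.c and not part of the bug report. Its lenient branch models the pre-fix reader, in which CRs are optional around the terminating dot; its strict branch models the rule from the fix, refusing a "dot, LF" line unless the message is in LF-only mode as detected from the first header line. The regex-based rules, the "mode from the first line" detection, the `split_data_stream` helper, and the constructed stream with its placeholder addresses are all assumptions of this model.

```python
"""Model of the end-of-DATA check that CVE-2023-51766 turns on.

Added example, not Exim's receive.c.  An SMTP DATA phase ends with a line
holding a single dot.  Exim treated CRs as optional, so "<LF>.<LF>" (or
"<CR><LF>.<LF>") ended DATA, while a relay in front of it that insists on
"<CR><LF>.<CR><LF>" passed those bytes through as body text.  The fix
refuses "dot, LF" as end-of-DATA unless the message is in LF-only mode, as
detected from its first header line.  split_data_stream is a simplified
stand-in for the receiving MTA's reader (the regex rules and the detection
of the mode from the first line are this model's assumptions), and
SMUGGLED_STREAM is a constructed example of what a buggy relay would forward.
"""
import re
from typing import List, Optional, Tuple

LENIENT_END = re.compile(rb"\r?\n\.\r?\n")  # pre-fix model: CRs optional everywhere
CRLF_END = re.compile(rb"\r\n\.\r\n")       # fixed model, message in CRLF mode
LF_END = re.compile(rb"\n\.\n")             # fixed model, message in LF-only mode


def line_ending_mode(stream: bytes) -> str:
    """'crlf' if the first header line ends in CR LF, 'lf' if in a bare LF."""
    nl = stream.find(b"\n")
    if nl < 0:
        raise ValueError("stream holds no complete line")
    return "crlf" if nl > 0 and stream[nl - 1] == 0x0D else "lf"


def split_data_stream(stream: bytes, strict: bool) -> Tuple[bytes, Optional[bytes]]:
    """Split the octets that follow DATA into (message body, octets left on the wire).

    strict=False models the pre-fix reader; strict=True models the fixed rule.
    Returns (stream, None) when no acceptable terminator is present.
    """
    if strict:
        pattern = CRLF_END if line_ending_mode(stream) == "crlf" else LF_END
    else:
        pattern = LENIENT_END
    m = pattern.search(stream)
    if m is None:
        return stream, None
    # The line break before the dot closes the last body line; the dot line
    # itself is the terminator and is not part of the message.
    return stream[:m.start()], stream[m.end():]


def smtp_verbs_in(octets: bytes) -> List[str]:
    """Envelope/data verbs at the start of lines in leftover octets.

    Whatever is left after a terminator is what the server parses as the
    next commands, which is exactly what the smuggler is counting on.
    """
    verbs = []
    for line in re.split(rb"\r?\n", octets):
        m = re.match(rb"(?i)^(MAIL|RCPT|DATA|BDAT)\b", line)
        if m:
            verbs.append(m.group(1).decode("ascii").upper())
    return verbs


# Constructed stream: one CRLF message whose body carries "<CR><LF>.<LF>" and
# then a second envelope.  The relay's own terminator comes only at the end.
SMUGGLED_STREAM = (
    b"From: alice@relay.example\r\n"
    b"To: bob@victim.example\r\n"
    b"Subject: legitimate\r\n"
    b"\r\n"
    b"hello\r\n"
    b".\n"                                  # <CR><LF>.<LF>: end-of-DATA pre-fix, body text to a strict relay
    b"MAIL FROM:<ceo@victim.example>\r\n"   # relay forwarded this as body text
    b"RCPT TO:<bob@victim.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"Subject: spoofed\r\n"
    b"\r\n"
    b"wire the money\r\n"
    b".\r\n"                                # the relay's real end-of-DATA
)

# The same attack with the "<LF>.<CR><LF>" variant from the advisory's list.
SMUGGLED_STREAM_LF_DOT_CRLF = SMUGGLED_STREAM.replace(b"hello\r\n.\n", b"hello\n.\r\n")

# A genuine LF-only message: here "<LF>.<LF>" is the legitimate terminator.
LF_ONLY_STREAM = b"From: a@example.org\nTo: b@example.org\n\nbody\n.\nQUIT\r\n"

if __name__ == "__main__":
    for strict in (False, True):
        body, rest = split_data_stream(SMUGGLED_STREAM, strict)
        print(f"strict={strict}: body ends {body[-14:]!r}, "
              f"leftover verbs={smtp_verbs_in(rest or b'')}")
```

With strict=False the first message ends at "hello" and the leftover octets begin with MAIL FROM, so a server in that mode goes on to accept a second message whose envelope the relay never validated. With strict=True the same bytes stay inside one CRLF-mode body up to the relay's own terminator, and for the LF-only message the bare-LF dot line is still honoured, which is why the fix keys on the first header line rather than refusing "dot, LF" outright.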