Bug#1059387: exim4: CVE-2023-51766
On Sun, 31 Dec 2023 13:21:09 +0100 Andreas Metzler wrote:
> Disable CHUNKING advertisement for incoming connections.
> Disable PIPELINING advertisement for incoming connections.

It's worth noting in this bug report that these can be achieved by the following lines in an Exim config:

chunking_advertise_hosts =
pipelining_advertise_hosts =

Cheers, Dave
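Added example, not from Dave's message and not Exim code: a small Python check that reads a raw EHLO reply and reports whether the server still offers both CHUNKING and PIPELINING, which is exactly what the two empty options above withdraw. The upstream advisory needs only one of the two to be withheld, so the check passes as soon as either is gone. The two replies are constructed for the example; `probe()` is a hypothetical helper name that runs the same test against a live server with the standard library's smtplib. It works on any EHLO reply, not just the two shown.

```python
"""Added example; not part of the bug report or of Exim. Given a raw EHLO
reply, report whether the server still advertises both CHUNKING and
PIPELINING, i.e. whether the workaround (empty chunking_advertise_hosts /
pipelining_advertise_hosts) is in effect. Replies below are constructed."""
import smtplib

# The two extensions the upstream advisory says must *both* be offered for
# the smuggled transaction to get through; withholding either one suffices.
RISKY = frozenset({"CHUNKING", "PIPELINING"})

# Constructed EHLO reply of a server with default advertisement.
DEFAULT_REPLY = (
    b"250-mail.example.org Hello client.example.net [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-8BITMIME\r\n"
    b"250-PIPELINING\r\n"
    b"250-CHUNKING\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)

# Constructed reply after both *_advertise_hosts options were set to empty.
HARDENED_REPLY = (
    b"250-mail.example.org Hello client.example.net [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)


def advertised_extensions(ehlo_reply: bytes) -> set[str]:
    """Return the ESMTP keywords in a multi-line 250 reply.

    Continuation lines look like "250-KEYWORD [params]" and the last one
    "250 KEYWORD". The first line is the greeting (server name), not a
    keyword, so it is skipped. A non-250 reply yields an empty set.
    """
    lines = [raw.decode("ascii", "replace").rstrip("\r")
             for raw in ehlo_reply.split(b"\n") if raw.strip()]
    keywords: set[str] = set()
    for line in lines[1:]:                    # lines[0] is the greeting
        if not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def workaround_in_effect(ehlo_reply: bytes) -> bool:
    """True unless the server offers *both* risky extensions."""
    return not RISKY <= advertised_extensions(ehlo_reply)


def probe(host: str, port: int = 25) -> bool:
    """Live variant for your own server (hypothetical helper, not exercised
    offline). smtplib keeps the parsed EHLO keywords in esmtp_features,
    keyed in lower case."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        offered = {k.upper() for k in smtp.esmtp_features}
        return not RISKY <= offered


if __name__ == "__main__":
    for name, reply in (("default", DEFAULT_REPLY), ("hardened", HARDENED_REPLY)):
        print(name, sorted(advertised_extensions(reply)),
              "workaround in effect:", workaround_in_effect(reply))
```

When checking a real server, repeat the EHLO after STARTTLS as well, since the advertised set can differ between the plaintext and the TLS session.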
Bug#1059387: exim4: CVE-2023-51766
On 2024-01-01 Salvatore Bonaccorso wrote: > On Mon, Jan 01, 2024 at 04:45:24PM +0100, Andreas Metzler wrote: [...] > > I have prepared updates for either DSA or stable update. (I will be on my > > dayjob again tomorrow, so I will not be that responsive on workdays.) > Happy new year to you. Thanks for the input in the previous message. > Let be on the safe side, and release it through a DSA. Please upload > to security-master. Hello Salvatore, thanks, happy new year! I have uploaded with attached diffs (identical to previously sent, just upload target changed to "bookworm/bullseye-security; urgency=high" from UNRELEASED. cu Andreas diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-11-18 11:07:57.0 +0100 +++ exim4-4.96/debian/changelog 2024-01-01 17:58:00.0 +0100 @@ -1,3 +1,12 @@ +exim4 (4.96-15+deb12u4) bookworm-security; urgency=high + + * 77_CVE-2023-51766_4.97.1-release.diff from 4,97.1 release: Refuse to +accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode +(as detected from the first header line) to fix smtp-smuggling +(CVE-2023-51766). Closes: #1059387 + + -- Andreas Metzler Mon, 01 Jan 2024 17:58:00 +0100 + exim4 (4.96-15+deb12u3) bookworm; urgency=medium * Multiple bugfixes from upstream GIT master: diff -Nru exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff --- exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/77_CVE-2023-51766_4.97.1-release.diff 2024-01-01 16:32:59.0 +0100 
@@ -0,0 +1,440 @@ +Description: Fix smtp-smuggling (CVE-2023-51766) + Pull upstream changes from 4.97.1 security release. +Author: Jeremy Harris +Bug-Debian: https://bugs.debian.org/1059387 +Origin: upstream +Last-Update: 2023-12-31 + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -91,10 +91,16 @@ JH/39 Bug 3023: Fix crash induced by som + and ${tr...}. Found and diagnosed by Heiko Schlichting. + + JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks. This + was broken by hardening introduced for Bug 3033. + ++JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in ++ LF-only mode (as detected from the first header line). Previously we did ++ accept that in (normal) CRLF mode; this has been raised as a possible ++ attack scenario (under the name "smtp smuggling", CVE-2023-51766). ++ ++ + Exim version 4.96 + - + + JH/01 Move the wait-for-next-tick (needed for unique message IDs) from + after reception to before a subsequent reception. This should +--- /dev/null b/doc/doc-txt/cve-2023-51766 +@@ -0,0 +1,69 @@ ++CVE ID: CVE-2023-51766 ++Date: 2016-12-15 ++Credits:https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ ++Version(s): all up to 4.97 inclusive ++Issue: Given a buggy relay, Exim can be induced to accept a second message embedded ++as part of the body of a first message ++ ++Conditions ++== ++ ++If *all* the following conditions are met ++ ++Runtime options ++--- ++ ++* Exim offers PIPELINING on incoming connections ++ ++* Exim offers CHUNKING on incoming connections ++ ++Operation ++- ++ ++* DATA (as opposed to BDAT) is used for a message reception ++ ++* The relay host sends to the Exim MTA message data including ++ one of "LF . LF" or "CR LF . LF" or "LF . CR LF". ++ ++* Exim interprets the sequence as signalling the end of data for ++ the SMTP DATA command, and hence a first message. ++ ++* Exim interprets further input which the relay had as message body ++ data, as SMTP commands and data. 
This could include a MAIL, RCPT, ++ BDAT (etc) sequence, resulting in a further message acceptance. ++ ++Impact ++== ++ ++One or more messages can be accepted by Exim that have not been ++properly validated by the buggy relay. ++ ++Fix ++=== ++ ++Install a fixed Exim version: ++ ++4.98 (once available) ++4.97.1 ++ ++If you can't install one of the above versions, ask your package ++maintainer for a version containing the backported fix. On request and ++depending on our resources we will support you in backporting the fix. ++(Please note, that Exim project officially doesn't support versions ++prior the current stable version.) ++ ++ ++Workaround ++== ++ ++ Disable CHUNKING advertisement for incoming connections. ++ ++ An attempt to "smuggle" a DATA command will trip a syncronisation ++ check. ++ ++*or* ++ ++ Disable PIPELINING advertisement for incoming connections. ++ ++ The "smuggled" MAIL FROM command will then trip a syncronisation ++ check. +--- a/src/receive.c b/src/receive.c +@@ -826,104 +826,118 @@ we make the CRs optional in all cases. + + July 2003: Bare CRs cause trouble.
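Review bot: the new doc/doc-txt/cve-2023-51766 carried in 77_CVE-2023-51766_4.97.1-release.diff has "Date: 2016-12-15", which cannot be right for a CVE-2023 identifier; the file is imported verbatim from upstream, so either correct the Debian copy or get it fixed upstream so the advisory does not misdate the issue. Two smaller points in the same file: "Credits:https://..." lacks a space after the colon, and "syncronisation" (twice, in the Workaround section) should read "synchronisation".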
Bug#1059387: exim4: CVE-2023-51766
Hi Andreas,

On Mon, Jan 01, 2024 at 04:45:24PM +0100, Andreas Metzler wrote:
> On 2023-12-30 Salvatore Bonaccorso wrote:
> [...]
> > If so, will you work as well on the bullseye-security update?
>
> Hello,
>
> I have prepared updates for either DSA or stable update. (I will be on my
> dayjob again tomorrow, so I will not be that responsive on workdays.)

Happy new year to you. Thanks for the input in the previous message.

Let's be on the safe side, and release it through a DSA. Please upload
to security-master.

Regards,
Salvatore
Bug#1059387: exim4: CVE-2023-51766
On 2023-12-30 Salvatore Bonaccorso wrote: [...] > If so, will you work as well on the bullseye-security update? Hello, I have prepared updates for either DSA or stable update. (I will be on my dayjob again tomorrow, so I will not be that responsive on workdays.) cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' >From ae3c47947917673912c89bf59226f9d205466534 Mon Sep 17 00:00:00 2001 From: Andreas Metzler Date: Sun, 31 Dec 2023 16:44:13 +0100 Subject: [PATCH] CVE-2023-51766 fix Combines these patches from upstream exim-4.97+security branch: 3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39 Reject "dot, LF" as ending data phase. Bug 3063 b409bf3547d465bf7f4cf8c2111eb9ec98cf5f40 Use enum for body data input state-machine fbb270d484711cc2a4c1493979c8622810dfb9a1 Reject "dot, LF" as ending data phase (pt. 2). Bug 3063 ce223f7f741f91ed01a321c4c8ddb5f2bd7a1bcf Testsuite: testcase for "smtp smuggling". Bug 3063 Also remove the unneeded sync point added in cf1376206284 [cf1376206284 is on master branch, the equivalent here is 3f80a86ceb7fe39c8f8039d3a6ce51beb7719e39. Testsuite parts of the patch not included for Debian upload] 5a8fc079931410b30889e69f890857b05ca8d4b2 Docs: Security release. Bug 3063 --- debian/changelog | 9 + .../77_CVE-2023-51766_4.97.1-release.diff | 440 ++ debian/patches/series | 1 + 3 files changed, 450 insertions(+) create mode 100644 debian/patches/77_CVE-2023-51766_4.97.1-release.diff diff --git a/debian/changelog b/debian/changelog index ec2103a2..c6f00b50 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,7 +1,16 @@ +exim4 (4.96-15+deb12u4) UNRELEASED; urgency=medium + + * 77_CVE-2023-51766_4.97.1-release.diff from 4,97.1 release: Refuse to +accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode +(as detected from the first header line) to fix smtp-smuggling +(CVE-2023-51766). Closes: #1059387 + + -- Andreas Metzler Sun, 31 Dec 2023 14:21:50 +0100 + exim4 (4.96-15+deb12u3) bookworm; urgency=medium * Multiple bugfixes from upstream GIT master: + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch (Upstream bug 2998) + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch diff --git a/debian/patches/77_CVE-2023-51766_4.97.1-release.diff b/debian/patches/77_CVE-2023-51766_4.97.1-release.diff new file mode 100644 index ..77d52ce3 --- /dev/null +++ b/debian/patches/77_CVE-2023-51766_4.97.1-release.diff 
@@ -0,0 +1,440 @@ +Description: Fix smtp-smuggling (CVE-2023-51766) + Pull upstream changes from 4.97.1 security release. +Author: Jeremy Harris +Bug-Debian: https://bugs.debian.org/1059387 +Origin: upstream +Last-Update: 2023-12-31 + +--- a/doc/ChangeLog b/doc/ChangeLog +@@ -91,10 +91,16 @@ JH/39 Bug 3023: Fix crash induced by som + and ${tr...}. Found and diagnosed by Heiko Schlichting. + + JH/06 Bug 3054: Fix dnsdb lookup for a TXT record with multiple chunks. This + was broken by hardening introduced for Bug 3033. + ++JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in ++ LF-only mode (as detected from the first header line). Previously we did ++ accept that in (normal) CRLF mode; this has been raised as a possible ++ attack scenario (under the name "smtp smuggling", CVE-2023-51766). ++ ++ + Exim version 4.96 + - + + JH/01 Move the wait-for-next-tick (needed for unique message IDs) from + after reception to before a subsequent reception. This should +--- /dev/null b/doc/doc-txt/cve-2023-51766 +@@ -0,0 +1,69 @@ ++CVE ID: CVE-2023-51766 ++Date: 2016-12-15 ++Credits:https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ ++Version(s): all up to 4.97 inclusive ++Issue: Given a buggy relay, Exim can be induced to accept a second message embedded ++as part of the body of a first message ++ ++Conditions ++== ++ ++If *all* the following conditions are met ++ ++Runtime options ++--- ++ ++* Exim offers PIPELINING on incoming connections ++ ++* Exim offers CHUNKING on incoming connections ++ ++Operation ++- ++ ++* DATA (as opposed to BDAT) is used for a message reception ++ ++* The relay host sends to the Exim MTA message data including ++ one of "LF . LF" or "CR LF . LF" or "LF . CR LF". ++ ++* Exim interprets the sequence as signalling the end of data for ++ the SMTP DATA command, and hence a first message. ++ ++* Exim interprets further input which the relay had as message body ++ data, as SMTP commands and data. 
This could include a MAIL, RCPT, ++ BDAT (etc) sequence, resulting in a further message acceptance. ++ ++Impact
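Review bot: the debian/changelog hunk writes the upstream version as "4,97.1" ("77_CVE-2023-51766_4.97.1-release.diff from 4,97.1 release"); it should read 4.97.1, matching the patch filename and the "Pull upstream changes from 4.97.1 security release" Description line of the patch itself.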
Bug#1059387: exim4: CVE-2023-51766
On 2023-12-30 Salvatore Bonaccorso wrote:
> On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> > are you going to release a DSA (I can start preparing one) or should I
> > aim for another stable update?
>
> We certainly can do. We have not fully evaluated yet, but it can be
> sensible that we do release via a DSA. For postfix there were enough
> mitigation options to do, so that it was good enough to schedule the
> update via a point release (and fasttrack still through a SUA, given
> the update was a bugfix release rebase).
>
> How is the situation for exim4? Are there similar workarounds which
> can be put in place e.g. like the postfix forbid_unauth_pipelining
> option?
[...]

Hello,

https://git.exim.org/exim.git/blob/5a8fc079931410b30889e69f890857b05ca8d4b2:/doc/doc-txt/cve-2023-51766 says:

8X
Workaround
==

Disable CHUNKING advertisement for incoming connections.
[...]
*or*

Disable PIPELINING advertisement for incoming connections.
8X

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#1059387: exim4: CVE-2023-51766
Hi Andreas,

On Sat, Dec 30, 2023 at 03:40:42PM +0100, Andreas Metzler wrote:
> On 2023-12-24 Salvatore Bonaccorso wrote:
> > Source: exim4
> > Version: 4.97-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
> [...]
> > The following vulnerability was published for exim4.
> >
> > CVE-2023-51766[0]:
> > | Exim through 4.97 allows SMTP smuggling in certain configurations.
> > | Remote attackers can use a published exploitation technique to
> > | inject e-mail messages that appear to originate from the Exim
> > | server, allowing bypass of an SPF protection mechanism. This occurs
> > | because Exim supports <LF>.<LF> but some other popular e-mail
> > | servers do not.
>
> Hello Salvatore,
>
> are you going to release a DSA (I can start preparing one) or should I
> aim for another stable update?

We certainly can do. We have not fully evaluated yet, but it can be
sensible that we do release via a DSA. For postfix there were enough
mitigation options to do, so that it was good enough to schedule the
update via a point release (and fasttrack still through a SUA, given
the update was a bugfix release rebase).

How is the situation for exim4? Are there similar workarounds which
can be put in place e.g. like the postfix forbid_unauth_pipelining
option? If there is no such way for exim4 then this lowers the bar for
releasing exim4 through a DSA.

If so, will you work as well on the bullseye-security update?

Thanks as usual for your diligent work!

Regards,
Salvatore
Bug#1059387: exim4: CVE-2023-51766
On 2023-12-24 Salvatore Bonaccorso wrote:
> Source: exim4
> Version: 4.97-2
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
[...]
> The following vulnerability was published for exim4.
>
> CVE-2023-51766[0]:
> | Exim through 4.97 allows SMTP smuggling in certain configurations.
> | Remote attackers can use a published exploitation technique to
> | inject e-mail messages that appear to originate from the Exim
> | server, allowing bypass of an SPF protection mechanism. This occurs
> | because Exim supports <LF>.<LF> but some other popular e-mail
> | servers do not.

Hello Salvatore,

are you going to release a DSA (I can start preparing one) or should I
aim for another stable update?

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#1059387: exim4: CVE-2023-51766
Source: exim4
Version: 4.97-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.exim.org/show_bug.cgi?id=3063
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for exim4.

CVE-2023-51766[0]:
| Exim through 4.97 allows SMTP smuggling in certain configurations.
| Remote attackers can use a published exploitation technique to
| inject e-mail messages that appear to originate from the Exim
| server, allowing bypass of an SPF protection mechanism. This occurs
| because Exim supports <LF>.<LF> but some other popular e-mail
| servers do not.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51766
    https://www.cve.org/CVERecord?id=CVE-2023-51766
[1] https://bugs.exim.org/show_bug.cgi?id=3063

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
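As an added example (not Exim's code and not part of this report), the terminator ambiguity behind the CVE text above in a few lines of Python: a receiver that also honours <LF>.<LF> ends the first message early and then reads the remainder of what the relay considered body as fresh SMTP commands, whereas a receiver that only honours <CRLF>.<CRLF> keeps all of it inside the body. The lenient pattern covers all four variants the upstream advisory lists (CRLF.CRLF, LF.LF, CRLF.LF, LF.CRLF). The payload is constructed; `lf_only_mode()` is our reading of upstream's "LF-only mode (as detected from the first header line)" rule and is an assumption, as is what a hardened receiver does with the stray terminator afterwards (here the bytes simply stay body data).

```python
"""Added example (not Exim code): how a lenient end-of-DATA scanner lets a
second SMTP transaction ride inside the body of a first message, and how a
CRLF-only rule keeps it inside the body. Sample bytes are constructed."""
import re

# Terminator honoured by a strict receiver: the line ".", framed by CRLF.
CRLF_DOT = re.compile(rb"\r\n\.\r\n")
# Terminator honoured by a lenient receiver: "." framed by LF with optional
# CR, i.e. any of CRLF.CRLF, LF.LF, CRLF.LF or LF.CRLF.
LENIENT_DOT = re.compile(rb"\r?\n\.\r?\n")

# Constructed payload: one DATA body as a buggy relay would forward it
# unchanged. A strict receiver sees one message ending at the final
# ".\r\n"; a lenient one ends the first message at "\n.\n" and then reads
# "MAIL FROM" and what follows as new SMTP commands.
SMUGGLED = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"This is the outer message.\r\n"
    b"\n.\n"                                # <LF>.<LF>: bare-LF terminator
    b"MAIL FROM:<ceo@example.net>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.net\r\n"
    b"Subject: urgent wire\r\n"
    b"\r\n"
    b"Please pay the invoice.\r\n"
    b".\r\n"                                # the relay's real terminator
)


def lf_only_mode(stream: bytes) -> bool:
    """Assumed reading of "LF-only mode (as detected from the first header
    line)": the client is LF-only when its first line ends in a bare LF."""
    first_eol = stream.find(b"\n")
    return first_eol > 0 and stream[first_eol - 1:first_eol] != b"\r"


def split_data(stream: bytes, strict: bool) -> tuple[bytes, bytes]:
    """Split the bytes sent after DATA into (message body, leftover bytes).

    The leftover is what the receiver will parse as its *next* SMTP
    commands. strict=False behaves like a receiver that accepts every
    terminator variant; strict=True honours a bare-LF terminator only for
    an LF-only client and otherwise requires CRLF.CRLF.
    """
    pattern = LENIENT_DOT if (not strict or lf_only_mode(stream)) else CRLF_DOT
    # Prefix a line break so a body consisting of just ".\r\n" terminates too.
    framed = b"\r\n" + stream
    m = pattern.search(framed)
    if m is None:
        raise ValueError("no end-of-DATA terminator seen")
    return framed[2:m.start()], framed[m.end():]


def commands_after_data(stream: bytes, strict: bool) -> list[bytes]:
    """Verbs the receiver would execute from the leftover, up to the next DATA."""
    _, leftover = split_data(stream, strict)
    verbs = []
    for line in leftover.split(b"\r\n"):
        verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
        if not verb:
            continue
        verbs.append(verb)
        if verb == b"DATA":
            break
    return verbs


if __name__ == "__main__":
    for strict in (False, True):
        body, _ = split_data(SMUGGLED, strict)
        print("strict" if strict else "lenient", "-> body ends with",
              body[-28:], "; commands read next:", commands_after_data(SMUGGLED, strict))
```

The lenient run returns `[b"MAIL", b"RCPT", b"DATA"]`: a complete second envelope that the relay never validated, which is the "further message acceptance" the upstream advisory describes. With PIPELINING withheld, the smuggled MAIL arrives before the receiver has answered the first message and trips the synchronisation check; with CHUNKING withheld, a smuggled BDAT is refused.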