Package: exim4 Version: 4.92-8+deb10u4 Severity: important Tags: fixed-upstream, security Control: fixed -1 4.94-15
Dear Maintainer, When Exim is configured to verify certificates against hostnames and hostname resolution yields a CNAME, then Exim will verify the certificate against the canonical name rather than the original hostname. An attacker with control over the network (e.g. a rogue public wifi) can forge CNAME records to point to a hostname under their control. They can then obtain a legitimate certificate for the host under their control, which Exim will accept as valid for the host it intended to connect to. The attacker can thus - obtain cleartext of credentials the victim needs to connect to e.g. a smarthost - read and manipulate mail text Note that by default, Exim does opportunistic SSL for most connection, allowing fallback to unencrypted connections. For such connection there is no expectation of any protection anyway, so this flaw is of little importance. However, when exim is configured to deliver mail to a smarthost, such as when setting dc_eximconfig_configtype='smarthost' or 'satellite', it make sense to also configure it to require encryption and successful certificate verification for the connection to the smarthost. Such configurations are also likely to use credentials to authenticate against the smarthost, which the attack described above can reveal. This affects exim4 4.92-8+deb10u4 from Debian 10 (buster). Upstream patched this some time ago already, and the patch already has made it into Debian 11 (bullseye), e.g. exim4 4.94-15. The upstream patch is this one, I believe: ---------------------------------------------------------------------- 0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6 Author: Jeremy Harris <jgh146...@wizmail.org> AuthorDate: Thu Jun 11 20:21:38 2020 +0100 Commit: Jeremy Harris <jgh146...@wizmail.org> CommitDate: Thu Jun 11 20:30:18 2020 +0100 TLS: use RFC 6125 rules for certifucate name checks when CNAMES are present. Bug 2594 ---------------------------------------------------------------------- This was initially reported 2020-09-04 to secur...@debian.org. Regards, Jorrit Fahlke. -- Package-specific info: Exim version 4.92 #5 built 13-May-2020 16:01:31 Copyright (c) University of Cambridge, 1995 - 2018 (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018 Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013) Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd Authenticators: cram_md5 plaintext Routers: accept dnslookup ipliteral manualroute queryprogram redirect Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp Fixed never_users: 0 Configure owner: 0:0 Size of off_t: 8 Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated Configuration file is /var/lib/exim4/config.autogenerated # /etc/exim4/update-exim4.conf.conf # # Edit this file and /etc/mailname by hand and execute update-exim4.conf # yourself or use 'dpkg-reconfigure exim4-config' # # Please note that this is _not_ a dpkg-conffile and that automatic changes # to this file might happen. The code handling this will honor your local # changes, so this is usually fine, but will break local schemes that mess # around with multiple versions of the file. # # update-exim4.conf uses this file to determine variable values to generate # exim configuration macros for the configuration file. # # Most settings found in here do have corresponding questions in the # Debconf configuration, but not all of them. # # This is a Debian specific file dc_eximconfig_configtype='smarthost' dc_other_hostnames='censored' dc_local_interfaces='127.0.0.1 ; ::1 ; 192.168.28.1' dc_readhost='censored' dc_relay_domains='' dc_minimaldns='false' dc_relay_nets='192.168.28.2' dc_smarthost='127.0.0.1::26' CFILEMODE='644' dc_use_split_config='true' dc_hide_mailname='false' dc_mailname_in_oh='true' dc_localdelivery='mail_spool' mailname:censored # /etc/default/exim4 EX4DEF_VERSION='' # 'combined' - one daemon running queue and listening on SMTP port # 'no' - no daemon running the queue # 'separate' - two separate daemons # 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4. # 'nodaemon' - no daemon is started at all. # 'queueonly' - only a queue running daemon is started, no SMTP listener. # setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4 QUEUERUNNER='combined' # how often should we run the queue QUEUEINTERVAL='30m' # options common to quez-runner and listening daemon COMMONOPTIONS='' # more options for the daemon/process running the queue (applies to the one # started in /etc/ppp/ip-up.d/exim4, too. QUEUERUNNEROPTIONS='' # special flags given to exim directly after the -q. See exim(8) QFLAGS='' # Options for the SMTP listener daemon. By default, it is listening on # port 25 only. To listen on more ports, it is recommended to use # -oX 25:587:10025 -oP /var/run/exim4/exim.pid SMTPLISTENEROPTIONS='' -- System Information: Debian Release: 10.8 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-debug'), (1, 'testing-debug'), (1, 'experimental-debug'), (1, 'experimental'), (1, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-0.bpo.3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages exim4 depends on: ii debconf [debconf-2.0] 1.5.71 ii exim4-base 4.92-8+deb10u4 ii exim4-daemon-light 4.92-8+deb10u4 exim4 recommends no packages. exim4 suggests no packages. -- debconf information: exim4/drec: --
signature.asc
Description: PGP signature