Re: Interim mitigation for CVE-2020-7247

2020-01-29 Thread gilles
January 29, 2020 12:19 PM, "Andreas Broecking"  wrote:

> Hi all,
> 
> first of all, thanks Gilles for the heads-up and a fix on short notice.
> 
> For people like me who rely on the portable version and for systems which 
> rely on built packages as they lack the local development tools, a filter 
> should help to mitigate the problem until a package could be built on another 
> system.
> 
> Shouldn’t something like 
> 
> filter exploit_check phase mail-from match mail-from regex { '<*\;*' } \
> disconnect "550 no exploiting, kthx"
> 
> listen on $interface filter exploit_check
> 
> sufficiently mitigate the problem?
> I am not fluent in regex’ing so maybe I am missing an edge case. It does 
> prevent the example
> exploit and any others I’ve seen in the last hours.
> 

filter exploit_check phase mail-from match mail-from regex ".*;.*" \
disconnect "550 no exploiting, kthx"

listen on $interface filter exploit_check

This should work yes but I don't have an unpatched system to test it.
You also need it on "listen on socket"

The best mitigation would be to use maildir instead of mbox as it's not 
impacted.



Re: Interim mitigation for CVE-2020-7247

2020-01-29 Thread Andreas Broecking
Or rather 

filter exploit_check phase mail-from match mail-from regex { '.*\;.*\;.*' } \
disconnect "550 no exploiting, kthx"

to be more specific on the semicolons as delimiter of the command?

(sorry, as I said. regex is my nemesis :))

Best regards
Andreas



> On 29. Jan 2020, at 12:19, Andreas Broecking  wrote:
> 
> Hi all,
> 
> first of all, thanks Gilles for the heads-up and a fix on short notice.
> 
> For people like me who rely on the portable version and for systems which 
> rely on built packages as they lack the local development tools, a filter 
> should help to mitigate the problem until a package could be built on another 
> system.
> 
> Shouldn’t something like 
> 
> filter exploit_check phase mail-from match mail-from regex {  '<*\;*' } \
> disconnect "550 no exploiting, kthx"
> 
> listen on $interface filter exploit_check
> 
> sufficiently mitigate the problem?
> I am not fluent in regex’ing so maybe I am missing an edge case. It does 
> prevent the example exploit and any others I’ve seen in the last hours.
> 
> Best regards
> Andreas




Interim mitigation for CVE-2020-7247

2020-01-29 Thread Andreas Broecking
Hi all,

first of all, thanks Gilles for the heads-up and a fix on short notice.

For people like me who rely on the portable version and for systems which 
rely on built packages as they lack the local development tools, a filter 
should help to mitigate the problem until a package could be built on another 
system.

Shouldn’t something like 

filter exploit_check phase mail-from match mail-from regex {  '<*\;*' } \
disconnect "550 no exploiting, kthx"

listen on $interface filter exploit_check

sufficiently mitigate the problem?
I am not fluent in regex’ing so maybe I am missing an edge case. It does 
prevent the example exploit and any others I’ve seen in the last hours.

Best regards
Andreas