EXIM CVE-2017-16943, CVE-2017-16944

Dominic -

PROBLEM
Is atmail affected by Exim CVE-2017-16943 and CVE-2017-16944?

ENVIRONMENT

  • atmail 7.x On-Premises Server Installations

CAUSE
CVE-2017-16943, CVE-2017-16944

RESOLUTION

Exim has recently announced the above CVEs regarding denial of service exploits. Only Exim versions 4.88 or newer are impacted. You can find your Exim version with the following command:

# /usr/local/atmail/mailserver/bin/exim --version
Exim version 4.87 #2 built 25-Oct-2017 14:49:57
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2016
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb ldap ldapdn ldapm mysql
Authenticators: dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/local/atmail/mailserver/configure

Please Note:
The default version of Exim shipped with the latest release of atmail 7 is 4.87 and is not affected by this issue.

If you are currently using Exim 4.88 or newer, please add the line chunking_advertise_hosts = (with an empty value, nothing to the right of the equals sign) to the main section of your Exim configuration:

# sed -i '8i chunking_advertise_hosts =' /usr/local/atmail/mailserver/configure

Then restart atmail:

# /etc/init.d/atmailserver restart
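As an added example (not atmail's or Exim's own code), the following POSIX shell script folds the steps above into one idempotent check: it parses the version banner, applies the workaround only on 4.88 or newer and only once, and assumes the atmail paths shown in this article. The sample banner used in its comments is constructed.

```shell
#!/bin/sh
# Added example for the atmail/Exim CHUNKING workaround. The two paths below are
# taken from the article; the binary may live elsewhere on a non-atmail host.
EXIM_BIN=/usr/local/atmail/mailserver/bin/exim
EXIM_CONF=/usr/local/atmail/mailserver/configure

# Extract "4.87" from a banner such as "Exim version 4.87 #2 built 25-Oct-2017 14:49:57".
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the version is 4.88 or newer, i.e. ESMTP CHUNKING/BDAT is present.
exim_is_affected() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 88 ]; }
}

# Succeed when the configuration already contains "chunking_advertise_hosts =" with an empty value.
config_has_workaround() {
    grep -Eq '^[[:space:]]*chunking_advertise_hosts[[:space:]]*=[[:space:]]*$' "$1"
}

# Add the option once. Line 1 is always inside the main section (it precedes any
# "begin" keyword), whereas the fixed line 8 used in the article assumes a
# particular file layout.
apply_workaround() {
    config_has_workaround "$1" && return 0
    sed -i '1i chunking_advertise_hosts =' "$1"
}

main() {
    banner=$("$EXIM_BIN" --version 2>/dev/null | head -n 1)
    ver=$(exim_version_from_banner "$banner")
    [ -n "$ver" ] || { echo "could not determine Exim version" >&2; return 1; }
    if exim_is_affected "$ver"; then
        apply_workaround "$EXIM_CONF" && echo "Exim $ver: workaround present in $EXIM_CONF; restart atmail"
    else
        echo "Exim $ver is older than 4.88; no change needed"
    fi
}

# Only run against the live system when the atmail Exim binary is actually present.
if [ -x "$EXIM_BIN" ]; then
    main
fi
```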

For further information, please see the announcement below as issued by the Exim developers.

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this
worked out.

-Phil

## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##
