
EXIM CVE-2017-16943, CVE-2017-16944

Dominic -

PROBLEM
Is atmail affected by Exim CVE-2017-16943, CVE-2017-16944?

ENVIRONMENT

  • atmail mail server

CAUSE
CVE-2017-16943, CVE-2017-16944

RESOLUTION

Exim has recently announced the above CVEs, which concern denial of service exploits. Only Exim versions 4.88 or newer are impacted. You can find your Exim version using the following:

# exim --version
Exim version 4.89 #1 built 18-Aug-2017 15:21:27
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /etc/exim/exim.conf

If you are currently running Exim 4.88 or newer, please add chunking_advertise_hosts = (with an empty value, nothing after the equals sign) to your Exim configuration.

This change will need to be deployed using ansible. If you are unfamiliar with how atmail uses ansible, please see our Introduction to ansible with atmail documentation.

  1. Open /var/lib/atmail/mailserver/roles/exim/templates/ss1ip/exim.conf.j2
  2. Add the following chunking_advertise_hosts section. I have included the surrounding sections for reference. Once added, save and exit.
    local_interfaces = {{ exim_local_interfaces }}

    {% if exim_version.stdout | version_compare("4.88",">=") %}
    chunking_advertise_hosts = {{ exim_chunking_advertise_hosts }}
    {%- endif %}

    {% if exim_version.stdout | version_compare("4.87",">=") %}
    add_environment = {{ exim_add_environment }}
    keep_environment = {{ exim_keep_environment }}
    {%- endif %}
  3. Add the following entry to the inventory table of your mailserver database.
    MariaDB [mailserver]> insert into inventory (inventoryItem, configSection, configVariable) values("_default", "exim", "chunking_advertise_hosts");
    Query OK, 1 row affected, 1 warning (0.01 sec)
    Confirm the entry:
    MariaDB [mailserver]> select * from inventory where configSection = 'exim' and ConfigVariable like '%chunk%';
    +-------------+---------------+---------------+--------------------------+-------------+
    | inventoryId | inventoryItem | configSection | configVariable           | configValue |
    +-------------+---------------+---------------+--------------------------+-------------+
    |         362 | _default      | exim          | chunking_advertise_hosts |             |
    +-------------+---------------+---------------+--------------------------+-------------+
    1 row in set (0.00 sec)
  4. From your webadmin (https://yourdomain.com/admin), deploy your configurations using the deploy button under the corresponding tab (the original article shows both as screenshots).
  5. Once the previous stage is complete, check your Exim configuration to confirm your changes.
    # grep "chunking" /etc/exim/exim.conf
    chunking_advertise_hosts =
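The five steps above end with a single grep. The script below is an added example (not atmail's or Exim's own tooling) that turns the same checks into reusable POSIX sh functions: it extracts the version from exim --version output, decides whether that version is in the 4.88+ range the advisory covers, confirms that chunking_advertise_hosts is present with an empty value, and inspects a captured EHLO response to see whether the server still advertises CHUNKING after the deploy. The configuration snippets and EHLO responses embedded in it are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added verification helpers for the Exim CHUNKING workaround. Example code,
# not from atmail or the Exim project. Every check reads its input from stdin
# so it can be fed either live output or the constructed samples below.

# Print the bare version number (e.g. "4.89") from `exim --version` output.
exim_version_from_output() {
    sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when VERSION is 4.88 or newer, i.e. a release that advertises
# CHUNKING and therefore needs the workaround; exit 1 otherwise.
exim_version_affected() {
    case $1 in *.*) ;; *) return 1 ;; esac   # need "major.minor"
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}                         # drop any patch level
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 88 ]; then return 0; fi
    return 1
}

# Exit 0 when the configuration on stdin has a chunking_advertise_hosts line
# whose value is empty (the workaround as written on this page). A missing
# line, or any non-empty value, means CHUNKING is still advertised.
chunking_disabled_in_config() {
    grep -Eq '^[[:space:]]*chunking_advertise_hosts[[:space:]]*=[[:space:]]*$'
}

# Exit 0 when a captured EHLO response on stdin still lists CHUNKING, meaning
# the BDAT verb is reachable and the workaround is not in effect.
ehlo_advertises_chunking() {
    grep -Eiq '^250[- ]CHUNKING[[:space:]]*$'
}

# Combine the checks for one host: VERSION as argument, exim.conf on stdin.
# Prints a verdict; exit 0 when no action is needed, 1 when it is.
audit_config() {
    version=$1
    if ! exim_version_affected "$version"; then
        echo "Exim $version: older than 4.88, not impacted"
        return 0
    fi
    if chunking_disabled_in_config; then
        echo "Exim $version: chunking_advertise_hosts is empty, workaround in place"
        return 0
    fi
    echo "Exim $version: CHUNKING still advertised, set chunking_advertise_hosts ="
    return 1
}

# --- Constructed samples (not real captures) --------------------------------
SAMPLE_VERSION_OUTPUT='Exim version 4.89 #1 built 18-Aug-2017 15:21:27
Copyright (c) University of Cambridge, 1995 - 2017'

VULNERABLE_CONF='primary_hostname = mail.example.com
local_interfaces = 0.0.0.0
# no chunking_advertise_hosts line: Exim falls back to its default'

FIXED_CONF='primary_hostname = mail.example.com
local_interfaces = 0.0.0.0
chunking_advertise_hosts =
add_environment = PATH=/usr/bin'

EHLO_BEFORE='250-mail.example.com Hello client [192.0.2.10]
250-SIZE 52428800
250-CHUNKING
250 HELP'

EHLO_AFTER='250-mail.example.com Hello client [192.0.2.10]
250-SIZE 52428800
250 HELP'

# --- Walk-through against the samples ----------------------------------------
ver=$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | exim_version_from_output)
printf '%s\n' "$VULNERABLE_CONF" | audit_config "$ver" || true
printf '%s\n' "$FIXED_CONF" | audit_config "$ver"
if printf '%s\n' "$EHLO_BEFORE" | ehlo_advertises_chunking; then
    echo "before deploy: EHLO still offers CHUNKING"
fi
if ! printf '%s\n' "$EHLO_AFTER" | ehlo_advertises_chunking; then
    echo "after deploy: EHLO no longer offers CHUNKING"
fi
```

To run the checks against a live host instead of the samples, pipe exim --version into exim_version_from_output and redirect /etc/exim/exim.conf into audit_config. For the EHLO check, capture the server's own greeting, for example with printf 'EHLO check\r\nQUIT\r\n' | nc 127.0.0.1 25 (this assumes nc is installed), and feed that output to ehlo_advertises_chunking; an absent CHUNKING line after the deploy is the end-to-end confirmation that the grep in step 5 only hints at. Note that the config check is deliberately strict: a line such as chunking_advertise_hosts = * is not treated as disabled, because any non-empty host list keeps the extension advertised to those hosts.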

For further information, please see the announcement below from the Exim developers.

A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.

With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:

chunking_advertise_hosts =

That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.

This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.

We've requested CVEs. More news will be forthcoming as we get this
worked out.

-Phil

## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##
