
The remote root hole in exim4 is painful

12 December 2010 21:50

Recently I noticed a report of an alleged remote root security compromise of a machine, via the exim mailserver.

At the time I wasn't sure how seriously to take it, but I followed updates on the thread and it soon became clear that there was a major problem on our hands.

It later became obvious that there were two problems:

CVE-2010-4344

A remote buffer overflow, allowing the execution of arbitrary code as the user Debian-exim.

CVE-2010-4345

A privilege escalation allowing the attacker to jump from running code as Debian-exim to running code as root.

Trivial exploits are floating around the internet - and we were seeing this bug being exploited in the wild as early as yesterday afternoon.

Although I can feel somewhat smug that my own personal server is running qpsmtpd ahead of exim, it's still a wake-up call, and this hole has the potential to significantly expand available botnets - it is probably only a matter of hours rather than days until we see worms taking advantage of the flaw.

ObPlug: I've put together an updated version of exim4 for etch - if you're still running etch then you don't have any official security support (timely upgrading is obviously preferred), and it might be useful to have more folk pointed at it.

ObQuote: "We're all going to die down here" - Resident Evil.


Comments on this entry

Iain at 11:56 on 12 December 2010

> ObPlug: I've put together an updated version of exim4 for etch

You are a gentleman, sir, and a scholar.

Tim Dobson at 12:33 on 12 December 2010
http://tdobson.net/

Oh, this does look like fun! :P

niq at 13:08 on 12 December 2010
http://bahumbug.wordpress.com/

Last time I looked at mailservers with an open mind I dismissed exim because it involved running a 'net-facing daemon as a privileged user. Qmail and later postfix had demonstrated that we can do better!

Do I take it nothing significant has changed?

Steve Kemp at 13:23 on 12 December 2010
http://www.steve.org.uk/

Iain - I'm just glad if it helps.

Tim - Get to work!

Niq - Exim4 is still monolithic, and the same as it was years ago. But here is not really the place to debate about which MTA is best.

@ndy at 16:42 on 12 December 2010
http://www.ashurst.eu.org/

Hi,

Thanks ever so much for this.

@

Fredrik at 19:42 on 12 December 2010
http://bredband2.se

Thanks for updated exim etch package.

Matthew W.S. Bell at 00:29 on 13 December 2010

Affects <4.70.