oss-sec mailing list archives
Re: Exim4 MTA CVEs assigned from ZDI
From: Solar Designer <solar () openwall com>
Date: Fri, 29 Sep 2023 18:59:14 +0200
Hi,

Thank you for posting this, Heiko! Also thank you Markus for bringing this up in the other thread:

https://www.openwall.com/lists/oss-security/2023/09/29/3

I've attached plain text exports of the ZDI advisories to this message for archival.

Out of the Exim Bugzilla entries in Markus' message, only https://bugs.exim.org/show_bug.cgi?id=3001 is currently open to the public, and it says:

Bug 3001 - infoleak in SPA authenticator, client

Comment 1 Jeremy Harris 2023-05-11 20:02:32 UTC

ZDI-CAN-17433 (Trend Micro)

A crafted SPA challenge from the server can cause the client authenticator to read OOB; the data is then returned to the server.

Fix: validate the offset contained in the challenge, to avoid reading past the end of the challenge data structure.

Vulnerable since at least 4.50, probably longer.

Comment 2 Heiko Schlittermann 2023-09-29 16:01:58 UTC

should be fixed in 04107e98d58efb69f7e2d7b81176e5374c7098a3
On Fri, Sep 29, 2023 at 06:06:11PM +0200, Heiko Schlittermann wrote:
> the ZDI assigned multiple CVEs to the Exim-MTA and published them recently:
>
> CVE            Link                                                      Exim-Bug
> --------------+---------------------------------------------------------+-----
> CVE-2023-42114 https://www.zerodayinitiative.com/advisories/ZDI-23-1468/ 3001 fixed
> CVE-2023-42115 https://www.zerodayinitiative.com/advisories/ZDI-23-1469/ 2999 fixed
> CVE-2023-42116 https://www.zerodayinitiative.com/advisories/ZDI-23-1470/ 3000 fixed
> CVE-2023-42117 https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
> CVE-2023-42118 https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
> CVE-2023-42119 https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
>
> The ZDI contacted us in June 2022. We asked about details but didn't get answers we were able to work with. Next contact with ZDI was in May 2023. Right after this contact we created project bug tracker for 3 of the 6 issues. 2 high-scored of them are fixed (OOB access). A minor-scored one (info leak) is fixed too. Fixes are available in a protected repository and are ready to be applied by the distribution maintainers.

Are distros allowed to make their updates public as soon as they can (presumably after requesting access to the protected repository)? I suggest that you set a specific date/time e.g. in 2 days from now when both the Exim project will make the repo and the fixed bug entries (2999 and 3000) public _and_ distros will release updates.

> The remaining issues are debatable or miss information we need to fix them. We're more than happy to provide fixes for all issues as soon as we receive detailed information.

Are you actively requesting such information from ZDI now? This looks like sloppy handling of these issues so far by both ZDI and Exim - neither team pinging the other for 10 months, then Exim taking 4 months to fix even the 2 high-scored issues it did have sufficient info on. What are you doing to improve the handling from this point on?

Thanks again,

Alexander
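As an added illustration of the bug 3001 fix quoted above (validate a server-supplied offset before reading through it), not Exim's auth-spa.c code and not part of this thread: a simplified C parser with the unchecked version beside the checked one, run over constructed sample bytes. The function names, the 16-bit field layout and the sample challenge are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug-3001 pattern, not Exim's auth-spa.c code:
 * the server's challenge carries an (offset, length) pair naming a sub-field inside
 * the same message. Field widths are simplified to 16 bits each. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Before the fix: offset and length are trusted as received, so a crafted challenge
 * makes the client copy bytes from beyond the challenge, which it then sends back. */
size_t extract_field_vulnerable(const uint8_t *chal, uint8_t *out, size_t out_len)
{
    uint16_t len = le16(chal), off = le16(chal + 2);
    if (len > out_len) len = (uint16_t)out_len;
    memcpy(out, chal + off, len);           /* off/len never checked against chal size */
    return len;
}

/* After the fix: both values are validated against the number of challenge bytes
 * actually received; a field that would run past the end is rejected with -1. */
long extract_field_checked(const uint8_t *chal, size_t chal_len, uint8_t *out, size_t out_len)
{
    if (chal_len < 4) return -1;            /* the header itself must fit */
    uint16_t len = le16(chal), off = le16(chal + 2);
    if ((size_t)off + (size_t)len > chal_len || len > out_len) return -1;
    memcpy(out, chal + off, len);
    return (long)len;
}

/* Constructed sample: an 8-byte challenge whose field starts at offset 8, i.e. exactly
 * past its own end, followed in memory by 8 unrelated bytes standing in for whatever
 * happens to sit after the challenge structure. */
static const uint8_t sample[16] = { 0x04, 0x00, 0x08, 0x00, 'C', 'H', 'A', 'L',
                                    'S', 'E', 'C', 'R', 'E', 'T', '!', '!' };
enum { SAMPLE_CHAL_LEN = 8 };

int demo_vulnerable_leaks(void)     /* returns 1: bytes beyond the challenge were copied */
{
    uint8_t out[8] = {0};
    return extract_field_vulnerable(sample, out, sizeof out) == 4 && memcmp(out, "SECR", 4) == 0;
}

int demo_checked_rejects(void)      /* returns 1: the same challenge is refused */
{
    uint8_t out[8] = {0};
    return extract_field_checked(sample, SAMPLE_CHAL_LEN, out, sizeof out) == -1;
}
```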
Attachments:

ZDI-23-1468-ZDI-CAN-17433-CVE-2023-42114.txt
ZDI-23-1469-ZDI-CAN-17434-CVE-2023-42115.txt
ZDI-23-1470-ZDI-CAN-17515-CVE-2023-42116.txt
ZDI-23-1471-ZDI-CAN-17554-CVE-2023-42117.txt
ZDI-23-1472-ZDI-CAN-17578-CVE-2023-42118.txt
ZDI-23-1473-ZDI-CAN-17643-CVE-2023-42119.txt