back to article Exim marks the spot… of remote code execution: Patch due out today for 'give me root' flaw in mail server

The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine. The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer …

  1. john.jones.name
    Go

    enable DANE

    best options

    SUPPORT_DANE=yes

    dnssec_request_domains = *

    hosts_try_dane = *

    1. Greem

      Re: enable DANE

      This is not a solution to the issue at hand; whilst it has use in other contexts, it will not in any way prevent your system from the bug that's been patched today (unless you've found something that hasn't been discussed).

      Mitigation if you cannot patch: do not offer TLS to connecting hosts at that prevents the vulnerable code path being hit*. Additionally, Heiko has provided additional mitigation on the exim-users mailing list which prevents acceptance (and writing to spool) of messages with 'dangerous' SNI values.

      *this is not recommended, but is a quick and dirty hack while you patch/wait for updates.

  2. Gordon Shumway
    Devil

    And this

    is why, by now, all of us use AppArmor (or SELinux, or whatever). Because we all do, right?

  3. John 104

    Windows Haters

    And where, exactly, are all the Windows haters?

    Just goes to show you, vulnerabilities exist on any platform.

    1. ghp

      Re: Windows Haters

      But some are more equal than others.

      Btw, viva sendmail!

    2. Throatwarbler Mangrove Silver badge
      Windows

      Re: Windows Haters

      But it's different when it's Windows because Microsoft.

      1. Anonymous Coward
        Anonymous Coward

        Because Microsoft

        because Microsoft inherited the crown of smugness from IBM, GoT-style with a royal shaft up the dorsal os, then taxed the peasants for years, producing just a bit of sullenness and few uprisings, and not a few folk sayings about geeks bearing business plans.

    3. eldakka Silver badge

      Re: Windows Haters

      This isn't an operating system problem. It's not an issue with Linux. It's an issue with a 3rd party application that is running on linux.

      Hating on Linux for this would be like hating on Windows for a Macafee vulnerability, or for the recent steam escalation of privilege vulnerability, or Lenovo's 'user experience' software that puts a TLS MITM proxy on their PCs.

      1. Anonymous Coward
        Anonymous Coward

        Re: Windows Haters

        Just, not a few distro look to install an Exim instance by default.

        And anyway, if had it been a bug in Exchange, we would have seen the MS bashing crowd at full steam.

        1. Roland6 Silver badge

          Re: Windows Haters

          >Just, not a few distro look to install an Exim instance by default.

          Yes, it took a little digging to find out that Exim is the default MTA in Debian and potentially other distributions, hence I suspect for many users/admins they don't actually realise they are running Exim and hence are vulnerable...

    4. Anonymous Coward
      Devil

      Re: Windows Haters

      @John 104: "And where, exactly, are all the Windows haters?"

      speak of the devil :]

      https://forums.theregister.co.uk/forum/all/2019/09/06/exim_vulnerability_patch/

      1. robidy

        Re: Windows Haters

        Wrong link ha ha, try -

        https://www.youtube.com/watch?v=dQw4w9WgXcQ

  4. Trixr Bronze badge

    best option

    yum remove exim

    yum install postfix

    I really don't know why anyone continues to use it. Then again, Sendmail is still everywhere, and it's even worse.

    Postfix is secure by design and relatively easy to configure. Yes, there's jiggery-pokerty with SPF etc, but that happens with any MTA and if you don't understand the basic options, you shouldn't be running an MTA. And it's easy to configure for SElinux!

    OpenSMTPD looks like it's worth a look as well, with perhaps a little less of a learning curve compared to Postfix (which it was obviously inspired by) for the more advanced options. But maybe a little less flexilbity overall. Haven't used it myself.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019