A security vulnerability in Exim

News and announcements regarding Debian and the forum. Not for support questions.

A security vulnerability in Exim

Postby Telemachus » 2010-12-12 21:09

"We have not been faced with the need to satisfy someone else's requirements, and for this freedom we are grateful."
Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System

Re: A security vulnerability in Exim

Postby neddie » 2010-12-13 09:24

I have exim4 installed, but have never heard of it before. How do I know whether it's actually running, or if it can be removed? Is it required for the internal mail server (which as far as I know I never use) or is it only really running if it's set up to receive mail from outside?

Re: A security vulnerability in Exim

Postby BenB » 2010-12-13 09:42

Exim could possibly be used as an SMTP relay on your system. If certain ports are open and exim's configuration isn't done properly, this is a valid risk with it on your system. What it could enable is spammers using your system to send mail from, and to spoof.

I believe, however, that the default exim light which is pre-installed is set up and configured properly to avoid this. There was just an update via Update Manager which possibly included a security fix for exim. Given this I'd hazard you've little to be concerned about. Granted, I'm not a guru yet, so please allow someone more knowledgeable to correct me and/or offer better advice.
In the confrontation between the stream and the rock, the stream always
wins - not through strength, but through persistence. - Anonymous

Re: A security vulnerability in Exim

Postby Telemachus » 2010-12-13 12:33

It's installed by default on many Debian machines (Exim4 is the default MTA, and some MTA is required for cron and such programs). However, it is almost certainly not running as a true external mailserver if you've never touched it. (That is, it's not listening on any open ports.)

That said, a security update just came through, and you should install it. To check if you have, you can follow this advice (from one of the links above):

Bytemark wrote: In order to check and fix a vulnerable server, you will need root shell access and about 10 minutes.

To check what version your server is running, run:

/usr/sbin/exim -bV

You're safe if any of the following is true:

  • The version is 4.70 or later;
  • The build date is Friday 10th December 2010 or later;
  • It says "No such file or directory" (i.e. you don't run exim).
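The two checks in this post, "is it listening on any open ports?" and "is the build covered by the 4.70-or-later / built-on-or-after-10-Dec-2010 rule?", as an added shell script that is not part of the thread or of Bytemark's page. The function names, variable names and the sample `ss -ltn` output are ours and constructed; the `exim -bV` first-line format ("Exim version 4.69 #1 built DD-Mon-YYYY HH:MM:SS") is what Exim actually prints. Debian backports security fixes without changing the upstream version number, which is why a patched package can still report 4.69 and the build date is the deciding criterion.

```shell
#!/bin/sh
# Added example (not from the thread or from Bytemark): apply the two checks
# discussed above. Function/variable names and sample outputs are ours.

# Exim prints its build date as DD-Mon-YYYY; turn the month name into digits.
month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 00 ;;
    esac
}

# exim_bv_is_fixed "<first line of 'exim -bV' output>"
# Exit 0 when the rule says the build is safe (version >= 4.70, or built on or
# after 10 Dec 2010), exit 1 otherwise (including "No such file" or empty input,
# which the caller should treat as "exim is not installed" rather than "fixed").
# Example line: Exim version 4.69 #1 built 10-Dec-2010 09:12:33
exim_bv_is_fixed() (
    set -f                          # no pathname expansion while word-splitting
    set -- $1
    [ "$1 $2" = "Exim version" ] || return 1
    ver=$3
    built=$6
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}               # "70" from "4.70" (and from "4.70.1")
    day=${built%%-*}
    mon_year=${built#*-}
    mon=${mon_year%%-*}
    year=${mon_year#*-}
    ymd="$year$(month_num "$mon")$day"
    [ "$major" -gt 4 ] 2>/dev/null && return 0
    [ "$major" -eq 4 ] 2>/dev/null && [ "$minor" -ge 70 ] 2>/dev/null && return 0
    [ "$ymd" -ge 20101210 ] 2>/dev/null && return 0
    return 1
)

# smtp_exposed "<output of 'ss -ltn' or 'netstat -ltn'>"
# Exit 0 (and print the address:port tokens) when a LISTEN socket on port 25,
# 465 or 587 is bound to anything other than loopback (0.0.0.0, ::, *, or a
# real address), i.e. reachable from the network; exit 1 when only loopback
# or nothing listens. Works on both tools' layouts because it scans tokens.
smtp_exposed() (
    set -f
    printf '%s\n' "$1" | {
        found=1
        while read -r line; do
            case "$line" in *LISTEN*) ;; *) continue ;; esac
            for tok in $line; do
                case "$tok" in *:*) ;; *) continue ;; esac
                port=${tok##*:}
                addr=${tok%:*}
                case "$port" in 25|465|587) ;; *) continue ;; esac
                case "$addr" in 127.*|'[::1]'|::1) continue ;; esac
                printf '%s\n' "$tok"
                found=0
            done
        done
        exit $found
    }
)

# Constructed 'ss -ltn' output: exim bound to loopback only (the Debian default,
# dc_local_interfaces='127.0.0.1 ; ::1' in /etc/exim4/update-exim4.conf.conf).
SAMPLE_SS_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      20     [::1]:25           [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed output for a host whose MTA accepts mail from anywhere.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      20     0.0.0.0:25         0.0.0.0:*
LISTEN 0      20     [::]:25            [::]:*'

# Live checks when the tools are present; otherwise the constructed samples.
if [ -x /usr/sbin/exim ]; then
    first=$(/usr/sbin/exim -bV 2>/dev/null | head -n 1)
    if exim_bv_is_fixed "$first"; then echo "build covered by the rule: $first"
    else echo "build NOT covered by the rule: ${first:-exim -bV printed nothing}"; fi
else
    echo "no /usr/sbin/exim here; you don't run exim"
fi
if command -v ss >/dev/null 2>&1; then
    smtp_exposed "$(ss -ltn 2>/dev/null)" || echo "no SMTP listener on a non-loopback address"
else
    echo "sample (loopback only):"; smtp_exposed "$SAMPLE_SS_LOCAL" || echo "  not exposed"
    echo "sample (exposed):";      smtp_exposed "$SAMPLE_SS_EXPOSED" || echo "  not exposed"
fi
```

Run it as root so `ss`/`netstat` can show which process owns each socket (add `-p`). A loopback-only listener still matters for the local privilege-escalation side of a mail-server bug, so the build check is the one to act on; the exposure check tells you whether remote, unauthenticated senders could reach it at all.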

Re: A security vulnerability in Exim

Postby neddie » 2010-12-13 14:44

Thanks for the extra info - at least I know I can't remove it without breaking stuff.
Your exim -bv command didn't show me any version number, it just gave me a ">" prompt, but dpkg tells me I've got 4.69-9 (not 4.70 or later as you say), and that matches the numbers in the first link you sent.

Re: A security vulnerability in Exim

Postby MeanDean » 2010-12-13 15:36

The cron package does not depend on an MTA, although it does suggest it. So I wouldn't say cron needs an MTA to be functional, but it would obviously need one to send mail out. Whether or not it needs an MTA to 'send' mail on the local machine is something I am not sure of... anyone ever checked?

I do not use cron, so I do not bother with having cron installed or any MTA either.

Re: A security vulnerability in Exim

Postby tnnn » 2010-12-13 17:13

neddie wrote: Your exim -bv command didn't show me any version number, it just gave me a ">" prompt,

That is because -bv != -bV (man says that -bv is also a valid switch - just for something else).
It appears that [ code ] block lowercases it - just try copying it and you will get a proper command (/usr/sbin/exim -bV).

Re: A security vulnerability in Exim

Postby Telemachus » 2010-12-13 18:51

tnnn wrote:
neddie wrote: Your exim -bv command didn't show me any version number, it just gave me a ">" prompt,

That is because -bv != -bV (man says that -bv is also a valid switch - just for something else).

Good eye.

tnnn wrote: It appears that [ code ] block lowercases it - just try copying it and you will get a proper command (/usr/sbin/exim -bV).

Really? When I select the text (manually or using the "select all" button), the uppercase V stays uppercase.

@Dean I remembered it being a requirement, not a suggestion, but you may be absolutely right. Cron does need something to send local mail, I believe, but certainly not Exim4.

I usually switch to a smaller, lighter SMTP agent, like msmtp or esmtp or ssmtp.

Re: A security vulnerability in Exim

Postby MeanDean » 2010-12-13 19:19

... you could just redirect the output to a log file (or even /dev/null) and skip the email stuff.

Re: A security vulnerability in Exim

Postby tnnn » 2010-12-13 19:43

Telemachus wrote:
tnnn wrote: It appears that [ code ] block lowercases it - just try copying it and you will get a proper command (/usr/sbin/exim -bV).
Really? When I select the text (manually or using the "select all" button), the uppercase V stays uppercase.

Sorry, maybe I was a bit unclear. When you copy it (either by ctrl+c or "select all" option) it works fine as it copies V as it should be - in uppercase. However, if you are too lazy to use the copy function and just type it by hand, you will probably type it incorrectly because [ code ] displays it in lowercase.

And BTW - since exim4 seems to be a part of a default installation, I'd consider pointing it out in the original post (or even thread title).

Re: A security vulnerability in Exim

Postby neddie » 2010-12-13 21:04

tnnn wrote: That is because -bv != -bV
D'oh. Good spot. OK, so -bV also says 4.69, not 4.70 or later, but I'm assuming this is still OK.

Re: A security vulnerability in Exim

Postby oOarthurOo » 2010-12-13 21:30

If you don't use it, lose it.

Re: A security vulnerability in Exim

Postby BioTube » 2010-12-13 22:11

tnnn wrote: Sorry, maybe I was a bit unclear. When you copy it (either by ctrl+c or "select all" option) it works fine as it copies V as it should be - in uppercase. However, if you are too lazy to use the copy function and just type it by hand, you will probably type it incorrectly because [ code ] displays it in lowercase.
It's in uppercase; V's just not one of those letters that makes it obvious.
Ludwig von Mises wrote: The elite should be supreme by virtue of persuasion, not by the assistance of firing squads.

Re: A security vulnerability in Exim

Postby tnnn » 2010-12-14 00:25

BioTube wrote: It's in uppercase; V's just not one of those letters that makes it obvious.

You are correct, my bad. Those who can't read, have to read man ;)

Re: A security vulnerability in Exim

Postby raboof » 2010-12-19 16:55

It seems several people are having trouble with the macro expansion of among others MAIN_RELAY_NETS and ETC_MAILNAME in the security-fixed package.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607542

In all cases I've seen so far the machine was rooted as described at http://www.reddit.com/r/netsec/comments ... led_on_my/
