Multiple Vulnerabilities in Exim

Sophos Security Advisory

Anthony.Merry

Summary

Overview

Multiple CVEs for the Exim mailer software, a widely used open-source message transfer agent (MTA), have been disclosed. One of the disclosed vulnerabilities impacts customers using email protection in MTA mode with the Sender Policy Framework (SPF) enabled. If exploited, this vulnerability may lead to remote code execution (RCE).

Sophos Firewall customers not licensed for email protection, those using legacy mode (transparent email proxy) for email, and those with Sender Policy Framework disabled are not vulnerable.

SG UTM customers not using email protection are not vulnerable.

Applies to the following Sophos product(s) and version(s)

  • Sophos Firewall
  • Sophos SG UTM
CVE ID          Comments
CVE-2023-42114  Not vulnerable: the SPA (NTLM) authentication method required to exploit it is not used in Sophos Firewall and SG UTM
CVE-2023-42115  Not vulnerable: the EXTERNAL authentication method required to exploit it is not used in Sophos Firewall and SG UTM
CVE-2023-42116  Not vulnerable: the SPA (NTLM) authentication method required to exploit it is not used in Sophos Firewall and SG UTM
CVE-2023-42117  Not vulnerable: the proxy-protocol support required to exploit it is not used in Sophos Firewall and SG UTM
CVE-2023-42118  Vulnerable (affects email protection in MTA mode with SPF enabled; see Overview)
CVE-2023-42119  Under investigation

Remediation

  • Sophos Firewall
    • October 4, 2023: A hotfix for Sophos Firewall was released to remediate CVE-2023-42118 for the following versions
      • v20 EAP1, v19.5 GA/MR1/MR2/MR3, 19.0 GA/MR1/MR2/MR3, 18.5 MR4/MR5
  • SG UTM
    • An update to SG UTM will be released to patch this vulnerability. The expected release date is October 17, 2023.
  • Sophos always recommends that customers upgrade to the latest available version of Sophos Firewall and SG UTM

How to verify the hotfix has been applied to Sophos Firewall

  • Log in to Sophos Firewall over SSH and go to options "5" and "3" (Advanced Console)
  • Change to the log directory with the command: cd /log
  • Search for the hotfix filename in u2d.log with the following command: grep "sfsysupdate_NC-125369" u2d.log
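The check above wrapped in a small shell function, as an added example that is not part of the Sophos advisory: it returns a distinct exit status for "marker found", "marker absent" and "log unreadable", so the result can be recorded by a script. The sample log contents in the demo are constructed; the only assumption about the real u2d.log is that the hotfix filename appears verbatim on a line.

```shell
#!/bin/sh
# Added example, not Sophos code. Assumption: the hotfix filename appears
# verbatim on one line of u2d.log; no other line format is relied on.
HOTFIX_MARKER="sfsysupdate_NC-125369"

# hotfix_applied [LOGFILE] [MARKER]
# Exit status: 0 = marker found, 1 = marker absent, 2 = log not readable.
# Matching lines are printed so the install timestamp can be reviewed.
hotfix_applied() {
    log="${1:-/log/u2d.log}"
    marker="${2:-$HOTFIX_MARKER}"
    if [ ! -r "$log" ]; then
        echo "hotfix check: cannot read $log" >&2
        return 2
    fi
    if grep -F -- "$marker" "$log"; then
        echo "hotfix check: $marker present in $log"
        return 0
    fi
    echo "hotfix check: $marker NOT present in $log" >&2
    return 1
}

# Offline demonstration against a constructed log (not real u2d.log output).
demo_hotfix_check() {
    tmp=$(mktemp) || return 2
    printf '%s\n' \
        '2023-10-04 10:15:02 fetching sfsysupdate_NC-125369' \
        '2023-10-04 10:15:40 installed sfsysupdate_NC-125369 OK' > "$tmp"
    hotfix_applied "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_hotfix_check
```

On the device itself, run `hotfix_applied /log/u2d.log` from the Advanced Console instead of the demo.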

Workaround

The workaround is to disable SPF. SPF only needs to stay disabled on Sophos Firewall and SG UTM until the hotfix or patch has been applied to the device; once it is applied, SPF can be re-enabled.

Disable SPF using the following steps:

  • Sophos Firewall
    • Turn off SPF in all (MTA mode) SMTP policies under “Email >> Policies & exceptions >> [edit policy] >> Spam protection >> Reject based on SPF”.
  • SG UTM
    • Turn off SPF in all SMTP profiles under “Email Protection >> SMTP >> Antispam >> Perform SPF check” and “Email Protection >> SMTP Profiles >> [edit profile] >> BATV/RDNS/HELO/SPF/Greylisting >> Perform SPF check” when in profiles mode.

Related Information

  • CVE-2023-42114 Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability, CVSS score: 3.7
  • CVE-2023-42115 Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability, CVSS score: 9.8
  • CVE-2023-42116 Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability, CVSS score: 8.1
  • CVE-2023-42117 Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability, CVSS score: 8.1
  • CVE-2023-42118 Exim libspf2 Integer Underflow Remote Code Execution Vulnerability, CVSS score: 7.5
  • CVE-2023-42119 Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability, CVSS score: 3.1
Severity: High
Publication ID: sophos-sa-20231005-exim-vuln
Workaround: Yes
Products: Sophos Firewall, Sophos UTM
CVEs: CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119
Article Version: 1
