Critical Vulnerability Found in Exim

The vulnerability, which allows remote code execution, can be exploited in versions 4.87 through 4.91; it was fixed in version 4.92, released in February
07 June 2019

A critical vulnerability (CVE-2019-10149) has been identified in the Exim mail server. It can lead to remote code execution on the server with root privileges when a specially crafted request is processed. The problem is exploitable in versions 4.87 through 4.91 inclusive, or in builds with the EXPERIMENTAL_EVENT option enabled.

In the default configuration the attack is straightforward for a local user. The default RCPT ACL uses "verify = recipient", which performs additional checks on addresses supplied by remote senders and so stands in the way of a remote attacker. A remote attack becomes possible after configuration changes: for example, when Exim acts as a secondary MX for another domain, when the "verify = recipient" ACL is removed, or with certain changes to local_part_suffix. A remote attack is also possible if the attacker can keep the connection to the server open for seven days (for example, by sending one byte every few minutes to avoid the idle timeout). Simpler vectors for remote exploitation cannot be ruled out.

The vulnerability stems from incorrect validation of the recipient address in the deliver_message() function defined in src/deliver.c. By manipulating the formatting of the address, an attacker can inject his own data into the arguments of a command that is run through execv() with root rights. Exploitation requires none of the complex techniques needed for buffer overflows or memory corruption; substituting characters in the address is enough.

The problem lies in the following construction, used to extract the local part and the domain of the recipient address:

         /* src/deliver.c, deliver_message(): the raw address is formatted
            into an expansion string and then expanded */
         deliver_localpart = expand_string(
                       string_sprintf("${local_part:%s}", new->address));
         deliver_domain = expand_string(
                       string_sprintf("${domain:%s}", new->address));

The expand_string() function is a sprawling Swiss-army-knife of a function: among other things, it recognises the "${run{command arguments}}" item, which starts an external program. Thus, for an attack within an SMTP session it is enough for a local user to send a command of the form 'RCPT TO "username+${run{...}}@localhost"', where localhost is one of the hosts in the local_domains list and username is the name of an existing local user.

If the server works as a mail relay, the command can be sent remotely as 'RCPT TO "${run{...}}@relaydomain.com"', where relaydomain.com is one of the hosts listed in the relay_to_domains configuration section. Since by default Exim does not drop privileges for delivery (deliver_drop_privilege = false), the commands passed via "${run{...}}" are executed as root.
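To make the mechanism concrete, here is an added example written for this article; it is not Exim's code, and the expander is a toy, not a reimplementation of expand_string(). It models only the three expansion items involved, shows the pre-4.92 pattern from deliver_message() being driven by a crafted recipient next to an illustrative hardened form that never feeds the address to the expander (not the actual 4.92 patch), and ends with a quick check over constructed log lines in Exim mainlog style for recipients that contain expansion syntax. The ${run{...}} item only records the command; nothing is executed. Exim's ACLs are not modelled, so the sample payload containing "/" is only illustrative: the default RCPT ACL rejects local parts with such characters for local domains, which a real attack has to contend with.

```python
import re

# Added example (not Exim's code): a deliberately tiny model of Exim's string
# expansion, enough to show why building an expansion string with the recipient
# address embedded in it is an injection bug. Three items are modelled:
#   ${local_part:ADDR}   ${domain:ADDR}   ${run{CMD}}
# ${run{...}} is simulated: the command is recorded, never executed.


def _matching_brace(s, i):
    """s[i] is '{'; return the index of the '}' that closes it."""
    depth = 0
    for k in range(i, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in expansion string: %r" % s)


def expand_string(s, executed):
    """Toy expand_string(): scan s left to right and expand every ${...} item.
    Commands that ${run{...}} would execute are appended to `executed`."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("${", i):
            close = _matching_brace(s, i + 1)
            out.append(_expand_item(s[i + 2:close], executed))
            i = close + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _expand_item(item, executed):
    if item.startswith("run{") and item.endswith("}"):
        # Exim would fork CMD here (as root when deliver_drop_privilege is
        # false) and substitute its output; the model records it and yields "".
        executed.append(expand_string(item[4:-1], executed))
        return ""
    if item.startswith("local_part:"):
        # As in Exim, the argument is itself expanded first; that is the hook
        # the attacker-controlled address abuses. Address parsing is simplified
        # to splitting on the last '@'.
        return expand_string(item[len("local_part:"):], executed).rpartition("@")[0]
    if item.startswith("domain:"):
        return expand_string(item[len("domain:"):], executed).rpartition("@")[2]
    raise ValueError("unsupported expansion item: %r" % item)


def vulnerable_deliver_message(address):
    """Pre-4.92 pattern: the raw recipient address is sprintf'ed into an
    expansion string and then expanded. Returns (local_part, domain, commands)."""
    executed = []
    local_part = expand_string("${local_part:%s}" % address, executed)
    domain = expand_string("${domain:%s}" % address, executed)
    return local_part, domain, executed


def safe_deliver_message(address):
    """Illustrative hardened form (not the actual upstream fix): take local part
    and domain from the parsed address; attacker text never reaches the expander."""
    local_part, _, domain = address.rpartition("@")
    return local_part, domain, []


# Constructed lines in Exim mainlog style (not real logs) for the check below.
SAMPLE_LOG = [
    "2019-06-07 10:00:01 H=(mx.example.net) [198.51.100.7] F=<bob@example.net> "
    "rejected RCPT <carol@example.org>: Unrouteable address",
    "2019-06-07 10:00:09 H=(evil) [203.0.113.5] F=<x@example.net> "
    "rejected RCPT <${run{/usr/bin/id}}@example.org>: Unrouteable address",
    "2019-06-07 10:01:15 1hZa1x-0001Ab-2C <= alice@example.org H=localhost [127.0.0.1] P=esmtp S=512",
]


def flag_expansion_in_recipients(log_lines):
    """Return the log lines in which any <address> contains Exim expansion syntax."""
    return [line for line in log_lines
            if any("${" in addr for addr in re.findall(r"<([^>]*)>", line))]


if __name__ == "__main__":
    crafted = "alice+${run{/usr/bin/id}}@localhost"
    print("vulnerable:", vulnerable_deliver_message(crafted))
    print("hardened:  ", safe_deliver_message(crafted))
    print("flagged:   ", flag_expansion_in_recipients(SAMPLE_LOG))
```

The vulnerable path runs the injected command twice, once per expansion (local part, then domain), which matches the two expand_string() calls shown above; the hardened path leaves the literal "${run{...}}" text in the local part, where it simply fails to match any user.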

Notably, the vulnerability was eliminated in release 4.92, published in February, without the change being flagged as security-relevant. There is no reason to believe that the Exim developers were deliberately concealing the vulnerability: the problem was resolved while fixing a malfunction caused by passing malformed addresses, and the vulnerability was identified by Qualys during an audit of changes to Exim.

Linux 5.3 Kernel Released

A large batch of updates, improvements, changes and new features awaits Linux users
17 September 2019

After two months of development, Linus Torvalds announced the release of the Linux 5.3 kernel. Among the most notable changes: support for AMD Navi GPUs, Zhaoxin processors and Intel Speed Select power-management technology; the ability to use the umwait instructions to wait without busy loops; a utilization-clamping mode that improves interactivity on asymmetric CPUs; the pidfd_open system call; the ability to use IPv4 addresses from the 0.0.0.0/8 range; hardware offload for nftables; HDR support in the DRM subsystem; and integration of the ACRN hypervisor.

In the release announcement, Linus reminded all developers of the main rule of kernel development: preserving the behaviour that user space depends on. Changes in the kernel must not break already running applications or cause user-level regressions. A behaviour change can be caused not only by an ABI change, the removal of outdated code or a bug, but also as an indirect effect of correct and useful improvements. As a good example, a useful optimisation in the Ext4 code was reverted: it reduced the number of accesses to the drive by disabling read-ahead of the inode table for small I/O requests.

The optimisation led to a situation where, because of the reduced disk activity, entropy for the getrandom() random number generator accumulated more slowly, and in some configurations, under certain circumstances, boot could hang until the entropy pool was full. Since the optimisation is genuinely useful, a discussion arose among the developers in which it was proposed to solve the problem by disabling the default blocking mode of the getrandom() call and adding an optional flag for waiting until entropy is available, but such a change would affect the quality of random numbers in the early stage of boot. In the revert commit, Linus noted that he plans to bring the optimisation back as soon as the getrandom() problem is resolved.
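The user-space side of this trade-off is worth seeing in code. The following is an added example written for this article, not kernel code and not from the release announcement: it uses getrandom(2) with GRND_NONBLOCK so that a program asked for key material before the CRNG is seeded gets EAGAIN back (surfaced here as RND_NOT_READY) instead of hanging, and it leaves the decision to wait, retry or refuse to the caller. It assumes Linux with a glibc that provides <sys/random.h> (2.25 or later); on other Unix systems it falls back to reading /dev/urandom, which is an assumption of the example and never blocks. The RND_* codes, fill_random(), get_key_material() and self_check() are names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>   /* getrandom(2) and GRND_NONBLOCK, glibc >= 2.25 */
#endif

/* Result codes used by the helpers in this example. */
enum { RND_OK = 0, RND_NOT_READY = 1, RND_ERROR = -1 };

/* Fill buf with n bytes from the kernel CSPRNG.
 * With nonblocking set, Linux returns EAGAIN instead of waiting when the CRNG
 * has not been seeded yet (the early-boot situation discussed above); that is
 * reported as RND_NOT_READY so the caller can decide what to do. With
 * nonblocking clear, the call waits, which is the kernel's default behaviour.
 * Off Linux (assumption of this example) /dev/urandom is read instead. */
int fill_random(unsigned char *buf, size_t n, int nonblocking)
{
#ifdef __linux__
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, nonblocking ? GRND_NONBLOCK : 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;               /* interrupted while waiting: retry */
            if (errno == EAGAIN)
                return RND_NOT_READY;   /* pool not initialised, did not block */
            return RND_ERROR;
        }
        got += (size_t)r;
    }
    return RND_OK;
#else
    (void)nonblocking;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return RND_ERROR;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? RND_OK : RND_ERROR;
#endif
}

/* Policy for security-sensitive bytes (keys, nonces): never accept output from
 * a pool that is not ready. If may_wait is set, fall back to the blocking call;
 * otherwise return RND_NOT_READY and let the caller retry later or abort,
 * rather than proceeding with predictable bytes. */
int get_key_material(unsigned char *key, size_t n, int may_wait)
{
    int rc = fill_random(key, n, 1);
    if (rc == RND_NOT_READY && may_wait)
        rc = fill_random(key, n, 0);
    return rc;
}

/* Probe without waiting: RND_OK once the pool is seeded, RND_NOT_READY before. */
int probe_ready(void)
{
    unsigned char tmp[16];
    return fill_random(tmp, sizeof tmp, 1);
}

/* Self check: 32 bytes were obtained and are not all zero (an all-zero buffer
 * from a working CSPRNG has probability 2^-256). Returns 1 on success. */
int self_check(void)
{
    unsigned char key[32];
    memset(key, 0, sizeof key);
    if (get_key_material(key, sizeof key, 1) != RND_OK)
        return 0;
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char key[32];
    int rc = get_key_material(key, sizeof key, /* may_wait = */ 0);
    if (rc == RND_NOT_READY) {
        fputs("CRNG not seeded yet; refusing to derive a key from weak entropy\n", stderr);
        return 2;
    }
    if (rc != RND_OK) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

A service started early in boot that needs unpredictable key material should treat RND_NOT_READY as "not yet", not as an error to paper over with a weaker source; the blocking default exists precisely so that programs which do not check get the safe behaviour, which is why the proposed non-blocking default was contentious.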

The new version incorporates 15794 patches from 1974 developers; the patch is 92 MB in size (the changes touched 13986 files, with 258419 lines of code added and 599137 deleted). About 39% of all the changes in 5.3 are in device drivers, about 12% in architecture-specific code, 11% in the network stack, 3% in file systems and 3% in internal kernel subsystems.

More information about the new features is available in the release announcement on the mailing list.