Critical Vulnerability Found in Exim

The vulnerability, which allows remote code execution, can be exploited in versions 4.87 through 4.91, but it was fixed in version 4.92, released in February
07 June 2019

A critical vulnerability (CVE-2019-10149) has been identified in the Exim mail server which can lead to remote code execution on the server with root privileges when a specially crafted request is processed. The problem is exploitable in versions 4.87 through 4.91 inclusive, or in builds made with the EXPERIMENTAL_EVENT option.

In the default configuration, a local user can carry out the attack without any complications, because the "verify = recipient" ACL is used, which performs additional checks for external addresses. A remote attack becomes possible with certain configuration changes, for example when the server works as a secondary MX for another domain, when the verify = recipient ACL is removed, or with certain changes to local_part_suffix. A remote attack is also possible if an attacker can keep the connection to the server open for 7 days (for example, by sending one byte per minute to avoid the timeout). At the same time, simpler attack vectors for remote exploitation of the problem are not ruled out.

The vulnerability is caused by incorrect verification of the recipient address in the deliver_message() function defined in src/deliver.c. By manipulating the formatting of the address, an attacker can get his own data substituted into the arguments of a command that is invoked through the execv() function with root rights. Exploitation does not require the complex techniques used for buffer overflows or memory corruption; substituting characters is enough.

The problem is connected with the use of the following construction for address translation:

         deliver_localpart = expand_string(
                       string_sprintf("${local_part:%s}", new->address));
         deliver_domain = expand_string(
                       string_sprintf("${domain:%s}", new->address));

The expand_string() function is a do-everything parser that also recognizes the "${run{command arguments}}" item, which starts an external handler. Thus, in an SMTP session a local user only needs to send a command like 'RCPT TO "username+${run{...}}@localhost"', where localhost is one of the hosts in the local_domains list and username is the name of an existing local user.

If the server acts as a mail relay, the command 'RCPT TO "${run{...}}@relaydomain.com"' can be sent remotely, where relaydomain.com is one of the hosts listed in the relay_to_domains configuration section. Since Exim does not drop privileges by default (deliver_drop_privilege = false), the commands passed via "${run{...}}" are executed as root.
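Two defender-side checks for the issue described above, as an added example that is not code from the Exim project or from the original article: a version-range test against the 4.87 to 4.91 window, and a scan of mail logs for addresses carrying the "${run{" expansion item. It assumes the installed version is read from the first line of `exim -bV` and that log files hold one event per line; the sample log is constructed, not real Exim output.

```shell
#!/bin/sh
# Added defensive checks for CVE-2019-10149; not code from the Exim project.
# Assumptions: the version comes from the first line of `exim -bV`
# ("Exim version X.YZ ..."), and log files hold one event per line.

# Extract e.g. "4.91" from `exim -bV` output passed as $1.
parse_exim_version() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when the version lies in the affected range 4.87..4.91 inclusive
# (a third component, if any, is ignored); 4.92 and later carry the fix.
exim_version_affected() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Count lines in log file $1 whose address carries Exim's ${run{...}}
# expansion item, the construct this bug turns into a root command.
# A legitimate local part never contains "${run{", so any hit deserves a look.
count_run_expansion_hits() {
    n=$(grep -c -F '${run{' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Constructed sample log (not real Exim output) to exercise the scanner.
demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2019-06-07 10:00:01 H=(mx.example) [192.0.2.10] rejected RCPT <alice@example.org>
2019-06-07 10:00:02 H=(mx.example) [192.0.2.10] rejected RCPT <bob+${run{x}}@localhost>
2019-06-07 10:00:03 H=(mx.example) [192.0.2.10] rejected RCPT <carol@example.org>
EOF
    printf '%s\n' "$f"
}

# Report for the local host (uses the real `exim -bV` when installed).
report() {
    v=$(parse_exim_version "$(exim -bV 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "exim not found or version line not recognised"
    elif exim_version_affected "$v"; then
        echo "Exim $v is in the affected 4.87-4.91 range: upgrade to 4.92 or later"
    else
        echo "Exim $v is outside the affected 4.87-4.91 range"
    fi
    echo "sample log lines with \${run{ in an address: $(count_run_expansion_hits "$(demo_log)")"
}
report
```

Point count_run_expansion_hits at the real mainlog or rejectlog to scan a production host.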

It is noteworthy that the vulnerability was eliminated in release 4.92, published in February, without any mention that the fix addressed a security problem. There is no reason to believe that the Exim developers were deliberately trying to hide the vulnerability, since the problem was resolved while fixing a malfunction caused by passing malformed addresses, and the vulnerability was identified by Qualys during an audit of changes to Exim.

Vulnerabilities in Linux & FreeBSD TCP Stacks Detected

Four vulnerabilities, which the researchers rate as critical
18 June 2019

Netflix has identified several critical vulnerabilities in the Linux and FreeBSD TCP stacks that allow a remote attacker to trigger a kernel crash or excessive resource consumption by sending specially crafted TCP packets (packet-of-death). The problems stem from errors in the handling of the maximum data block size in a TCP packet (MSS, Maximum Segment Size) and in the selective acknowledgment mechanism (SACK, TCP Selective Acknowledgment).

CVE-2019-11477: A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.

Data awaiting retransmission is kept in fragments when packet loss occurs or selective retransmission is needed, provided SACK is enabled and the driver supports TSO. With the minimum MSS, only 8 bytes of data are placed in each segment, so the number of segments needed to send all the data grows and the structure can reach the limit of 17 fragments. To protect against overflow, the code contains a check that calls BUG_ON() and puts the kernel into the panic state.

CVE-2019-11478 (SACK Slowness): It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. On Linux kernels prior to 4.15, an attacker may be able to further exploit the fragmented queue to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

CVE-2019-5599 (SACK Slowness): It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

CVE-2019-11479: An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data. Further, it consumes additional resources (CPU and NIC processing power). This attack requires continued effort from the attacker, and the impact ends shortly after the attacker stops sending traffic.
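A quick exposure check for the three Linux issues above, as an added example that is neither kernel code nor part of the Netflix advisory: it looks for the tcp_min_snd_mss sysctl that the fix series introduced, falls back to reporting whether SACK is disabled, and prints interim hardening (dropping SYNs that advertise a tiny MSS, and turning SACK off) for a host that is still exposed. It assumes sysctl values can be read from a directory given in PROC_IPV4 (default /proc/sys/net/ipv4), which is what makes the check testable against a constructed directory; the 500-byte MSS threshold is an example value.

```shell
#!/bin/sh
# Added example, not from the Netflix advisory or the kernel: exposure check
# for the Linux SACK/MSS issues (CVE-2019-11477, -11478, -11479).
# Assumption: sysctl values are read from PROC_IPV4 (default
# /proc/sys/net/ipv4) so the check can be pointed at a constructed directory.
PROC_IPV4="${PROC_IPV4:-/proc/sys/net/ipv4}"

# Prints one of:
#   patched   - net.ipv4.tcp_min_snd_mss exists; it was introduced by the
#               fix series for these CVEs, so its presence is a good sign
#               (a heuristic: vendor backports may differ).
#   mitigated - SACK is off, which removes the SACK-based vectors.
#   exposed   - no fix visible and SACK enabled.
sack_exposure() {
    if [ -r "$PROC_IPV4/tcp_min_snd_mss" ]; then
        echo patched
    elif [ "$(cat "$PROC_IPV4/tcp_sack" 2>/dev/null)" = "0" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Interim hardening for an exposed host until the kernel is updated:
# refuse SYNs advertising a tiny MSS (the 8-byte-payload segments behind
# CVE-2019-11477 and -11479) and turn SACK off for the remaining vectors.
# The 500-byte threshold is an example; choose one that fits your links.
print_mitigation() {
    cat <<'EOF'
iptables  -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
sysctl -w net.ipv4.tcp_sack=0
EOF
}

report() {
    state=$(sack_exposure)
    echo "SACK/MSS exposure: $state"
    if [ "$state" = "exposed" ]; then
        print_mitigation
    fi
}
report
```

Disabling SACK costs throughput on lossy links, so treat it as a stopgap and remove it once the patched kernel is running.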

Get more information on the vulnerabilities, workarounds and fixes at openwall.