Multiple Vulnerabilities in Exim

Severity: High
CVE: CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119
Updated:
Product(s): Sophos Firewall, Sophos UTM
Publication ID: sophos-sa-20231005-exim-vuln
Article version: 1
First published:
Workaround: Yes

Overview

Multiple CVEs for the Exim mailer software, a widely used open-source message transfer agent (MTA), have been disclosed. One of the disclosed vulnerabilities impacts customers using email protection in MTA mode with the Sender Policy Framework (SPF) enabled. If exploited, this vulnerability may lead to remote code execution (RCE).

Sophos Firewall customers not licensed for email protection, those using legacy mode (transparent email proxy) for email, and those with Sender Policy Framework disabled are not vulnerable.

SG UTM customers not using email protection are not vulnerable.

Applies to the following Sophos product(s) and version(s)

  • Sophos Firewall
  • Sophos SG UTM

CVE ID         | Comments
---------------|-----------------------------------------------------------------------------------------------------------------------
CVE-2023-42114 | Not vulnerable because the SPA (NTLM) authentication method required to exploit is not used in Sophos Firewall and SG UTM
CVE-2023-42115 | Not vulnerable because the EXTERNAL authentication method required to exploit is not used in Sophos Firewall and SG UTM
CVE-2023-42116 | Not vulnerable because the SPA (NTLM) authentication method required to exploit is not used in Sophos Firewall and SG UTM
CVE-2023-42117 | Not vulnerable because the proxy-protocol support required to exploit is not used in Sophos Firewall and SG UTM
CVE-2023-42118 | Vulnerable
CVE-2023-42119 | Under investigation

Remediation

  • Sophos Firewall
    • October 4, 2023: A hotfix for Sophos Firewall was released to remediate CVE-2023-42118 for the following versions:
      • v20 EAP1, v19.5 GA/MR1/MR2/MR3, 19.0 GA/MR1/MR2/MR3, 18.5 MR4/MR5
  • SG UTM
    • October 10, 2023: Fix included in SG UTM v9.717 MR17
  • Sophos always recommends that customers upgrade to the latest available version of Sophos Firewall and SG UTM

How to verify the hotfix has been applied to Sophos Firewall

  • Log in to Sophos Firewall over SSH and choose menu options "5" and "3" (Advanced Console)
  • Change to the log directory with the command: cd /log
  • Search u2d.log for the hotfix filename with the following command: grep "sfsysupdate_NC-125369" u2d.log
  • A matching line means the hotfix package has been recorded by the updater; no output means it has not been applied yet
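As an added example that is not part of the Sophos advisory, the log check above can be scripted in POSIX shell so that it returns a clear applied/missing result instead of requiring the operator to read raw grep output. It assumes only what the advisory states: that the hotfix identifier sfsysupdate_NC-125369 appears in /log/u2d.log once the hotfix is installed. The exact log line format is not documented on this page, so the sample log used by demo() is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Sophos code): report whether the CVE-2023-42118 hotfix for
# Sophos Firewall has been recorded in the updater log.
# Assumption: the hotfix id string from the advisory appears verbatim in a line of
# /log/u2d.log after installation; the log line format itself is not documented
# here, so the demo below uses a constructed sample file.

HOTFIX_ID="sfsysupdate_NC-125369"

# hotfix_applied [LOGFILE]
#   returns 0 if the hotfix id appears in LOGFILE (default /log/u2d.log),
#   1 if it does not, 2 if the log cannot be read
hotfix_applied() {
    logfile="${1:-/log/u2d.log}"
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
    # -F: literal string match, -q: exit status only
    grep -q -F -- "$HOTFIX_ID" "$logfile"
}

# hotfix_status [LOGFILE]
#   prints "applied" (followed by the matching log lines), "missing", or
#   "unknown (log not readable)"
hotfix_status() {
    logfile="${1:-/log/u2d.log}"
    # capture the exit status without tripping set -e in callers
    hotfix_applied "$logfile" && rc=0 || rc=$?
    case $rc in
        0) echo "applied"; grep -F -- "$HOTFIX_ID" "$logfile" ;;
        1) echo "missing" ;;
        *) echo "unknown (log not readable)" ;;
    esac
}

# demo: run the check against a constructed sample log (no real firewall log is read)
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2023-10-04 10:00:01 u2d: checking for updates (constructed sample line)
2023-10-04 10:00:07 u2d: installed sfsysupdate_NC-125369 (constructed sample line)
EOF
    hotfix_status "$tmp"
    rm -f "$tmp"
}

# With a log path as the first argument, check that file; otherwise run the demo.
if [ $# -gt 0 ]; then hotfix_status "$1"; else demo; fi
```

On the firewall itself, run it from the Advanced Console with the real log as the argument (for example `sh check_hotfix.sh /log/u2d.log`); the exit status of hotfix_applied can also be used directly from other scripts, which is why the check is kept separate from the reporting function.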

Workaround

The workaround is to disable SPF. SPF only needs to stay disabled on Sophos Firewall and SG UTM until the hotfix or patch has been applied to the device; once it is applied, SPF can be re-enabled.

Disable SPF using the following steps:

  • Sophos Firewall
    • Turn off SPF in all (MTA mode) SMTP policies under "Email >> Policies & exceptions >> [edit policy] >> Spam protection >> Reject based on SPF".
  • SG UTM
    • Turn off SPF in all SMTP profiles under "Email Protection >> SMTP >> Antispam >> Perform SPF check" and, when in profiles mode, under "Email Protection >> SMTP Profiles >> [edit profile] >> BATV/RDNS/HELO/SPF/Greylisting >> Perform SPF check".

Related Information

  • CVE-2023-42114 Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability, CVSS SCORE: 3.7
  • CVE-2023-42115 Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability, CVSS SCORE: 9.8
  • CVE-2023-42116 Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability, CVSS SCORE: 8.1
  • CVE-2023-42117 Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability, CVSS SCORE: 8.1
  • CVE-2023-42118 Exim libspf2 Integer Underflow Remote Code Execution Vulnerability, CVSS SCORE: 7.5
  • CVE-2023-42119 Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability, CVSS SCORE: 3.1