[bitfolk] 21 critical Exim security issues need addressing

Author: Andy Smith
Date:  
To: announce
Subject: [bitfolk] 21 critical Exim security issues need addressing

gpg: Signature made Fri May 7 01:48:36 2021 UTC
gpg: using DSA key 0E4236CB52951E14536066222099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi,

TL;DR: There's 21 serious security vulnerabilities recently
published for the Exim mail server, 10 of which are remotely
triggerable. Anyone running Exim needs to patch it ASAP or risk
having their server automatically root compromised as soon as an
exploit is cooked up. Which may have happened already.

Details: https://lwn.net/Articles/855282/

We don't usually post about other vendors' security issues on the
announce@ list but I'm making an exception for this one because Exim
is installed by default on all versions of Debian, and more than
60% of BitFolk customers use some version of Debian.

If you're running Exim you need to upgrade it immediately. Package
updates have already been posted for Debian 9 and 10
(stretch/oldstable and buster/stable). The last time this sort of
thing happened with Exim several customers were automatically
compromised. As it's a root level compromise, if it happens to you
then you will never be sure exactly what was done to your server.
You might end up needing to reinstall it.

Most hosts, unless they are acting as a server listed in one or more
domains' MX records, do not need to be remotely accessible on port
25. If that's the case for you then you would be well advised to
reconfigure Exim to only listen on localhost. Though there are still
11 other vulnerabilities that local users could exploit. At least
you'd only get rooted by a friend, right?

An exploit hasn't been published yet but that doesn't mean that one
doesn't exist, and now that the source changes are public it should
be fairly easy for developers to work out how to do it.

Some of the bugs go back to 2004 so basically every Exim install is
at risk. If you are running a release of Debian prior to version 9
(stretch) then it's out of security support and may not ever see an
updated package for this, so you need to strongly consider turning
off any Exim server and doing an OS upgrade before you turn it back
on.

If you need help, you could reply to this and seek help from other
customers, or BitFolk can help you as a consultancy service, but you
probably don't want to pay consultancy prices and in any moderately
complicated setup our approach is going to be an OS upgrade anyway.
Email support@??? to discuss if still interested in that.

Best of luck with the upgrading!
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce@???
https://lists.bitfolk.com/mailman/listinfo/announce
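
Added example (not part of the original message): a check for the advice above about hosts that do not need to accept mail on port 25 from outside. It reads `ss -Hltn` output and reports any non-loopback address listening on port 25. The function names and sample lines are constructed for illustration; the `dc_local_interfaces` setting named in the comment is from Debian's exim4 packaging, not from the message.

```shell
#!/bin/sh
# Report TCP port 25 listeners that are reachable from outside the host.
# Live use on Linux:  ss -Hltn | check_smtp_exposure
#
# If it reports an address and this host is not an MX, Debian's exim4
# packaging takes the listen addresses from dc_local_interfaces in
# /etc/exim4/update-exim4.conf.conf, e.g.  dc_local_interfaces='127.0.0.1 ; ::1'
# followed by update-exim4.conf and a restart of exim4.

# stdin: `ss -Hltn` lines. stdout: one non-loopback local address per line
# for every listener on port 25; nothing if all are loopback or absent.
smtp_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)         # keep text after the last colon
            sub(/:[^:]*$/, "", addr)     # keep text before the last colon
            if (port != "25") next
            sub(/^\[/, "", addr)         # [::1] -> ::1
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr
        }'
}

# Returns 0 if port 25 is loopback-only (or closed), 1 if exposed.
check_smtp_exposure() {
    exposed=$(smtp_exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "port 25 reachable on: $(echo "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "port 25 is loopback-only or not listening"
}

# Constructed sample input: a wildcard-bound MTA, then a loopback-only one.
SAMPLE_EXPOSED='LISTEN 0 20 0.0.0.0:25 0.0.0.0:*
LISTEN 0 20 [::]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_LOCAL='LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 20 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_EXPOSED" | check_smtp_exposure || true
printf '%s\n' "$SAMPLE_LOCAL" | check_smtp_exposure || true
```

A loopback-only result removes the remote attack surface only; the package upgrade is still required because of the locally exploitable issues the message mentions.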