Re: [bitfolk] 21 critical Exim security issues need addressi…

Author: Nigel Rantor
Date:  
To: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing
Thank you so much for this.

n

On 07/05/2021 02:48, Andy Smith wrote:
> Hi,
>
> TL;DR: There are 21 serious security vulnerabilities recently
> published for the Exim mail server, 10 of which are remotely
> triggerable. Anyone running Exim needs to patch it ASAP or risk
> having their server automatically root compromised as soon as an
> exploit is cooked up. Which may have happened already.
>
> Details: https://lwn.net/Articles/855282/
>
> We don't usually post about other vendors' security issues on the
> announce@ list but I'm making an exception for this one because Exim
> is installed by default on all versions of Debian, and more than
> 60% of BitFolk customers use some version of Debian.
>
> If you're running Exim you need to upgrade it immediately. Package
> updates have already been posted for Debian 9 and 10
> (stretch/oldstable and buster/stable). The last time this sort of
> thing happened with Exim several customers were automatically
> compromised. As it's a root level compromise, if it happens to you
> then you will never be sure exactly what was done to your server.
> You might end up needing to reinstall it.
>
> Most hosts, unless they are acting as a server listed in one or more
> domains' MX records, do not need to be remotely accessible on port
> 25. If that's the case for you then you would be well advised to
> reconfigure Exim to only listen on localhost. Though there are still
> 11 other vulnerabilities that local users could exploit. At least
> you'd only get rooted by a friend, right?
>
> An exploit hasn't been published yet but that doesn't mean that one
> doesn't exist, and now that the source changes are public it should
> be fairly easy for developers to work out how to do it.
>
> Some of the bugs go back to 2004 so basically every Exim install is
> at risk. If you are running a release of Debian prior to version 9
> (stretch) then it's out of security support and may not ever see an
> updated package for this, so you need to strongly consider turning
> off any Exim server and doing an OS upgrade before you turn it back
> on.
>
> If you need help, you could reply to this and seek help from other
> customers, or BitFolk can help you as a consultancy service, but you
> probably don't want to pay consultancy prices and in any moderately
> complicated setup our approach is going to be an OS upgrade anyway.
> Email support@??? to discuss if still interested in that.
>
> Best of luck with the upgrading!
> Andy
>
>
> _______________________________________________
> announce mailing list
> announce@???
> https://lists.bitfolk.com/mailman/listinfo/announce
>
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
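The two checks Andy's advisory asks for (is the installed exim4 package at or above the fixed version, and is Exim listening on anything other than loopback?) as an added shell example. This is not part of the original post or of BitFolk's tooling; it assumes iproute2's ss(8), Debian's exim4 packaging (dpkg-query, update-exim4.conf.conf), and treats the fixed version string as a placeholder the operator copies from the Debian security advisory for their release.

```shell
#!/bin/sh
# Added example, not from the original post. Quick exposure check for Exim on
# a Debian host. Assumes iproute2 ss(8) and Debian's exim4 packaging. The fixed
# version passed as $1 is a placeholder taken from the Debian advisory.

# Given `ss -Hltn` output on stdin, print the local address:port of every TCP
# listener on an SMTP port (25, 465, 587) that is not bound to loopback only.
# Wildcard binds (0.0.0.0, [::], *) count as exposed. Prints nothing if clean.
exposed_smtp_listeners() {
    awk '
        {
            la = $4                       # "Local Address:Port" column
            n = split(la, p, ":")
            port = p[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (port != "25" && port != "465" && port != "587") next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print la
        }'
}

# Exit 0 if nothing on an SMTP port listens beyond loopback on this host.
smtp_is_local_only() {
    [ -z "$(ss -Hltn 2>/dev/null | exposed_smtp_listeners)" ]
}

# Exit 0 if installed exim4 is at or above $1 (fixed version from the Debian
# advisory), 1 if it is older, 2 if exim4-base is not installed at all.
exim_is_patched() {
    fixed="$1"
    installed=$(dpkg-query -W -f='${Version}' exim4-base 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" ge "$fixed"
}

main() {
    if [ "$#" -lt 1 ]; then
        echo "usage: $0 <fixed-exim4-version-from-debian-advisory>"
        return 0
    fi
    if exim_is_patched "$1"; then
        echo "exim4: installed version is >= $1"
    elif [ "$?" -eq 2 ]; then
        echo "exim4: not installed"
    else
        echo "exim4: OLDER than $1, run: apt-get update && apt-get install exim4"
    fi
    if smtp_is_local_only; then
        echo "smtp: only loopback listeners (or none)"
    else
        echo "smtp: exposed listeners:"
        ss -Hltn | exposed_smtp_listeners
        # Debian fix for a non-MX host: in /etc/exim4/update-exim4.conf.conf set
        #   dc_local_interfaces='127.0.0.1 ; ::1'
        # then run: update-exim4.conf && systemctl restart exim4
        echo "smtp: set dc_local_interfaces='127.0.0.1 ; ::1' unless this host is an MX"
    fi
}

main "$@"
```

The listener check reads `ss` output rather than the Exim config because Debian's `update-exim4.conf` rewrites the generated configuration; what is actually bound is the ground truth. On a host that is a published MX the exposed port 25 listener is expected and only the version check matters.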