[Spce-user] Multiple vulnerability issues on exim4 packages: 3 RCEs (Remote Code Executions)

Alex Lutay alutay at sipwise.com
Wed May 5 09:00:41 EDT 2021


Dear community,

We would like to highlight that critical security fixes for the
'exim4' project have been released and we strongly recommend
upgrading the package as soon as possible. Qualys Research Labs
reported several vulnerabilities in Exim, a mail transport agent,
which could result in local privilege escalation and remote code
execution.

Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt

For the stable distribution Debian 10 (buster), these problems have been
fixed in version 4.92-8+deb10u6.
For the oldstable distribution Debian 9 (stretch), these problems have
been fixed in version 4.89-2+deb9u8.

The following NGCP releases use Debian 10 (buster):
    - mr7.5.x
    - mr8.5.x
    - mr9.y.x
The following NGCP releases use Debian 9 (stretch):
    - mr6.5.x

We strongly recommend that you upgrade the exim4 packages.

For the detailed security status of exim4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/exim4

How to check whether the system is still affected:

1. Check your NGCP and Debian versions:
> # cat /etc/ngcp_version
> # lsb_release -a


2. Check the package version installed:
> # dpkg -l "*exim*" | grep ^ii


3. Check the table in
https://security-tracker.debian.org/tracker/source-package/exim4
for the row matching your Debian release.
If your installed package version is equal to or greater than the
version listed with "fixed" status, you are no longer affected. If your
version matches a version listed with "vulnerable" status, you need to
upgrade the packages to the next version with "fixed" status for your
Debian release.
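On the host itself, step 3 can be answered directly with dpkg's own comparison, e.g. `dpkg --compare-versions 4.92-8+deb10u4 ge 4.92-8+deb10u6` (exit status 1 here, meaning "not fixed"). The script below is an added example, not part of this post or of the NGCP tooling: it re-implements dpkg's version ordering in Python so the same check can be run over `dpkg -l` output collected from many hosts, on a machine that has no dpkg. The fixed versions are the ones quoted above; the sample `dpkg -l` output is constructed from the listing in this mail (one copy as posted, one edited to the fixed version), and the function names are this example's own.

```python
"""Offline check of installed exim4 versions against the Debian fixed versions
(added example; not Sipwise or Debian code)."""
from string import digits

# Fixed versions for the exim4 source package, as stated in the advisory above.
FIXED_EXIM4 = {
    "buster": "4.92-8+deb10u6",   # Debian 10
    "stretch": "4.89-2+deb9u8",   # Debian 9
}

# Constructed sample input: the `dpkg -l "*exim*" | grep ^ii` listing from this
# mail (still on deb10u4) and the same host after upgrading to deb10u6.
SAMPLE_BEFORE = """\
ii  exim4                  4.92-8+deb10u4 all          metapackage to ease Exim MTA (v4) installation
ii  exim4-base             4.92-8+deb10u4 amd64        support files for all Exim MTA (v4) packages
ii  exim4-config           4.92-8+deb10u4 all          configuration for the Exim MTA (v4)
ii  exim4-daemon-light     4.92-8+deb10u4 amd64        lightweight Exim MTA (v4) daemon
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("deb10u4", "deb10u6")


def _order(c: str) -> int:
    """Weight of one non-digit character, as in dpkg's order(): '~' sorts before
    anything (including end of string), letters before other punctuation."""
    if c in digits:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return (ord(c) + 256) if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (character weights) and digit runs (numeric value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (i < len(a) and a[i] not in digits) or (j < len(b) and b[j] not in digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; the longer run is larger, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in digits and b[j] in digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in digits:
            return 1
        if j < len(b) and b[j] in digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def parse_dpkg_list(output: str) -> dict:
    """Map package name -> installed version from `dpkg -l` lines with status 'ii'."""
    installed = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1].split(":")[0]] = fields[2]  # drop ':amd64' qualifier if present
    return installed


def audit_exim4(release: str, dpkg_output: str) -> dict:
    """Per package: True if the installed version is >= the fixed version for this release."""
    fixed = FIXED_EXIM4[release]
    return {name: compare_versions(ver, fixed) >= 0
            for name, ver in parse_dpkg_list(dpkg_output).items()}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for pkg, ok in audit_exim4("buster", sample).items():
            print(f"{label}: {pkg:22s} {'fixed' if ok else 'VULNERABLE, upgrade'}")
```

Feed it the `dpkg -l` output from step 2 and the release codename from step 1. Because the comparison follows dpkg's rules (epoch first, then upstream, then Debian revision, with `~` sorting below everything), a local rebuild such as `4.92-8+deb10u6~local1` is correctly reported as still below the fix, and a later `deb10u7` as above it.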


How to upgrade the packages:

a. You should run the following command:
> # apt-get update

b. Check whether the "fixed" version is available for your Debian release:
> # apt-cache policy exim4


c. If so, upgrade all the exim4* packages listed in step 2 above,
for example:
> root@spce:/var/sipwise# dpkg -l "*exim*" | grep ^ii
> ii  exim4                  4.92-8+deb10u4 all          metapackage to ease Exim MTA (v4) installation
> ii  exim4-base             4.92-8+deb10u4 amd64        support files for all Exim MTA (v4) packages
> ii  exim4-config           4.92-8+deb10u4 all          configuration for the Exim MTA (v4)
> ii  exim4-daemon-light     4.92-8+deb10u4 amd64        lightweight Exim MTA (v4) daemon


In this case you should run the following (the --force-confold option
keeps your existing configuration files instead of replacing them with
the package defaults):
> # apt-get -o Dpkg::Options::=--force-confold install exim4 exim4-base exim4-config exim4-daemon-light
> # service exim4 restart


You can safely upgrade the exim4 packages during peak hours: the upgrade
does not affect call handling, so call functionality and features remain
intact.

-- 
Alex Lutay


