Bug 1836362 (CVE-2020-12783)

Summary: CVE-2020-12783 exim: out-of-bounds read in the SPA authenticator can lead to SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: bennie.joubert, dwmw2, jskarvad, mbenatto, tremble
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: exim 4.94
Doc Text:
A flaw was found in exim in versions through 4.93. An out-of-bounds memory read in the SPA authenticator was found that could result in a SPA/NTLM authentication bypass. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2020-05-20 21:19:23 UTC
Bug Depends On: 1836363, 1836364    
Bug Blocks: 1836365    

Description Guilherme de Almeida Suckevicz 2020-05-15 17:22:03 UTC
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.

Reference:
https://bugs.exim.org/show_bug.cgi?id=2571

Upstream commits:
https://git.exim.org/exim.git/commit/57aa14b216432be381b6295c312065b2fd034f86
https://git.exim.org/exim.git/commit/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0

Comment 1 Guilherme de Almeida Suckevicz 2020-05-15 17:22:22 UTC
Created exim tracking bugs for this issue:

Affects: epel-all [bug 1836364]
Affects: fedora-all [bug 1836363]

Comment 6 Todd Cullum 2020-05-20 20:03:00 UTC
Statement:

This flaw does not affect Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, or Red Hat Enterprise Linux 8.

Comment 7 Product Security DevOps Team 2020-05-20 21:19:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12783