Bug 705446 (CVE-2011-1407) - CVE-2011-1407 exim: arbitrary code execution via improper DKIM signature matching
Summary: CVE-2011-1407 exim: arbitrary code execution via improper DKIM signature matc...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-1407
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 702475 705448
Blocks:
Reported: 2011-05-17 17:52 UTC by Vincent Danen
Modified: 2021-02-24 15:27 UTC
CC List: 5 users

Fixed In Version: exim 4.76
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-15 17:07:48 UTC
Embargoed:



Description Vincent Danen 2011-05-17 17:52:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1407 to
the following vulnerability:

Name: CVE-2011-1407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1407
Assigned: 20110310
Reference: https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html
Reference: https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html
Reference: http://www.securityfocus.com/bid/47836

The DKIM implementation in Exim 4.7x before 4.76 permits matching for
DKIM identities to apply to lookup items, instead of only strings,
which allows remote attackers to execute arbitrary code or access a
filesystem via a crafted identity.


Statement:

Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.
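
The CVE text above says the 4.7x DKIM code let identities taken from a message be matched as list/lookup items instead of plain strings. The Python below is an added illustrative example; it is not Exim's code and not the receive.c patch referenced in comment 3. It reproduces that bug class with a toy Exim-style list matcher (`lsearch;FILE` lookup items, `*` wildcards and literals) and a small DKIM-Signature tag parser, then runs the vulnerable and the corrected matching direction side by side. The crafted header, the temporary file, the function names and the `lookups_allowed` flag are all constructed for the example; it shows only the file-access consequence named in the CVE text, not any code-execution path.

```python
import os
import re
import tempfile
from typing import Dict, List

# Paths opened by the lookup code, so a caller (or test) can observe the side effect.
OPENED_FILES: List[str] = []


def dkim_qp_decode(value: str) -> str:
    """Decode RFC 6376 dkim-quoted-printable: drop folding whitespace, expand '=XX' hex escapes."""
    value = "".join(value.split())
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_dkim_signature(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag list ('tag=value; tag=value') into a dict."""
    tags: Dict[str, str] = {}
    for field in header_value.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def signing_identity(tags: Dict[str, str]) -> str:
    """Identity a verifier reports: the i= tag (qp-decoded), otherwise '@' + d=."""
    if "i" in tags:
        return dkim_qp_decode(tags["i"])
    return "@" + tags.get("d", "")


def lsearch(path: str, key: str) -> bool:
    """Exim-style 'lsearch': linear search of a 'key: value' file for key (toy version)."""
    OPENED_FILES.append(path)
    with open(path, encoding="utf-8") as fh:
        return any(line.split(":", 1)[0].strip() == key for line in fh)


def match_item(subject: str, item: str, lookups_allowed: bool) -> bool:
    """One list item: a lookup ('lsearch;FILE'), a wildcard ('*.example') or a literal."""
    if item.startswith("lsearch;") and lookups_allowed:
        return lsearch(item[len("lsearch;"):], subject)
    if item.startswith("*"):
        return subject.endswith(item[1:])
    return subject == item  # string-only comparison: lookup syntax is just bytes here


def match_isinlist(subject: str, colon_list: str, lookups_allowed: bool = True) -> bool:
    """Match subject against a colon-separated list (Exim's default list separator)."""
    items = [i.strip() for i in colon_list.split(":") if i.strip()]
    return any(match_item(subject, item, lookups_allowed) for item in items)


def verify_signers_vulnerable(identities: List[str], dkim_verify_signers: str) -> List[str]:
    """The bug class: message-derived identities form the LIST, so a crafted
    identity is interpreted as a lookup item and acted upon."""
    untrusted_list = ":".join(identities)
    return [s.strip() for s in dkim_verify_signers.split(":")
            if match_isinlist(s.strip(), untrusted_list)]


def verify_signers_fixed(identities: List[str], dkim_verify_signers: str) -> List[str]:
    """Each untrusted identity is the SUBJECT of the match; only the operator's
    configured list may carry lookup or wildcard items."""
    return [i for i in identities if match_isinlist(i, dkim_verify_signers)]


def demo() -> Dict[str, object]:
    """Run both matchers on a constructed crafted header; report what each one opened."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8")
    tmp.write("secret-key: hunter2\n")
    tmp.close()
    # Constructed header: i= is dkim-quoted-printable, so '=3B' is a ';' inside the identity.
    crafted = "v=1; a=rsa-sha256; d=example.org; s=sel; i=lsearch=3B" + tmp.name + "; h=from:to"
    identity = signing_identity(parse_dkim_signature(crafted))
    configured = "@example.org : *.example.net"  # operator-controlled dkim_verify_signers analogue
    try:
        OPENED_FILES.clear()
        verify_signers_vulnerable([identity], configured)
        opened_by_vulnerable = list(OPENED_FILES)
        OPENED_FILES.clear()
        verified = verify_signers_fixed([identity], configured)
        opened_by_fixed = list(OPENED_FILES)
    finally:
        os.unlink(tmp.name)
    return {"identity": identity, "opened_by_vulnerable": opened_by_vulnerable,
            "opened_by_fixed": opened_by_fixed, "verified_by_fixed": verified}


if __name__ == "__main__":
    print(demo())
```

In the vulnerable direction the crafted identity opens the file once per configured signer; in the fixed direction it is compared as an opaque string and never matches. Passing `lookups_allowed=False` is the belt-and-braces variant for any code path where untrusted data must still be walked as a list.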

Comment 1 Vincent Danen 2011-05-17 17:53:18 UTC
Created exim tracking bugs for this issue

Affects: fedora-all [bug 702475]

Comment 2 Vincent Danen 2011-05-17 17:54:09 UTC
Created exim tracking bugs for this issue

Affects: epel-6 [bug 705448]

Comment 3 Vincent Danen 2012-08-10 18:41:15 UTC
Fedora has 4.76 in all supported versions which fixed this flaw, but EPEL6 does not and is vulnerable.

See https://bugzilla.redhat.com/show_bug.cgi?id=702474#c5 for the details on how the wrong CVE name was used in the patch, so while the package implies it fixed this flaw, it did in fact not fix it.

Also, based on:

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1407.html

the fix in git is here:

http://git.exim.org/exim.git/blobdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8..ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5:/src/src/receive.c

Comment 4 Upen 2013-02-06 15:45:13 UTC
Is this issue also present in postfix-2.6.6-2.2.el6_1.x86_64 on RHEL 6? I received an email from our nessus scanner.

Date: Wed, 11 May 2011 08:18:46 -0500
Message-ID: <BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Subject: nessus exim_4_76.nasl
From: <nobody>
To: <postmaster@[a.b.c.d]>
Content-Type: multipart/alternative; boundary=001b24be1bac9c498e04a2ffe9de

raajQ5BfWw27J8Rfer

Comment 5 Vincent Danen 2013-02-06 18:24:23 UTC
Seems that according to http://www.scip.ch/en/?nasldb.53856 you need to be looking in your logs:

NASLDB: Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String
[...]
Summary: Tries to trigger a logging error with a specially crafted message

Did you see this logging error?  I don't think an email is an indication of a vulnerability.

See also: http://www.tenable.com/plugins/index.php?view=single&id=53856

This issue, as far as we know, is specific to Exim.  There have been no reports or reason to believe postfix is affected.

Comment 6 Upen 2013-02-08 15:43:21 UTC
Thanks, Vincent, for that information. Sorry, I didn't get an update email from bugzilla (or did I miss it? :/), hence the delay in response.

Here is the log; I don't see the DKIM logging error message you mentioned.

Feb  6 08:27:21 emailserver_hostname dovecot: imap-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS: SSL_read() syscall failed: Connection reset by peer
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: 1CCBE600F3: client=nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 1CCBE600F3: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 1CCBE600F3: from=<nobody>, size=1855, nrcpt=1 (queue active)
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Connect from local
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: master in: USER#0111#011mailroot.com#011service=lmtp
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(mailroot): user search: base=ou=People,dc=ece,dc=iit scope=subtree filter=(&(objectClass=mailRecipient)(uid=mailroot)) fields=uidNumber,gidNumber,mailquota
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(mailroot): result: uidNumber(uid)=102 gidNumber(gid)=400 mailquota(quota_rule=*:bytes=%$)=*:bytes=1000M
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: master out: USER#0111#011mailroot#011uid=102#011gid=400#011quota_rule=*:bytes=1000M#011home=/mail/mailroot
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after HELO from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694, mailroot): ykzVCEloElFuDgAAzASPFQ: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: saved mail to INBOX
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Disconnect from local: Client quit
Feb  6 08:27:21 emailserver_hostname postfix/lmtp[3693]: 1CCBE600F3: to=<mailroot.com>, orig_to=<postmaster@[email_server_IP]>, relay=emailserver_hostname.my.domain.com[/var/run/dovecot/lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <mailroot.com> ykzVCEloElFuDgAAzASPFQ Saved)
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Connect from local
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: master in: USER#0112#011myusername.com#011service=lmtp
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(myusername): user search: base=ou=People,dc=ece,dc=iit scope=subtree filter=(&(objectClass=mailRecipient)(uid=myusername)) fields=uidNumber,gidNumber,mailquota
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(myusername): result: uidNumber(uid)=706 gidNumber(gid)=300
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: master out: USER#0112#011myusername#011uid=706#011gid=300#011home=/mail/ugandhi
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: stored mail into mailbox 'INBOX'
Feb  6 08:27:21 emailserver_hostname postfix/pickup[7856]: 328BA600FA: uid=706 from=<nobody>
Feb  6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 328BA600FA: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: forwarded to <A.B>
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 328BA600FA: from=<nobody>, size=2212, nrcpt=1 (queue active)
Feb  6 08:27:21 emailserver_hostname postfix/pickup[7856]: 36B35600FC: uid=706 from=<nobody>
Feb  6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 36B35600FC: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: forwarded to <myusername>
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 36B35600FC: from=<nobody>, size=2212, nrcpt=1 (queue active)
Feb  6 08:27:21 emailserver_hostname postfix/lmtp[3693]: 1CCBE600F3: to=<myusername.com>, orig_to=<postmaster@[email_server_IP]>, relay=emailserver_hostname.my.domain.com[/var/run/dovecot/lmtp], delay=0.11, delays=0.02/0/0.05/0.04, dsn=2.0.0, status=sent (250 2.0.0 <myusername.com> zkzVCEloElFuDgAAzASPFQ Saved)
Feb  6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Disconnect from local: Client quit
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 1CCBE600F3: removed
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: auth client connected (pid=3712)
Feb  6 08:27:21 emailserver_hostname dovecot: imap-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Feb  6 08:27:21 emailserver_hostname dovecot: auth: Debug: auth client connected (pid=3713)
Feb  6 08:27:21 emailserver_hostname dovecot: pop3-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtpd[2482]: setting up TLS connection from nessus_hostname[nessus_IP]
Feb  6 08:27:21 emailserver_hostname postfix/smtp[3709]: 328BA600FA: to=<A.B>, relay=gmail-smtp-in.l.google.com[74.125.133.26]:25, delay=0.28, delays=0.01/0/0.06/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1360160841 b13si1077252igq.6 - gsmtp)
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 328BA600FA: removed
Feb  6 08:27:21 emailserver_hostname postfix/smtp[3711]: 36B35600FC: to=<myusername>, relay=spamblock-1.domain.com[216.47.143.127]:25, delay=0.36, delays=0.01/0/0.05/0.3, dsn=2.0.0, status=sent (250 Ok: queued as 5A1C733E0E63)
Feb  6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 36B35600FC: removed
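
Comment 5 makes the practical point: the scanner's probe message landing in a mailbox proves nothing by itself; what matters is which MTA handled it and what it logged. The Python below is an added example, not from the thread, from Nessus or from Red Hat, that correlates a Message-ID with the Postfix queue ids cleanup(8) assigned to it and lists the daemons and per-recipient delivery statuses involved, so a postmaster can see at a glance that the probe was simply accepted and delivered by Postfix and that no Exim process touched it. The sample log is constructed from the lines in comment 6 with placeholder hosts and addresses; the regexes assume the standard syslog-style Postfix log format seen above. The Exim log message the plugin watches for is not reproduced here, because the thread does not quote it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, modelled on the postfix lines posted in comment 6; hosts and
# addresses are documentation placeholders, the message-id is the scanner's.
SAMPLE_LOG = """\
Feb  6 08:27:21 mx postfix/smtpd[2482]: connect from scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/smtpd[2482]: lost connection after CONNECT from scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/smtpd[2482]: disconnect from scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/smtpd[2482]: connect from scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/smtpd[2482]: 1CCBE600F3: client=scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/cleanup[3691]: 1CCBE600F3: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb  6 08:27:21 mx postfix/qmgr[6687]: 1CCBE600F3: from=<nobody>, size=1855, nrcpt=1 (queue active)
Feb  6 08:27:21 mx postfix/smtpd[2482]: disconnect from scanner.example[192.0.2.10]
Feb  6 08:27:21 mx postfix/lmtp[3693]: 1CCBE600F3: to=<mailroot@mx.example>, orig_to=<postmaster@[198.51.100.5]>, relay=mx.example[/var/run/dovecot/lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 Saved)
Feb  6 08:27:21 mx postfix/qmgr[6687]: 1CCBE600F3: removed
"""

# "Mon DD HH:MM:SS host program[pid]: message"; the pid is optional (dovecot lines lack it).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Postfix prefixes every per-message line with the hex queue id.
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
DELIVERY_RE = re.compile(r"to=<([^>]*)>.*?status=(\w+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog-style mail log line into timestamp, host, program, pid, message."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def queue_ids_for(log_lines: List[str], message_id: str) -> List[str]:
    """Queue ids that cleanup(8) associated with the given Message-ID, in log order."""
    ids: List[str] = []
    needle = "message-id=<%s>" % message_id
    for rec in filter(None, map(parse_line, log_lines)):
        q = QUEUE_RE.match(rec["msg"])
        if q and needle in q.group("rest") and q.group("qid") not in ids:
            ids.append(q.group("qid"))
    return ids


def trace(log_lines: List[str], message_id: str) -> dict:
    """Follow the message through every queue id: who submitted it, which daemons
    touched it, and the per-recipient delivery status."""
    qids = queue_ids_for(log_lines, message_id)
    report: dict = {"queue_ids": qids, "client": None, "programs": [], "recipients": []}
    for rec in filter(None, map(parse_line, log_lines)):
        q = QUEUE_RE.match(rec["msg"])
        if not q or q.group("qid") not in qids:
            continue
        rest = q.group("rest")
        if rec["prog"] not in report["programs"]:
            report["programs"].append(rec["prog"])
        if rest.startswith("client="):
            report["client"] = rest[len("client="):]
        d = DELIVERY_RE.search(rest)
        if d:
            report["recipients"].append((d.group(1), d.group(2)))
    # The question in this thread: did any Exim process ever see the probe?
    report["exim_involved"] = any(p.startswith("exim") for p in report["programs"])
    return report


if __name__ == "__main__":
    print(trace(SAMPLE_LOG.splitlines(), "BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org"))
```

Run it against the real maillog with the Message-ID from the scanner's email; a report whose `programs` are all `postfix/*` and whose recipients are `sent` is the ordinary delivery of a test message, not evidence of the Exim flaw.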

