Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1407 to the following vulnerability:

Name: CVE-2011-1407
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1407
Assigned: 20110310
Reference: https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html
Reference: https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html
Reference: http://www.securityfocus.com/bid/47836

The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.

Statement: Not vulnerable. This issue did not affect the versions of exim as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for DKIM.
Created exim tracking bugs for this issue Affects: fedora-all [bug 702475]
Created exim tracking bugs for this issue Affects: epel-6 [bug 705448]
Fedora has 4.76 in all supported versions which fixed this flaw, but EPEL6 does not and is vulnerable. See https://bugzilla.redhat.com/show_bug.cgi?id=702474#c5 for the details on how the wrong CVE name was used in the patch, so while the package implies it fixed this flaw, it did in fact not fix it.

Also, based on: http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1407.html the fix in git is here:
http://git.exim.org/exim.git/blobdiff/337e3505b0e6cd4309db6bf6062b33fa56e06cf8..ae9094bfe313aeb9ffefc7566bd4dae49ada3cf5:/src/src/receive.c
Is this issue also present in postfix-2.6.6-2.2.el6_1.x86_64 on RHEL 6? I received an email from our nessus scanner.

Date: Wed, 11 May 2011 08:18:46 -0500
Message-ID: <BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Subject: nessus exim_4_76.nasl
From: <nobody>
To: <postmaster@[a.b.c.d]>
Content-Type: multipart/alternative; boundary=001b24be1bac9c498e04a2ffe9de raajQ5BfWw27J8Rfer
Seems that according to http://www.scip.ch/en/?nasldb.53856 you need to be looking in your logs:

NASLDB: Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String
[...]
Summary: Tries to trigger a logging error with a specially crafted message

Did you see this logging error? I don't think an email is an indication of a vulnerability. See also: http://www.tenable.com/plugins/index.php?view=single&id=53856

This issue, as far as we know, is specific to Exim. There have been no reports or reason to believe postfix is affected.
Thanks Vincent for that information. Sorry, I didn't get the update email from Bugzilla (or did I miss it? :/), hence the delay in response. Here is the log; I don't see the DKIM logging error message you mentioned.

Feb 6 08:27:21 emailserver_hostname dovecot: imap-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS: SSL_read() syscall failed: Connection reset by peer
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after CONNECT from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: 1CCBE600F3: client=nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 1CCBE600F3: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 1CCBE600F3: from=<nobody>, size=1855, nrcpt=1 (queue active)
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Connect from local
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: master in: USER#0111#011mailroot.com#011service=lmtp
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(mailroot): user search: base=ou=People,dc=ece,dc=iit scope=subtree filter=(&(objectClass=mailRecipient)(uid=mailroot)) fields=uidNumber,gidNumber,mailquota
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(mailroot): result: uidNumber(uid)=102 gidNumber(gid)=400 mailquota(quota_rule=*:bytes=%$)=*:bytes=1000M
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: master out: USER#0111#011mailroot#011uid=102#011gid=400#011quota_rule=*:bytes=1000M#011home=/mail/mailroot
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: lost connection after HELO from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: disconnect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694, mailroot): ykzVCEloElFuDgAAzASPFQ: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: saved mail to INBOX
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Disconnect from local: Client quit
Feb 6 08:27:21 emailserver_hostname postfix/lmtp[3693]: 1CCBE600F3: to=<mailroot.com>, orig_to=<postmaster@[email_server_IP]>, relay=emailserver_hostname.my.domain.com[/var/run/dovecot/lmtp], delay=0.07, delays=0.02/0/0.01/0.03, dsn=2.0.0, status=sent (250 2.0.0 <mailroot.com> ykzVCEloElFuDgAAzASPFQ Saved)
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Connect from local
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: master in: USER#0112#011myusername.com#011service=lmtp
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(myusername): user search: base=ou=People,dc=ece,dc=iit scope=subtree filter=(&(objectClass=mailRecipient)(uid=myusername)) fields=uidNumber,gidNumber,mailquota
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: ldap(myusername): result: uidNumber(uid)=706 gidNumber(gid)=300
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: master out: USER#0112#011myusername#011uid=706#011gid=300#011home=/mail/ugandhi
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: stored mail into mailbox 'INBOX'
Feb 6 08:27:21 emailserver_hostname postfix/pickup[7856]: 328BA600FA: uid=706 from=<nobody>
Feb 6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 328BA600FA: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: forwarded to <A.B>
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 328BA600FA: from=<nobody>, size=2212, nrcpt=1 (queue active)
Feb 6 08:27:21 emailserver_hostname postfix/pickup[7856]: 36B35600FC: uid=706 from=<nobody>
Feb 6 08:27:21 emailserver_hostname postfix/cleanup[3691]: 36B35600FC: message-id=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694, myusername): zkzVCEloElFuDgAAzASPFQ: sieve: msgid=<BANLkTik2OMre+tACnsPJeLCiuMnigs4NCA.org>: forwarded to <myusername>
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 36B35600FC: from=<nobody>, size=2212, nrcpt=1 (queue active)
Feb 6 08:27:21 emailserver_hostname postfix/lmtp[3693]: 1CCBE600F3: to=<myusername.com>, orig_to=<postmaster@[email_server_IP]>, relay=emailserver_hostname.my.domain.com[/var/run/dovecot/lmtp], delay=0.11, delays=0.02/0/0.05/0.04, dsn=2.0.0, status=sent (250 2.0.0 <myusername.com> zkzVCEloElFuDgAAzASPFQ Saved)
Feb 6 08:27:21 emailserver_hostname dovecot: lmtp(3694): Disconnect from local: Client quit
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 1CCBE600F3: removed
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: auth client connected (pid=3712)
Feb 6 08:27:21 emailserver_hostname dovecot: imap-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Feb 6 08:27:21 emailserver_hostname dovecot: auth: Debug: auth client connected (pid=3713)
Feb 6 08:27:21 emailserver_hostname dovecot: pop3-login: Disconnected (no auth attempts): rip=nessus_IP, lip=email_server_IP, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: connect from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtpd[2482]: setting up TLS connection from nessus_hostname[nessus_IP]
Feb 6 08:27:21 emailserver_hostname postfix/smtp[3709]: 328BA600FA: to=<A.B>, relay=gmail-smtp-in.l.google.com[74.125.133.26]:25, delay=0.28, delays=0.01/0/0.06/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1360160841 b13si1077252igq.6 - gsmtp)
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 328BA600FA: removed
Feb 6 08:27:21 emailserver_hostname postfix/smtp[3711]: 36B35600FC: to=<myusername>, relay=spamblock-1.domain.com[216.47.143.127]:25, delay=0.36, delays=0.01/0/0.05/0.3, dsn=2.0.0, status=sent (250 Ok: queued as 5A1C733E0E63)
Feb 6 08:27:21 emailserver_hostname postfix/qmgr[6687]: 36B35600FC: removed
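The two checks the thread converges on (is the listening MTA actually Exim in the affected 4.7x-before-4.76 range, and do the logs show any Exim DKIM activity at all) can be scripted. The following Python is an added example written for this page, not code from Red Hat, Exim or the Nessus plugin. Its sample log is constructed, modelled on the Postfix/Dovecot lines posted above, with one hypothetical Exim line appended so that branch is exercised; it assumes Exim logs via syslog as `exim[pid]:` and that its DKIM verification lines contain the token `DKIM`, and it reads the version from strings such as an RPM name or the first line of `exim -bV`.

```python
"""Triage helper for CVE-2011-1407 (Exim 4.7x before 4.76, DKIM identity lookup flaw).

Check 1: is the MTA that is logging here Exim, and is its version in the affected range?
Check 2: are there any Exim DKIM verification events in the log at all?
"""
import re
from collections import Counter

# Constructed sample log: Postfix/Dovecot lines modelled on the ones in this bug,
# plus one hypothetical Exim DKIM line (host "mx2") to exercise the Exim branch.
SAMPLE_LOG = """\
Feb  6 08:27:21 mailhost dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.10, lip=192.0.2.1, TLS: SSL_read() syscall failed: Connection reset by peer
Feb  6 08:27:21 mailhost postfix/smtpd[2482]: connect from scanner.example.net[192.0.2.10]
Feb  6 08:27:21 mailhost postfix/smtpd[2482]: lost connection after CONNECT from scanner.example.net[192.0.2.10]
Feb  6 08:27:21 mailhost postfix/smtpd[2482]: 1CCBE600F3: client=scanner.example.net[192.0.2.10]
Feb  6 08:27:21 mailhost postfix/qmgr[6687]: 1CCBE600F3: from=<nobody>, size=1855, nrcpt=1 (queue active)
Feb  6 08:27:22 mx2 exim[4242]: 1Rq0Xa-0001Yx-2g DKIM: d=example.org s=sel c=relaxed/relaxed a=rsa-sha256 [verification failed - signature did not verify]
"""

# Classic syslog layout: "<Mon DD HH:MM:SS> <host> <prog>[pid]: <msg>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_line(line):
    """Split one syslog-style line into fields; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def mta_inventory(log_text):
    """Count lines per daemon family: 'postfix/smtpd' and 'postfix/qmgr' both count as 'postfix'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["prog"].split("/")[0]] += 1
    return counts


def exim_dkim_events(log_text):
    """Heuristic (assumption): Exim syslog lines whose message mentions DKIM."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"].split("/")[0] == "exim" and "dkim" in rec["msg"].lower():
            hits.append(rec["msg"])
    return hits


def parse_version(text):
    """Major/minor from '4.72', 'exim-4.72-2.el6' or 'Exim version 4.72 #1 built ...'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return int(m.group(1)), int(m.group(2))


def is_affected(version_text):
    """CVE-2011-1407 affects Exim 4.7x before 4.76, i.e. 4.70 <= version < 4.76."""
    v = parse_version(version_text)
    return (4, 70) <= v < (4, 76)


def triage(log_text, exim_version=None):
    """Combine both checks into one verdict; version_affected is None when no version is given."""
    inv = mta_inventory(log_text)
    return {
        "daemons": dict(inv),
        "exim_logging": inv.get("exim", 0) > 0,
        "dkim_events": exim_dkim_events(log_text),
        "version_affected": is_affected(exim_version) if exim_version else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, "Exim version 4.72 #1 built 01-Jan-2011"), indent=2))
```

On the log posted in this bug, `mta_inventory` would report only `postfix` and `dovecot` and `exim_dkim_events` would be empty, which is the point Vincent makes: a scanner e-mail arriving in a Postfix mailbox is not evidence that an Exim DKIM code path ran. The version check is the complementary step for an EPEL6 host, since that package reported the fix under the wrong CVE name.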