{"id":773,"date":"2021-07-23T12:37:48","date_gmt":"2021-07-23T12:37:48","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/cve-2017-16943-and-cve-2017-16944-exim\/"},"modified":"2021-07-23T12:37:48","modified_gmt":"2021-07-23T12:37:48","slug":"cve-2017-16943-and-cve-2017-16944-exim","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/cve-2017-16943-and-cve-2017-16944-exim\/","title":{"rendered":"CVE 2017 16943 and CVE 2017 16944 Exim"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Background Information<\/h2>\n

On Friday, November 24 2017, Exim announced two vulnerabilities in versions 4.88 and later.<\/p>\n

Impact<\/h2>\n

According to Exim development: \u201cA remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice).\u201d<\/p>\n

The vulnerability exists in the ESMTP CHUNKING extension, and an additional DoS vulnerability exists in the same subsystem. On supported cPanel & WHM versions, chunking_advertise_hosts is set to an un-routable IP address by default. That technique appears to prevent the remote exploitation of the vulnerabilities.<\/p>\n

On further investigation, we became concerned that local users may still be able to abuse this configuration. Accordingly, we published an autofixer on Monday, November 27 2017, to fully disable chunking support in Exim. This would have run during Monday\u2019s nightly maintenance, and can be confirmed by running the following as root via SSH:\n<\/p>\n

\n
\/scripts\/<\/span>autorepair exim_disable_chunking<\/code><\/pre>\n<\/div>\n
Releases<\/h2>\n
The following versions of cPanel & WHM were patched to have the correct version of Exim.<\/p>\n
    \n
  • \n
    68 \u2014 68.0.20<\/p>\n<\/li>\n
  • \n
    62 \u2014 62.0.36<\/p>\n<\/li>\n
  • \n
    EDGE \u2014 68.0.20<\/p>\n<\/li>\n
  • \n
    CURRENT \u2014 68.0.20<\/p>\n<\/li>\n
  • \n
    RELEASE \u2014 68.0.20<\/p>\n<\/li>\n
  • \n
    STABLE \u2014 68.0.20<\/p>\n<\/li>\n<\/ul>\n
    How to determine if your server is up to date<\/h2>\n
    The updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for this changelog entry with the following command: <\/p>\n
    \n
    rpm -<\/span>q --changelog <\/span>exim |<\/span> grep CVE-<\/span>2017<\/span>-<\/span>16943<\/span><\/code><\/pre>\n<\/div>\n
    The output should resemble below: <\/p>\n
    \n
    -<\/span> Applied patch for<\/span> CVE-<\/span>2017<\/span>-<\/span>16943<\/span> and<\/span> CVE-<\/span>2017<\/span>-<\/span>16944<\/span><\/code><\/pre>\n<\/div>\n
    What to do if you are not up to date<\/h2>\n
    If your server is not running one of the above versions, update immediately.<\/p>\n
    To upgrade your server, use WHM\u2019s Upgrade to Latest Version<\/em> interface (WHM >> Home >> cPanel >> Upgrade to Latest Version<\/em>).<\/p>\n
    Alternatively, you can run the below commands to upgrade your server from the command line: <\/p>\n
    \n
    \n\n\n
    \n
    1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
    		\n
    \/<\/span>scripts<\/span>\/<\/span>upcp<\/span>\n\/<\/span>scripts<\/span>\/<\/span>check_cpanel_rpms<\/span> --<\/span>fix<\/span> --<\/span>long<\/span>-<\/span>list<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
    Verify the new Exim RPM was installed: <\/p>\n
    \n
    rpm -<\/span>q --changelog <\/span>exim |<\/span> grep CVE-<\/span>2017<\/span>-<\/span>16943<\/span><\/code><\/pre>\n<\/div>\n
    The output should resemble below: <\/p>\n
    \n
    -<\/span> Applied patch for<\/span> CVE-<\/span>2017<\/span>-<\/span>16943<\/span> and<\/span> CVE-<\/span>2017<\/span>-<\/span>16944<\/span><\/code><\/pre>\n<\/div>\n
    Workarounds<\/h2>\n
    As stated above: you may completely disable chunking support in Exim. To do this, run the following command as root via SSH: <\/p>\n
    \n
    \/scripts\/<\/span>autorepair exim_disable_chunking<\/code><\/pre>\n<\/div>\n
    Additional Information<\/h2>\n
      \n
    • \n
      https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-16943<\/p>\n<\/li>\n
    • \n
      https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-16944<\/p>\n<\/li>\n
    • \n
      https:\/\/lists.exim.org\/lurker\/message\/20171125.034842.d1d75cac.en.html<\/p>\n<\/li>\n<\/ul>\n
      If you are still experiencing issues or need additional help, contact cPanel support.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
      Background Information On Friday, November 24 2017, Exim announced two vulnerabilities in versions 4.88 and later. Impact According to Exim development: \u201cA remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice).\u201d The vulnerability exists in the ESMTP CHUNKING extension, and an additional DoS vulnerability exists …<\/p>\n","protected":false},"author":1,"featured_media":774,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/773"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=773"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/773\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/774"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}