21 nails in Exim mail server: Vulnerabilities enable 'full remote unauthenticated code execution', millions of boxes at risk Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server." Exim is a mail transfer agent (MTA), responsible for receiving and forwarding email messages. It runs …
Well maybe I shouldn't be shocked, but I am still. Not at the security issue but looking at that MX server survey I had no idea that Exim and Postfix combined had that high of a market share, and that Sendmail was at 40% ~15 years ago and is now at under 4%. I really expected nobody to have more than say 20-25% market share. Personally I have been using Postfix since about 2001 I think. It was suggested to me for a anti virus solution I was looking to deploy at the time and just haven't had a need to look at anything else.
I went off to look at sendmail.org, and wow they are old school(except they seem to be operating under the "ProofPoint" brand not sure when that happened), just read the stuff under the "Contact us" section. Also it's the first reference to a FTP server I have seen on a website in a long time(I have nothing against ftp myself other than it is funky to work through firewalls).
I still prefer text email myself and my personal email server does strip html off of incoming emails automatically which can sometimes make things difficult (and in very rare occasions impossible as in the entire message is empty) to read. But it certainly brings back memories of an earlier era(an era that was much more fun for me computing wise anyway).
For work my org uses office 365 (and hosted exchange at rack space prior), MS introduced breaking changes in the OWA client which I use for most of my mail which makes text based email composing impossible. Reported it almost 2 years ago and last I checked it was still broken (the behavior being new line characters are broken making the entire email be one long line, in many cases totally unreadable. Message is fine in the "outbox" and only gets mangled once it gets beyond that level).
Sendmail is the built-in for FreeBSD. I got used to its quirks and it's still supported for integration with other e-mail related things (like Cyrus IMAP), at least last time I integrated the two - which has been a while, yeah.
Exim runs by default on Debian derivatives as well, last I checked. Since it listens locally by default, it's probably not a problem unless you open up the listening ports for LAN or (worse) Internet access.
(verified, Devuan recent distro running exim4, listening port 25 only on 127.0.0.1 and ::1, default out of the box config for mail as I recall)
"Sendmail was at 40% ~15 years ago and is now at under 4%"
Because it's awfully unreliable for what the world wants to use email for now.
cPanel and WHM use Exim, how fast did they patch this? Unbelievable. Just goes to show how we rely on all this software and it could be the weakest link in the chain.
> [sendmail is] awfully unreliable for what the world wants to use email for now.
Spam? Phishing? HTML?
I have a meh-hate relationship with Sendmail. Learnt it well enough at university to teach the Sun3's and similar old kit how to be a null-client and send everything along to smarthost for handling. And just enough beyond that to be dangerous with the smarthost's .cf file -- not even the .mc routine back then.
Since those days gone by I still run a few sendmail configs on the FreeBSD's I have, as noted upthread it's what they came with so I just kept doing it. They're pretty trouble-free, but admittedly not heavily loaded.
I too am surprised at 4%, almost enough to make me doubt the accuracy. But when major Linuxes don't default to it, it follows that sendmail will drop off for postfix and exim.
Suppose I should have a look at postfix configs on one of my MX servers and bone up, if only for the sake of my CV and future job prospects.
Sendmail represented everything that was wrong about service daemons. Permanently insecure, bizarrely complex to configure and with tentacles all throughout the OS. I know it dates from another era, more innocent times etc. but I still have servers to run. After the umpteenth security announcement I bit the bullet and switched to exim. Sounds like everyone else did too.
Todays announcement is what it is, but it's the first big one(*) I recall for exim so no regrets. It was every few months for sendmail. Glad it's gone.
Distribution preferences explain the prevalence of Exim and Postfix: most people go with the default.
Currently still dealing with fallout of Hafnium on from that disaster waiting to happen that is Exchange, which requires its own web server to work. We've tried hardening it but have to keep ActiveSync, Outlook Anywhere and OWA active. We've got problems with Outlook for Mac dropping the tunnel because it doesn't have the Windows-specific proxy options to enforce basic authentication. I've just signed off on the bill for the extra support. And there is no redress for all this shoddiness from Microsoft.
Give me a flawed open source mail server over this shit any time.
Holds up his bat boot on high and chants insane incarnations. Oh thee blasphemers, thine mta shalt not peer into thine packages, but only shove them by brute force if necessary, untu their destinations in a timely manner. Embrace the R$ and the L$ hold them high and let not thine mail queue.
--I'll get my my robe of the ancient dark arts..
Phew, dodged all those nasty Sendmail bullets!
And all because I run Postfix on all my computers including my Raspberry Pi.
Years back, when I was running Fedora 1, if it wasn't still RedHat 7.2, I tried to customise Sendmail by working from the O'Reilly Sendmail book. That most be the worst book they ever published, because an entire section was missing. That meant I couldn't get my head round Sendmail and, being too tight to buy another massive book, I ripped out Sendmail, dropped in Postfix and have never looked back.
So, when I bought my first RPi, naturally I slapped Postfix onto it, added the standard configuration I use on every machine except my house server. One reboot later and it 'just ran' and has continued to do so without any configuration changes despite successive upgrades from Wheezy to Buster.
Been using it since 1993 ish.
Just been and compiled and rolled out the new release. Ended up having to do a lot of reading and farting around.
Exim has copious documentation but it is really difficult to digest. Most of the problems today weren't with the compile, it was trying to find what I needed to do to the configuration file so that it would used de-tainted data.
What's de-tainted data ? I hear you all cry. In their wisdom the Exim developers decided that any data that could possibly come from the outside world was dangerous and couldn't be used directly in, for example the name of a file. Seems like a good plan but they didn't tell anybody they were doing this, they just rolled it out and mentioned it in the release notes (not even at the top of the release notes either). Consequently the mailing list was flooded with people screaming because their 'working for decades' configs suddenly stopped.
It's generally been accepted thet the exim devs could have handled the release better.
It's particularly galling that while the devs were busy looking at the tainted data splinter they missed the *()&ing planks that today's release is hopefully in mitigation of.
It does make me wonder what else they have missed and has dented my (and I suspect a lot of other postmastes) confidence in the product.
Mitigations [exist] to prevent this from being as bad as some may think. Unlike the recent Microsoft Exchange security issues which were mostly unavoidable, Exim doesn’t need to run as root in the first place and where it does, it is commonly confined by sysadmins using mandatory access controls anyway. Still, you’d think someone would have audited this critical code long before now....
Wietse Venema got a bee in his bonnet about the security shortfalls of Exim and encountered serious resistsance in getting it fixed
Having spent 20 years in British academia, I can understand his frustration and there's a VERY strong sentiment of using Exim "BECAUSE IT'S BRITISH", with security arguments being dismissed usually under the "not invented here" category
As for Sendmail. It's a swiss army knife written in days when mail needed to gateway in between many different network types - it works but the correct tool for any given job is preferably and simpler
Anon for bloody obvious reasons
We run a weird hybrid, where our email is officially Office365 but instead of allowing all internal servers access to the internet we have an exim mailer for all outgoing email that sorts the Office stuff to the cloud and the rest where it's supposed to go. The bonus in this case is that it's not addressable from the internet, as there's no reason it should be. So that's one British University still running exim, albeit in a limited fashion. (We only turned off the incoming exim hosts last year!)
That said, I just checked and the Debian hosts patched themselves either yesterday or today depending.
(Anon because I don't represent my employer in this case)
Philip Hazel retired years ago - Exim was at 3 something when he went and he's had nothing to do with it since.
Exim 4 has been pretty solid but it is getting unwieldy, it's configuration is arcane and idiosyncratic and it's documentation obtuse (never mind the quality - look how many pages we've got).
It's certainly suffered from feature creep.
I don't think the devs have anything to to be proud of really.
Even this emergency release, they mentioned a feature that turns off the taint checking but also said it's immediately deprecated and that feature isn't in the main release - you have to download a slightly different release '-fixes' which there isn't a tarball of on the main download server.
Alternatively you can download the previous 4.93-fixes stable (release without the tainting checks) that they have generously applied the patches to but again the tar files are not on the main site.
Yep, you have to pull a git release from the source repository to get those fixes - sigh :-(
I'm definitely thinking of an alternative now - Exim's credibility is at 0 now and I have a load of work to do because of how they have handled it - a comment from the mailing earlier mentioned they had been sitting on these bugs for 7 months.
They then go and release and publish and everybody is left running around like idiots hastily patching, rebuilding and fixing stuff. It will all end in tears.
I know it's not polite to criticise volunteer efforts but sometimes being too polite creates more trouble. If people had been more critical, Exim may not be in the mess it now is.
PH's book and courses were actually based on Exim 4 and he was doubtless still a benefit to that version before retiring.
Email not Exim is unwieldy. Hindsight is 20-20 but KISS should have been applied to email ages ago. The bad thing about standards is there are too many to choose from. Do we now need a new one though? Anyway Email was already too loose IMHO when PH began Exim. With nothing else capable Cambridge implemented it out of necessity and to PH's surprise I believe.
Despite this current big hassle Exim has been improved and gains strength from being free & open and having a structure more logical than its predecessor and a lot of other MTAs.
Btw C/C++ might not be the most secure in which to write a drop-in replacement MTA these days. Platform differences aside - anyone coding one in Rust? Only a light-hearted question as I don't have the skill or time myself. Rust does however look like being hugely safer and a good choice for new stuff - especially re. much needed security. (`c2rust' for Exim's source? - just a silly thought..)
Folks please don't sign your mail-flow over to be abused by evil empires - it will be locked-in and out of your reasonable control - plus bugs will be there too.
Yes, and who is doing the re-writing and bug-testing?
That is the problem with many bits of software, they are not terribly well written but attempts to re-invent them often introduce far more problems than fixing the old ones.
For some things you do have better, more secure, alternatives already in existence. But if you have a stable working system you are again facing the trade-off of fixing issues in a working arrangement and starting fresh with newer package(s), configuring them, testing that, fixing that, checking client compatibility, etc, etc.
[quote]It may be fast, but it's got too much potential for memory bugs. That should be a class of errors we shouldn't be having to deal with these days.[/quote]
That would be like throwing out the baby with the bath-water.
It's almost trivially easy to cobble up a few functions which wrap, extend or replace the library versions and make memory accesses unconditionally safe.
What's needed isn't a new language, it's sensible developers who keep an eye on security -- and management which takes the issues seriously enough to understand them.
Regrettably both seem to be in short supply.
Well it doesn't happen. Changing peoples behaviour isn't going to happen fast. I see it the same way assembly programmers complained about C, that they could do it better etc... and people just had to 'get it'.
I say if there's a technical fix, then use that. You can try to argue with the computer but it will still say no.
People aren't going to change anytime soon, nor are the various forces acting upon them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
