Exim off-by-one remote code execution
https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
You'll want to update Exim ...
Comments
By installing Postfix!
Does cPanel still use Exim exclusively?
Wouldn't bet too much on it. Both (original) authors were no idiots, but when coding in C, ugly things are just bound to happen. Off-by-one is one of the classical sins.
Who is using exim? And why?
Debian installs Exim by default, but does not provide an update (yet?) in the stable channel:
https://packages.debian.org/search?keywords=exim
I guess "stable" applies to security holes as well ...
The current version of Exim for Debian is patched for this issue; you can see it in the changelogs: http://metadata.ftp-master.debian.org/changelogs/main/e/exim4/exim4_4.89-2+deb9u3_changelog
That was almost a month ago ...
https://exim.org/static/doc/security/CVE-2018-6789.txt
Seems to match the timeline given here.
I love unattended-upgrades. All servers of mine already seem to have the patch.
That's the finest shit you can get; reminds me that a few days ago a company shipped updates for an eReader and bricked it; the updates applied automatically when WLAN was up.
It first killed the wlan hardware, then the rest.
Magnificent.
The cPanel stable branch is already protected against this vulnerability. Current version: exim-4.89.1-2.cp1162.x86_64. They simply didn't bump the version.
Test your cPanel server with the following command: rpm -q --changelog exim | grep CVE-2018-6789
It should return:
If not, yolo.
Not all auto-updates are the same. I only do it for security patches. Which, for Debian and the few years I have run them this way... hasn't had issues.
You are missing the point, that this shit is written by humans, and humans make mistakes.
Also connecting power plants to the internet, fucking idiots.
Correct, and that is why you have backups...
So @Neoon which debian update failed for you exactly?
PowerDNS, one updated destroyed a cluster, due to config changes pushed via security.
PowerDNS did not come up anymore after that.
Ouch. Point taken. Guess I am not a complete idiot for not running unattended upgrades after all, even if nothing of interest ever happened to me.
When was this?
A while ago, when MariaDB did not even exist; a few years at least.
Now, if you didn't have unattended-upgrades installed and just did apt-get update && apt-get upgrade would you have had the same issue?
Sure but with manual upgrades you have a higher chance of noticing that something got broken so at least in theory it should result in less downtime.
"In theory" ... and also in theory you could have had a lovely attacker compromise a system while your system went unpatched. In reality, neither option is perfect. They both have flaws. If you are in a business, you generally have fully staffed tech departments that run, check, and test updates then patch. However, for other things an automatic update can be beneficial.
For example:
Have you updated all your servers in the past 60 days or less?
How about your routers?
All your Internet of Things devices?
Your modem?
Your cell phone?
Your apps on your cell phone?
Your work station desktop?
How about the bios on your desktop?
... and so many more.
The massive amount of things that need updates, and need them frequently, is quickly growing. Having automation and tools that help you do that for you... is beneficial from a time-saving standpoint, and a security one.
However, yes... things sometimes go wrong. Just like a recent windows update at my work.
@Neoon simply disagrees by default @AlyssaD, I wouldn't argue much ;-)
Fully agreed.
Yes, I have. Still, 60 days is an awfully long time span, so that's not exactly hard to meet imo.
The one i have only gets patched when there is a remotely exploitable bug. And there wasn't any in this timespan.
My security plan for those is not getting any.
Don't think it's patchable.
See Internet of Things solution.
See above.
Admittedly that thing is a bit out of date. Thanks for reminding me :P
Why would I do that? It's working fine. I am not going to touch it.
Well, I think we can easily agree there are different approaches and, let's face it, when it comes to gadgets like phones and IoT stuff, security is illusionary anyway. By the time updates reach you it's too late anyway (as in weeks, months too late...), if there are any updates at all.
Words cannot describe how happy I am about not having to deal with this.
Edit: Note to self: Agreeing with @Neoon gets me into positions I don't really care for. Better not do it again.
Dom, the earth is round right? Where do I disagree then by default?
That explains a lot about yourself, on which level you are thinking.
If the dumbest assumable user goes and buys a router, then he just gets it, keeps it there, does not even touch it. Unlikely he is going to patch his Windows as well if it's not automated.
They just use the computer as tool, like a workbench.
I guess they do not even think about security.
Sure, then you want to have auto updates enabled by default, to make sure his stuff is patched.
But if you are able to administer your network/router/server, do you still want to enable auto updates? No.
Sure, you can use ansible, if the update is tested, and then go deploy it, but uncontrolled auto updates? Too risky.
If an update drops and bricks the hardware, you are fucked, yes.
Apropos Neoon:
@bsdguy OMG that picture made my day.
Did... @bsdguy just post a pic?!?!? Soon it'll be animated gifs...
In certain cases I agree. In other cases I disagree. Sometimes automatic updates can be beneficial when applied and used correctly. Would I do this on my core switch, no. Would I do this on my core network server, no. Would a small, unimportant discord bot for music.... yes. In certain applications automatic updates will do absolutely fine.