Bug#985243: exim4: incorrectly accepts certificates for CNAME targets

Jorrit Fahlke jorrit at jorrit.de
Mon Mar 15 00:09:05 GMT 2021


Package: exim4
Version: 4.92-8+deb10u4
Severity: important
Tags: fixed-upstream, security
Control: fixed -1 4.94-15

Dear Maintainer,

When Exim is configured to verify certificates against hostnames and hostname
resolution yields a CNAME, then Exim will verify the certificate against the
canonical name rather than the original hostname.

An attacker with control over the network (e.g. a rogue public wifi) can forge
CNAME records to point to a hostname under their control.  They can then
obtain a legitimate certificate for the host under their control, which Exim
will accept as valid for the host it intended to connect to.

The attacker can thus
- obtain cleartext of credentials the victim needs to connect to e.g. a
  smarthost
- read and manipulate mail text

Note that by default, Exim does opportunistic SSL for most connections,
allowing fallback to unencrypted connections.  For such connections there is no
expectation of any protection anyway, so this flaw is of little importance.
However, when exim is configured to deliver mail to a smarthost, such as when
setting dc_eximconfig_configtype='smarthost' or 'satellite', it makes sense to
also configure it to require encryption and successful certificate
verification for the connection to the smarthost.  Such configurations are
also likely to use credentials to authenticate against the smarthost, which
the attack described above can reveal.

This affects exim4 4.92-8+deb10u4 from Debian 10 (buster).  Upstream patched
this some time ago already, and the patch already has made it into Debian 11
(bullseye), e.g. exim4 4.94-15.

The upstream patch is this one, I believe:
----------------------------------------------------------------------
0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6
Author:     Jeremy Harris <jgh146exb at wizmail.org>
AuthorDate: Thu Jun 11 20:21:38 2020 +0100
Commit:     Jeremy Harris <jgh146exb at wizmail.org>
CommitDate: Thu Jun 11 20:30:18 2020 +0100

TLS: use RFC 6125 rules for certificate name checks when CNAMES are present. Bug 2594
----------------------------------------------------------------------

This was initially reported 2020-09-04 to security at debian.org.

Regards,
Jorrit Fahlke.

-- Package-specific info:
Exim version 4.92 #5 built 13-May-2020 16:01:31
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='censored'
dc_local_interfaces='127.0.0.1 ; ::1 ; 192.168.28.1'
dc_readhost='censored'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.28.2'
dc_smarthost='127.0.0.1::26'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:censored
# /etc/default/exim4
EX4DEF_VERSION=''

# 'combined' -	 one daemon running queue and listening on SMTP port
# 'no'       -	 no daemon running the queue
# 'separate' -	 two separate daemons
# 'ppp'      -   only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='30m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /var/run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-debug'), (1, 'testing-debug'), (1, 'experimental-debug'), (1, 'experimental'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-0.bpo.3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  exim4-base             4.92-8+deb10u4
ii  exim4-daemon-light     4.92-8+deb10u4

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:
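The flaw described in the report, modelled as an added Python example (this is not Exim's code): a simplified RFC 6125 name matcher is applied once to the CNAME target, as the buggy version did, and once to the configured hostname, as the fix does. All hostnames and certificate SAN lists below are constructed.

```python
"""Reference identifier choice when hostname resolution yields a CNAME.

RFC 6125 (section 6.2.1) says the reference identifier must be the name the
client was configured with; a CNAME target comes from an unauthenticated DNS
answer and must not be trusted as the name to verify against.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ResolvedHost:
    configured: str   # name the admin wrote, e.g. in dc_smarthost
    canonical: str    # CNAME target returned by DNS (untrusted)


def label_match(pattern: str, name: str) -> bool:
    """RFC 6125 section 6.4.3 style matching: exact match, or a wildcard that
    is the entire leftmost label and stands for exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    labels = name.split(".")
    if len(labels) < 3:          # "*.org" must not match "example.org"
        return False
    return ".".join(labels[1:]) == pattern[2:]


def cert_matches(san_names: list[str], reference: str) -> bool:
    """True if any dNSName SAN in the presented certificate matches."""
    return any(label_match(san, reference) for san in san_names)


def verify_vulnerable(host: ResolvedHost, san_names: list[str]) -> bool:
    """Pre-fix behaviour: the CNAME target is used as the reference name."""
    return cert_matches(san_names, host.canonical)


def verify_rfc6125(host: ResolvedHost, san_names: list[str]) -> bool:
    """Fixed behaviour: the configured hostname is the reference name."""
    return cert_matches(san_names, host.configured)


# Constructed scenario: the smarthost name is answered with a CNAME to an
# unrelated host whose certificate is valid only for that unrelated name.
SPOOFED = ResolvedHost("smtp.example.org", "mx.unrelated.example")
SPOOFED_SANS = ["mx.unrelated.example"]
# Constructed legitimate scenario: CNAME within the same zone, wildcard cert.
LEGIT = ResolvedHost("smtp.example.org", "mx1.example.org")
LEGIT_SANS = ["*.example.org"]
```

For the spoofed case `verify_vulnerable` accepts and `verify_rfc6125` rejects; for the legitimate case both accept.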
