Bug#1092910: exim4: Discloses information about which packages are installed
Dietrich Clauss
dietrich at clauss-it.com
Mon Jan 13 10:02:24 GMT 2025
Package: exim4
Version: 4.96-15+deb12u6
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
In its default config, exim delivers mail to system accounts. An
attacker can send mail to, say, sshd at server.example.com and wait for the
reply. No reply means that sshd is installed on the target system.
"Unrouteable address" means that this is not the case. The same applies
for all packages that create system accounts.
One could set FIRST_USER_ACCOUNT_UID to prevent mail to system accounts
from being delivered, but this doesn't make things better. The reply will
then be "no mail to system accounts", which is different from
"Unrouteable address". The attacker can still send mail to well-known
system account names and find out whether the corresponding package is
installed or not.
-- Package-specific info:
Exim version 4.96 #2 built 28-Sep-2024 14:49:26
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM DNSSEC Event I18N OCSP PIPECONNECT PRDR Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 external plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated
-- System Information:
Debian Release: 12.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: i386 (i686)
Foreign Architectures: amd64
Kernel: Linux 6.1.0-28-686-pae (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages exim4 depends on:
ii debconf [debconf-2.0] 1.5.82
ii exim4-base 4.96-15+deb12u6
ii exim4-daemon-light 4.96-15+deb12u6
exim4 recommends no packages.
exim4 suggests no packages.
-- debconf information:
exim4/drec:
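The oracle described in the report leaves a trace on the receiving side: every probe of a non-existent local part ends up in Exim's mainlog as a rejected RCPT (with Debian's default recipient verification) carrying either "Unrouteable address" or, with FIRST_USER_ACCOUNT_UID set, "no mail to system accounts". The following Python script is an added detection example, not part of the bug report or of the exim4 package. It parses the "rejected RCPT <addr>: reason" line shape Exim writes for ACL rejections, groups rejections by source IP, and flags sources that walk through many distinct local parts, noting how many of them are well-known system account names. The log lines are constructed samples and the system-account name list is an assumption to be tuned to the host.

```python
import re
from collections import defaultdict

# Exim mainlog line written when an ACL rejects a RCPT command, e.g. because
# recipient verification found no route ("Unrouteable address") or a router
# failed the address with a :fail: message. Field order follows Exim's log
# format: timestamp, H=host [ip], F=<sender>, rejected RCPT <addr>: reason.
RCPT_REJECT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<local>[^@>]+)@(?P<domain>[^>]+)>: "
    r"(?P<reason>.*)$"
)

# Illustrative list of account names that packages create (assumption: tune it
# to the accounts actually present on the host, e.g. from getent passwd).
SYSTEM_ACCOUNT_NAMES = {
    "sshd", "www-data", "postfix", "mysql", "postgres", "ntp", "Debian-exim",
}

# Constructed sample log lines (not taken from the bug report): one source
# walks through well-known account names, the other is a single ordinary typo,
# and the last line is an accepted message that the parser must ignore.
SAMPLE_MAINLOG = """\
2025-01-13 10:02:24 H=(probe) [192.0.2.10] F=<a@example.net> rejected RCPT <sshd@server.example.com>: Unrouteable address
2025-01-13 10:02:25 H=(probe) [192.0.2.10] F=<a@example.net> rejected RCPT <postfix@server.example.com>: Unrouteable address
2025-01-13 10:02:26 H=(probe) [192.0.2.10] F=<a@example.net> rejected RCPT <www-data@server.example.com>: no mail to system accounts
2025-01-13 10:02:27 H=(probe) [192.0.2.10] F=<a@example.net> rejected RCPT <mysql@server.example.com>: Unrouteable address
2025-01-13 10:02:28 H=(probe) [192.0.2.10] F=<a@example.net> rejected RCPT <sshd@server.example.com>: Unrouteable address
2025-01-13 10:05:00 H=mail.example.org [198.51.100.7] F=<bob@example.org> rejected RCPT <jon@server.example.com>: Unrouteable address
2025-01-13 10:06:00 1tWxyz-000ABC-12 <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1234
"""


def parse_rejections(lines):
    """Return one dict per rejected RCPT line; other log lines are skipped."""
    events = []
    for line in lines:
        m = RCPT_REJECT.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def find_probing_sources(lines, min_distinct=3):
    """Group rejections by source IP and flag IPs that try at least
    min_distinct different local parts. For each flagged IP report the number
    of attempts, the distinct local parts, which of them are well-known system
    account names, and the distinct rejection texts the server handed back
    (two different texts from one source is exactly the oracle in the report)."""
    per_ip = defaultdict(lambda: {"locals": set(), "reasons": set(), "count": 0})
    for ev in parse_rejections(lines):
        rec = per_ip[ev["ip"]]
        rec["locals"].add(ev["local"])
        rec["reasons"].add(ev["reason"])
        rec["count"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        if len(rec["locals"]) >= min_distinct:
            flagged[ip] = {
                "attempts": rec["count"],
                "distinct_local_parts": len(rec["locals"]),
                "system_account_names": sorted(rec["locals"] & SYSTEM_ACCOUNT_NAMES),
                "reasons": sorted(rec["reasons"]),
            }
    return flagged


if __name__ == "__main__":
    # Run against a real log with: python3 this_script.py < /var/log/exim4/mainlog
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_MAINLOG.splitlines()
    for ip, info in find_probing_sources(source).items():
        print(ip, info)
```

On the sample input only 192.0.2.10 is flagged: five attempts against four distinct local parts, all four of them system account names, with two different rejection texts. The threshold of three distinct local parts is deliberately low for the sample; on a busy relay raise it or add a time window, since legitimate senders with a stale address book also produce a handful of "Unrouteable address" rejections.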