
After upgrading Exim4 to an official patched version fixing CVE-2019-10149 vulnerability (i.e. exim4_4.89-2+deb9u4) on my Debian stable server, I still get the "Message frozen" warnings about suspicious emails.

Is it expected, or should these suspicious emails be silently discarded? I can't seem to understand how the patch affects this behaviour — I'd assume such emails would trigger the !parse_extract_address(…) condition and therefore be logged and rejected, but it doesn't seem to be the case?

  • You probably always got lots of frozen messages, nothing directly suspicious about that. That's why there's a setting `timeout_frozen_after` to delete those after some time. – wurtel Jun 17 '19 at 12:04
  • @wurtel I get email warnings about frozen messages only once or twice a year. Others are silently discarded. – Skippy le Grand Gourou Jun 17 '19 at 12:19

1 Answer


As explained in the security advisory, in the example of the question linked in the OP, the attacker is trying to trigger RECIP_FAIL_LOOP by setting a number of Received headers greater than Exim's default received_headers_max value (30).

Here is what Exim4 does in this case:

   case RECIP_FAIL_LOOP:
     /* Too many Received: headers: fail the address with an explanatory message
        and let post_process_one() log it and generate the bounce. */
     new->message = US"Too many \"Received\" headers - suspected mail loop";
     post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
     break;

That is, when an attacker attempts to exploit this vulnerability, Exim will send the warning email to the postmaster. But this is not where the vulnerability stands, so this code was not modified by the patch.

The vulnerability itself is in the following if block, which was fixed by the patch.

Therefore, it is expected to receive numerous reports of attempts to exploit this vulnerability.
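As an added illustration (not part of the original answer or of Exim's code), the snippet below reproduces the check the answer describes, counting Received: headers against Exim's default received_headers_max of 30, and tallies "suspected mail loop" failures per day from a constructed mainlog excerpt so a burst of such reports stands out from the occasional genuine loop. The log line format is a simplified assumption, not a verbatim Exim log.

```python
import email
import re
from collections import Counter
from email import policy

RECEIVED_HEADERS_MAX = 30  # Exim's default received_headers_max


def received_count(raw_message: str) -> int:
    """Count the Received: header lines of an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return len(msg.get_all("Received", []))


def would_trip_loop_check(raw_message: str, limit: int = RECEIVED_HEADERS_MAX) -> bool:
    """True when the message carries more Received: headers than received_headers_max,
    i.e. the condition that sends the address down the RECIP_FAIL_LOOP path."""
    return received_count(raw_message) > limit


def build_message(n_received: int) -> str:
    """Constructed sample message with n_received Received: headers (hypothetical hosts)."""
    hops = "".join(
        f"Received: from hop{i}.example.invalid by mx.example.invalid; "
        "Mon, 17 Jun 2019 12:00:00 +0000\n" for i in range(n_received))
    return hops + "From: a@example.invalid\nTo: b@example.invalid\nSubject: t\n\nbody\n"


# Constructed mainlog excerpt; the line layout is an assumption, simplified from Exim's.
SAMPLE_MAINLOG = """\
2019-06-17 12:04:01 1hcgcr-0001AB-2x ** root@localhost R=localuser: Too many "Received" headers - suspected mail loop
2019-06-17 12:04:01 1hcgcr-0001AB-2x Frozen (delivery error message)
2019-06-17 12:10:00 1hcgd3-0001AD-Qy => bob@example.invalid R=dnslookup T=remote_smtp
2019-06-18 03:15:42 1hcx9Q-0002Fz-Lk ** root@localhost R=localuser: Too many "Received" headers - suspected mail loop
2019-06-18 03:15:42 1hcx9Q-0002Fz-Lk Frozen (delivery error message)
"""

LOOP_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \S+ \S+ .*Too many "Received" headers - suspected mail loop')


def loop_events_per_day(mainlog: str) -> dict:
    """Tally suspected-mail-loop failures per day; a spike suggests exploit attempts, not loops."""
    counts = Counter()
    for line in mainlog.splitlines():
        m = LOOP_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```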