Given Hestia’s reliance on Exim, I’d like to bring to your attention a current vulnerability (CVE-2023-42115) with CVSS score 9.8 that could potentially lead to remote code execution. Unfortunately, there is currently no patch available for this issue. As a temporary solution, we can mitigate the risk by blocking port 25 through the firewall page (iptables) in the HestiaCP panel. It’s important to note that this action will prevent the reception of emails for all email accounts. However, email sending should continue to function without any disruptions.
The email protocol is designed to be resilient and will attempt to send emails multiple times to the same recipient if the mail server cannot be reached (subject to the sender’s mail server configuration). Therefore, if you implement this workaround and the vulnerability is fixed by Monday, emails sent during this period are likely to still be successfully received after removing the port block.
Current status for Debian and Ubuntu Exim4 packages:
Thanks for the info.
Seems there are 6 CVE assigned and 3 of them are already fixed and waiting for maintainers (Debian, Ubuntu, etc.) to add them to their packages.
CVE-2023-42114 https://www.zerodayinitiative.com/advisories/ZDI-23-1468/ 3001 fixed
CVE-2023-42115 ZDI-23-1469 | Zero Day Initiative 2999 fixed
CVE-2023-42116 ZDI-23-1470 | Zero Day Initiative 3000 fixed
Today, Debian has published updates for exim4 (in my system, Debian bookworm: exim4, exim4-base, exim4-config and exim4-daemon-heavy)
exim4 (4.96-15+deb12u2) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
* Address external and SPA authenticator vulnerabilities (CVE-2023-42114,
- Auths: fix possible OOB write in external authenticator (CVE-2023-42115)
- Auths: use uschar more in spa authenticator
- Auths: fix possible OOB write in SPA authenticator (CVE-2023-42116)
- Auths: fix possible OOB read in SPA authenticator (CVE-2023-42114)
-- Salvatore Bonaccorso <[[email protected]> Fri, 29 Sep 2023 22:38:02 +0200
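An added example (my own code, not from this thread or from the Hestia or Exim projects) for checking whether an installed exim4 package is at or beyond the bookworm version that carries the three fixes: it ports dpkg's version-ordering rules to Python so the comparison handles `~`, `+deb12u2`-style revisions and epochs correctly. The fixed version string is the one quoted from the changelog above; the installed versions in the comments are constructed samples.

```python
import re

# Fixed Debian bookworm version, taken from the changelog quoted in the thread above.
FIXED_EXIM4_VERSION = "4.96-15+deb12u2"

def _order(c):
    # dpkg's ordering for non-digit characters: '~' sorts before everything
    # (even end-of-string), letters sort before other symbols, end/digit count as 0.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _compare_fragment(a, b):
    # Port of dpkg's verrevcmp(): alternate between a non-digit run compared
    # character by character and a digit run compared numerically.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; the Debian revision follows the LAST hyphen.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Orders a and b the way `dpkg --compare-versions` does: returns -1, 0 or 1.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)

def is_patched(installed, fixed=FIXED_EXIM4_VERSION):
    # True when the installed exim4 version is at or beyond the fixed one,
    # e.g. is_patched("4.96-15+deb12u1") is False and is_patched("4.97-1") is True.
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' exim4`; Ubuntu uses its own version strings, so on Ubuntu pass the fixed version from the Ubuntu advisory as `fixed` instead of the Debian default.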
Ubuntu has also released updates, albeit slightly delayed.