• Wednesday, November 29, 2017

https://documentation.cpanel.net/display/CKB/CVE-2017-16943+and+CVE-2017-16944+Exim

Impact

According to Exim development: "A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice)."

The vulnerability exists in the ESMTP CHUNKING extension, and an additional DoS vulnerability exists in the same subsystem. On supported cPanel & WHM versions, chunking_advertise_hosts is set to an un-routable IP address by default. That technique appears to prevent the remote exploitation of the vulnerabilities.

On further investigation, we became concerned that local users may still be able to abuse this configuration. Accordingly, we published an autofixer on Monday, November 27, 2017, to fully disable chunking support in Exim. The autofixer would have run during Monday's nightly maintenance; you can confirm this by running the following command as root via SSH:

/scripts/autorepair exim_disable_chunking

Resolution

This page will be updated as new versions of cPanel & WHM are published to address CVE-2017-16943 and CVE-2017-16944.

Workarounds

As stated above: you may completely disable chunking support in Exim. To do this, run the following command as root via SSH:

/scripts/autorepair exim_disable_chunking
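
To check the result of the workaround, the following added example (not part of the cPanel advisory or of Exim) classifies the output of `exim -bP chunking_advertise_hosts` and tests an EHLO reply for the CHUNKING keyword. It assumes that the autofixer leaves `chunking_advertise_hosts` empty, which is how Exim stops advertising the extension; the sample EHLO replies and the hostname in them are constructed.

```shell
#!/bin/sh
# Added example (not cPanel's or Exim's code): check whether Exim still
# offers the ESMTP CHUNKING extension after the workaround.

# Classify one line of `exim -bP chunking_advertise_hosts` output.
# Prints: disabled (empty host list), open (*), restricted (any other
# list, e.g. a single un-routable address), or unknown (unparsable).
classify_chunking_setting() {
    case "$1" in
        chunking_advertise_hosts*=*) ;;
        *) echo unknown; return 0 ;;
    esac
    value=$(printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr -d '[:space:]')
    case "$value" in
        '')  echo disabled ;;
        '*') echo open ;;
        *)   echo restricted ;;
    esac
}

# Read an EHLO reply on stdin; succeed if it advertises CHUNKING.
ehlo_offers_chunking() {
    tr -d '\r' | grep -Eiq '^250[- ]CHUNKING( |$)'
}

# Constructed sample EHLO replies (the hostname is a placeholder).
SAMPLE_EHLO_CHUNKING='250-mail.example.test Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250 HELP'
SAMPLE_EHLO_NO_CHUNKING='250-mail.example.test Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP'

# On a host with Exim installed, report the live setting.
if command -v exim >/dev/null 2>&1; then
    line=$(exim -bP chunking_advertise_hosts 2>/dev/null || true)
    echo "chunking_advertise_hosts: $(classify_chunking_setting "$line")"
fi
```

A result of `restricted` corresponds to the un-routable-address default described under Impact, and `disabled` to chunking being fully turned off.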

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2017-16943

https://nvd.nist.gov/vuln/detail/CVE-2017-16944

https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html