Bug 1215789 (CVE-2023-42119)

Summary: VUL-0: CVE-2023-42119: exim: dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Peter Wullinger <wullinger>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/380208/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-09-28 06:38:07 UTC 
This vulnerability allows network-adjacent attackers to disclose sensitive
information on affected installations of Exim. Authentication is not required to
exploit this vulnerability.

The specific flaw exists within the smtp service, which listens on TCP port 25
by default. The issue results from the lack of proper validation of
user-supplied data, which can result in a read past the end of an allocated
buffer. An attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of the service account.

06/22/22 – ZDI reported the vulnerability to the vendor.

04/25/23 – ZDI asked for an update.

04/25/23 – The vendor asked us to re-send the reports.

05/10/23 – ZDI sent the vulnerability to the vendor.

09/25/23 – ZDI asked for an update and informed the vendor that we intend to
publish the case as a zero-day advisory on 09/27/23.

-- Mitigation: Given the nature of the vulnerability, the only salient
mitigation strategy is to restrict interaction with the application.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-42119
Comment 1 Peter Wullinger 2023-10-04 06:32:10 UTC 
There are no upstream fixes for this yet.

You are only affected, if your upstream resolver does no do DNS record validation.
Comment 2 OBSbugzilla Bot 2023-10-16 09:45:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1215789) was mentioned in
https://build.opensuse.org/request/show/1117952 Factory / exim
Comment 3 OBSbugzilla Bot 2023-10-18 08:25:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1215789) was mentioned in
https://build.opensuse.org/request/show/1118499 Backports:SLE-12-SP4 / exim
https://build.opensuse.org/request/show/1118502 Backports:SLE-15-SP4 / exim
https://build.opensuse.org/request/show/1118503 Backports:SLE-15-SP6 / exim
https://build.opensuse.org/request/show/1118504 Backports:SLE-15-SP5 / exim
Comment 4 Marcus Meissner 2023-10-18 16:05:16 UTC 
openSUSE-SU-2023:0303-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1215787,1215789
CVE References: CVE-2023-42117,CVE-2023-42119
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    exim-4.94.2-bp155.5.6.1
Comment 5 Marcus Meissner 2023-10-18 16:05:35 UTC 
openSUSE-SU-2023:0304-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1215787,1215789
CVE References: CVE-2023-42117,CVE-2023-42119
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    exim-4.94.2-bp154.2.9.1
Comment 6 Peter Wullinger 2023-10-19 09:33:28 UTC 
Fixed via patch
Comment 7 OBSbugzilla Bot 2024-07-15 17:05:26 UTC 
This is an autogenerated message for OBS integration:
This bug (1215789) was mentioned in
https://build.opensuse.org/request/show/1187597 Backports:SLE-15-SP6 / exim