A remote code execution vulnerability has been reported in Exim, with immediate public disclosure (we were given no private notice). A tentative patch exists but has not yet been confirmed. Exim is a widely used mail transfer agent used on Unix-like operating systems.
With immediate effect, please apply this workaround: if you are running Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main section of your Exim configuration, set:
That's an empty value, nothing on the right of the equals. This disables advertising the ESMTP CHUNKING extension, making the BDAT verb unavailable and avoids letting an attacker apply the logic.
This should be a complete workaround. Impact of applying the workaround is that mail senders have to stick to the traditional DATA verb instead of using BDAT.
We've requested CVEs. More news will be forthcoming as we get this worked out.
A quick check can be performed to see if you are vulnerable:
exim -bP | grep chunking_advertise_hosts
If the value is empty you are safe. If you'd like to remove the value enter the following:
sed -i 's/chunking_advertise_hosts.*/chunking_advertise_hosts =/g' /etc/exim.conf
For servers running cPanel:
# perl -pi.bak -e "s/^chunking_advertise_hosts =.*/chunking_advertise_hosts = /g" /usr/local/cpanel/etc/exim/config_options # /scripts/buildeximconf # /scripts/restartsrv_exim
This will remove the configured hosts that the chunking_advertise_hosts option currently has and set it to an empty host list. It will also back up the current /usr/local/cpanel/etc/exim/config_options as /usr/local/cpanel/etc/exim/config_options.bak.
It is recommended that you take immediate action.
EDIT: servers running DirectAdmin are NOT affected. The chunking_advertise_hosts directive can be found in the exim.variables.conf file and has an empty value by default.
Ongoing Discussion via WHT: