Cannot specify server certificate hostname verification whitelist

Bug #1384232 reported by Roca
Affects: exim4 (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned

Bug Description

We did an automatic static analysis on exim4 packages in Ubuntu and found that EXIM will not verify the hostname of an SMTP server against its certificate. This will possibly result in a man-in-the-middle attack. We reported this bug directly to exim.org in May 2014 and they fixed this problem in their latest release. So please fix this issue in Ubuntu.

Bug: http://bugs.exim.org/show_bug.cgi?id=1479

Fix: http://git.exim.org/exim.git/commit/e51c7be22dfccad376659a1a46cee93c9979bbf7

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Do you know if a CVE has been assigned for this issue?

Thanks

information type: Private Security → Public Security
Roca (heboyuan) wrote :

We sent email to <email address hidden> and got the following response, but we don't agree that this was intentionally made.

This patch appears to be outside the scope of CVE. For issues of this type, the scope of CVE is limited to unintentional implementation mistakes. Here, the vendor intentionally did not do a hostname check because (quoting http://bugs.exim.org/show_bug.cgi?id=1479#c2) "Exim is an MTA, there has been no sane approach to determining a hostname suitable for verification of certificate identity." The vendor went on to implement a useful security enhancement in response to your report.
This is a very good outcome, but security enhancements are not assigned CVE-IDs.

Roca (heboyuan)
Changed in exim4 (Ubuntu):
status: New → Confirmed
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :
Robie Basak (racb) wrote :

I just looked into this, prompted by Chuck Peters on the ubuntu-server list.

It seems to me that this is a security-related feature made upstream in a newer release of exim4. To use it, every individual sysadmin would need to manually configure the tls_verify_cert_hostnames setting to a list of hostnames to use for stricter certificate checking when connecting to those particular hosts. Is this understanding accurate?

Chuck requested a backport to Trusty on the list. I think the feature would have limited value in an update automatically recommended to all users (such as an SRU or security update), since most users would not be aware of the feature in order to enable it. And the feature is of limited use on the wider Internet anyway. We'd only be enabling the feature for a very small proportion of "opt-in" users because of the configuration requirement, for whom I suggest that the backports repository or moving to a newer (yet to be released) Ubuntu release would be more suitable. So I'm in favour of merging 4.86 into the development release when it is available, but am not convinced that this is suitable in an update that would be automatically recommended to all users such as through trusty-updates.

I welcome discussion on this though. I'm particularly interested in the security team's opinion.

summary: Certificate hostname verification fix → Cannot specify server certificate hostname verification whitelist
Changed in exim4 (Ubuntu):
status: Confirmed → Triaged
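The check the bug description asks for, and that Robie Basak's comment describes being switched on per host through tls_verify_cert_hostnames, comes down to matching the name the MTA actually connected to (the MX target host that DNS returned, not the recipient's domain) against the dNSName entries of the server certificate. The Python below is an added illustration of that check and is not Exim's code: the certificate dictionaries and the MX table are constructed inline, in the shape Python's ssl getpeercert() returns, and the function names (verify_smtp_peer, hostname_matches_certificate) and sample host names are assumptions made for this example.

```python
"""Hostname-vs-certificate check of the kind an MTA performs when
per-host certificate name verification is enabled.

Added example, not Exim code. All certificates and DNS data below are
constructed for the demonstration, in the dict layout that Python's
ssl.SSLSocket.getpeercert() uses; none were captured from a real server.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly '*.example.com') against a
    hostname: case-insensitive, trailing dot ignored, a wildcard only as the
    entire leftmost label, and that wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label and must leave at least two
    # literal labels, so "*.com" never covers every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Exactly one label may stand in for '*': "*.example.com" must not match
    # "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_dns_names(cert: dict) -> list:
    """Names a verifier may consult: every subjectAltName dNSName entry, or,
    only when the certificate carries no subjectAltName at all, the subject
    commonName. A SAN with only non-DNS entries yields no usable names."""
    if "subjectAltName" in cert:
        return [value for kind, value in cert["subjectAltName"] if kind == "DNS"]
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def hostname_matches_certificate(hostname: str, cert: dict) -> bool:
    return any(_dns_name_matches(n, hostname) for n in certificate_dns_names(cert))


def verify_smtp_peer(envelope_domain: str, mx_records: dict, cert: dict) -> tuple:
    """Choose the name to verify the way an MTA must: the MX target host, not
    the recipient domain. mx_records stands in for the DNS answer, which is
    the unauthenticated input the upstream discussion points at: passing this
    check binds the certificate to whatever name DNS supplied, nothing more.
    Returns (verified_name, matched)."""
    mx_host = mx_records[envelope_domain]
    return mx_host, hostname_matches_certificate(mx_host, cert)


# Constructed sample data.
MX = {"example.com": "mx1.example.com"}
CERT_MX = {"subject": ((("commonName", "mx1.example.com"),),),
           "subjectAltName": (("DNS", "mx1.example.com"),)}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
CERT_DOMAIN_ONLY = {"subject": ((("commonName", "example.com"),),),
                    "subjectAltName": (("DNS", "example.com"),)}
CERT_IMPOSTOR = {"subject": ((("commonName", "mx1.attacker.example"),),),
                 "subjectAltName": (("DNS", "mx1.attacker.example"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "mx1.example.com"),),)}

if __name__ == "__main__":
    for label, cert in [("mx-cert", CERT_MX), ("wildcard", CERT_WILDCARD),
                        ("domain-only", CERT_DOMAIN_ONLY), ("impostor", CERT_IMPOSTOR),
                        ("cn-only", CERT_CN_ONLY)]:
        name, ok = verify_smtp_peer("example.com", MX, cert)
        print(f"{label:12s} verified against {name}: {'accept' if ok else 'REJECT'}")
```

Two things the run makes visible: a certificate issued for the bare recipient domain does not satisfy a check against the MX host, which is why the name to verify has to be chosen deliberately, and a matching MX-host certificate only proves the server holds the name DNS handed out, so an attacker who controls the DNS answer is not stopped by this check alone.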