 Security Issue EXIM 4.72 (10 Replies, Read 9269 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
The last supported version of Exim on Webuzo seems to be 4.72, which is very old; it was released in 2011.

This seems to be affected by the POODLE attack vulnerability, and you cannot disable SSL3 because if you do you will have issues with email.

Please find a solution, very soon.

STRONG SECURITY ISSUE.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Security Issue EXIM 4.72
peopleinside
Please FIX this STRONG SECURITY ISSUE ASAP,

as you can see here:

http://marc.info/?t=141379731800002&r=1&w=2

Exim 4.72 IS OLD AND INSECURE!!!



Security Issue EXIM 4.72
peopleinside
I AM WAITING FOR A SOLUTION to fix this STRONG SECURITY ISSUE, thanks.



Security Issue EXIM 4.72
peopleinside
I hope Exim can be fixed by the end of this week or by the end of next week. The security issue should be fixed very soon. I have issues until this is fixed. Thanks :)


Security Issue EXIM 4.72
peopleinside
Hi Webuzo Team,
I AM waiting, and continuing to wait, for the fix to that STRONG SECURITY ISSUE: the POODLE attack on the SSL 3 support of the old Exim 4.72.

I hope to see a fix in the next week.
This is not a feature request but a STRONG SECURITY ISSUE, and a public one (because everyone can see the Exim version in the email headers, and also this topic here).



Security Issue EXIM 4.72
peopleinside
MORE INFORMATION ABOUT THIS ISSUE:

1. Deprecated SSL Protocol Usage (Medium)
Port:  urd (465/tcp)
Summary:
The remote service accepts connections encrypted using SSLv2 and/or SSLv3, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Recommended Solution:
Consult the application's documentation to disable SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer.
More information:  http://www.schneier.com/paper-ssl.pdf



Security Issue EXIM 4.72
peopleinside
Webuzo is using an old version of Exim, released in 2011, which is vulnerable to the POODLE attack and cannot have SSL 3 disabled.

It seems to be compiled with GnuTLS.

From my test, if I try to disable SSL 3 in Exim by following the official instructions here:
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

with the line tls_require_ciphers = NORMAL:!VERS-SSL3.0

then save and restart Exim, I can see that no more secure ciphers are supported.
You can see it with this command:

openssl s_client -connect mailserver.ext:465

Also, if you add +TLSv1.1:+TLSv1.2:ALL to tls_require_ciphers, no cipher will be supported, so you must remove tls_require_ciphers completely, and you cannot disable SSL 3, so your server will continue to be VULNERABLE.

Also, if you disable SSL 3, Thunderbird stops working because the connection is not secure.

So, Webuzo team, you really have to solve a BIG issue with email and security.


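A defender-side check for the situation described in this post, written as an added example that is not from the thread or from Webuzo: it forces one protocol version per openssl s_client connection (the same tool the post uses) and reports which versions the 465/tcp listener still accepts, so an SSLv3 acceptance stands out. The host name mailserver.ext is the post's placeholder; the -ssl3 and -tls1* flags assume an OpenSSL 1.x CLI that still has SSLv3 compiled in.

```shell
#!/bin/sh
# Added example (not from the thread): probe a mail server's implicit-TLS port
# one protocol version at a time with openssl s_client and report the result.
# Assumes an OpenSSL 1.x CLI with the -ssl3/-tls1/-tls1_1/-tls1_2 flags.

# Print the protocol s_client actually negotiated, or "none" when the handshake
# failed (s_client then prints "Cipher is (NONE)" and a 0000 session cipher).
parse_negotiated() {
  txt=$1
  if printf '%s\n' "$txt" | grep -Eq 'Cipher is \(NONE\)|handshake failure|Cipher *: *0000'; then
    echo none
    return 0
  fi
  proto=$(printf '%s\n' "$txt" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  [ -n "$proto" ] && echo "$proto" || echo none
}

# One connection with a single version forced, e.g. probe mailserver.ext 465 -ssl3
probe() {
  out=$(printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" "$3" 2>&1)
  parse_negotiated "$out"
}

# One verdict line per version; an accepted SSLv3 is the POODLE exposure.
report() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    got=$(probe "$1" "$2" "$flag")
    case "$flag:$got" in
      -ssl3:none) echo "$flag rejected (good)" ;;
      -ssl3:*)    echo "$flag ACCEPTED as $got (POODLE exposure)" ;;
      *:none)     echo "$flag rejected" ;;
      *)          echo "$flag accepted as $got" ;;
    esac
  done
}

# Constructed sample of s_client output so the parser can be exercised offline.
SAMPLE_SSL3='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

if [ $# -eq 2 ]; then
  report "$1" "$2"          # e.g. ./tlsprobe.sh mailserver.ext 465
else
  echo "offline sample negotiated: $(parse_negotiated "$SAMPLE_SSL3")"
fi
```

Run it against your own listener after changing tls_require_ciphers: the post's observation that every version then reports "rejected" is exactly what this output would show.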

Security Issue EXIM 4.72
peopleinside
Also, just

tls_require_ciphers = +TLSv1.2

does not work, as TLS stops working because TLS without SSL 3 is not supported on Exim 4.72 with the current Webuzo configuration and GNU... so...

only a Webuzo update will be able to solve the security issue.



Security Issue EXIM 4.72
peopleinside
It seems Exim 4.72 also has a different vulnerability, local code execution:
https://www.google.it/search?q=fix+exim+4.72&ie=utf-8&oe=utf-8&gws_rd=cr&ei=HW62VpTUKcuWsgG9pafoDw

SO I hope an updated version of Exim will be released very soon, please... not like the antispam, which has not been available for two years.

This old Exim is a very serious security issue.



Security Issue EXIM 4.72
peopleinside
I have no power, no power to fix this EXIM SSL 3 issue.
The biggest problem is that, as there is a security issue, I AM alerted every week by the security scanner I set up to monitor the safety of the server.

Now you have told me it seems you have issues installing the new Exim. This is not the first time I have heard that; I heard the same for the Antispam... so I really hope you will not do the same as with the Antispam, which has not been released in two years. I need to fix the security issue with Exim, but as it is integrated in Webuzo I can't fix it by myself. I have tried everything but nothing is working, so I must wait for you.


Security Issue EXIM 4.72
peopleinside
This seems to be an issue with RedHat.

A BUG has been opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1306345

So now we have to wait; also, the Webuzo team seems ... unable to do anything until a solution is found by RedHat.

This topic is now closed for me; future updates will maybe be posted here:
http://www.softaculous.com/board/index.php?tid=8642&title=STRONG_SECURITY_ISSUE_on_Exim_4.72_%28last_supported_by_Webuzo%29

Thank you.


