 STRONG SECURITY ISSUE on Exim 4.72 (last supported by Webuzo) (5 Replies, Read 9380 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi,
as in the topic in the support forum:
http://www.softaculous.com/board/index.php?tid=8585&title=Security_Issue_EXIM_4.72

this topic is to alert the Developers department of a STRONG SECURITY ISSUE present in the last available, and old, version of Exim (4.72) supported by Webuzo.

In fact this version is affected by the POODLE vulnerability, as it was released in 2011, before the STRONG SECURITY ISSUE of SSL 3 and the POODLE attack was discovered.

Just a reminder: it is about ONE MONTH, but really it is more, that I have been telling you there is a strong vulnerability with SSL 3 and POODLE somewhere in Webuzo ... It is more than one month that this STRONG SECURITY ISSUE has not been resolved by Webuzo with a patch.

I know and hope you are working on releasing a new version of Exim which can solve this STRONG SECURITY ISSUE... but please be quick, as soon as possible!

This is not a small thing!

Thank you!

-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

peopleinside
Webuzo is using an old version of Exim, released in 2011, which is vulnerable to the POODLE attack and can't have SSL 3 disabled.

It seems to be compiled with GnuTLS.

From my test, if I try to disable SSL 3 in Exim by following the official instruction here:
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

with the line tls_require_ciphers = NORMAL:!VERS-SSL3.0

then save and restart Exim, I can see that no secure ciphers are supported any more.
You can check this with this command:

openssl s_client -connect mailserver.ext:465

Also,
if you add +TLSv1.1:+TLSv1.2:ALL to tls_require_ciphers, no
cipher will be supported, so you must remove
tls_require_ciphers completely, and you cannot disable SSL 3, so your server will
continue to be VULNERABLE.

Also, if you disable SSL 3, Thunderbird stops working because the connection is not secure.

So, Webuzo team, you really have to solve a BIG issue with email and security.


peopleinside
This seems to be an issue with RedHat.

A BUG has been opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1306345

so now we have to wait; also the Webuzo team, it seems... cannot do anything until a solution is found by RedHat.

peopleinside
A patch has been released by RedHat and will be tested and released in the next days.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

Status is now pending test.


peopleinside
A new, even stronger security issue now: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability

DROWN vulnerability in email... it seems SSLv2, even if it is disabled, is supported by the Webuzo server.

I don't know if this can be an issue with Exim and Dovecot or with OpenSSL.
This should be understood asap and fixed.

More info at the topic, where you will also be able to test if you are affected or not: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability

peopleinside
This is now solved.

To fix this issue you should back up your Exim configuration.
You can do this by using FTPS and downloading the Exim folder in etc,
or you can just back up the file exim.conf.

After that you need to go to Webuzo, Apps, and search for Exim, then remove Exim.
If you have customized Exim you will lose the customized settings; this is why the backup is important.

After removing it, please reinstall it.

Now in exim.conf, under

tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem

you can add this row:

openssl_options = +no_sslv2 +no_sslv3

then exit and restart Exim.

You are safe now.

Many thanks to CentOS support, RedHat support and the Webuzo Team... and also to me, who discovered this and also a new vulnerability this weekend.

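
As an added example (not code from the thread, from Webuzo or from Exim), here is a small Python checker for the fix in the last post: it reads exim.conf-style text, reports whether openssl_options switches on no_sslv2 and no_sslv3, and inserts the line after tls_privatekey (or extends an existing openssl_options line) when it is missing. The sample configuration text and the function names are my own constructions; after writing the result back you still restart Exim as the post says.

```python
import re

# Constructed sample of the relevant part of an exim.conf (not a real Webuzo file).
SAMPLE_CONF = """\
# main configuration section
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25 : 465 : 587
"""

# Options the thread's fix turns on; each one disables a legacy protocol in OpenSSL.
REQUIRED = ("no_sslv2", "no_sslv3")
_OPT_RE = re.compile(r"^\s*openssl_options\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_openssl_options(conf_text):
    """Option names switched on by openssl_options, or None if the line is absent.
    Exim syntax: whitespace-separated tokens, '+name' sets, '-name' clears; last line wins."""
    enabled = None
    for line in conf_text.splitlines():
        m = _OPT_RE.match(line)
        if m:
            enabled = set()
            for tok in m.group(1).split():
                name = tok.lstrip("+-").lower()
                if tok.startswith("-"):
                    enabled.discard(name)
                else:
                    enabled.add(name)
    return enabled


def missing_protocol_disables(conf_text):
    """Which of the required no_sslvX options the configuration does not enable."""
    enabled = parse_openssl_options(conf_text) or set()
    return [opt for opt in REQUIRED if opt not in enabled]


def harden(conf_text):
    """Return conf_text with openssl_options disabling SSLv2 and SSLv3 (idempotent)."""
    missing = missing_protocol_disables(conf_text)
    if not missing:
        return conf_text
    extra = " ".join("+" + opt for opt in missing)
    lines = conf_text.splitlines()
    hits = [i for i, l in enumerate(lines) if _OPT_RE.match(l)]
    if hits:  # extend the last existing line instead of adding a conflicting second one
        lines[hits[-1]] = lines[hits[-1]].rstrip() + " " + extra
    else:  # no line yet: put it right after tls_privatekey, where the post adds it
        keys = [i for i, l in enumerate(lines) if re.match(r"^\s*tls_privatekey\s*=", l)]
        lines.insert(keys[-1] + 1 if keys else len(lines), "openssl_options = " + extra)
    return "\n".join(lines) + "\n"
```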