Softaculous


Topic : STRONG SECURITY ISSUE on Exim 4.72 (last supported by Webuzo)


Posted By: peopleinside on February 4, 2016, 10:31 am
Hi,
as in the topic in the support forum:
http://www.softaculous.com/board/index.php?tid=8585&title=Security_Issue_EXIM_4.72

this topic is to alert the developers department of a STRONG SECURITY ISSUE present in the latest available (and old) version of Exim, 4.72, supported by Webuzo.

In fact this version is affected by the POODLE vulnerability, as it was released in 2011, before the STRONG SECURITY ISSUE of SSL 3 and the POODLE attack was discovered.

Just a reminder: it is about ONE MONTH, but really more, since I told you there is a strong vulnerability with SSL 3 and POODLE in Webuzo somewhere ... It IS more than one month that this STRONG SECURITY ISSUE has not been resolved by Webuzo with a patch.

I know and hope you are working on releasing a new version of Exim that can solve this STRONG SECURITY ISSUE... but please be quick, as soon as possible!

This is not a small thing!

Thank you!

-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Posted By: peopleinside on February 6, 2016, 5:34 pm | Post: 1
Webuzo is using an old version of Exim, released in 2011, which is vulnerable to the POODLE attack and cannot have SSL 3 disabled.

Seems to be compiled with GnuTLS.

From my test, if I try to disable SSL 3 in Exim by following the official instructions here:
https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

with the line tls_require_ciphers = NORMAL:!VERS-SSL3.0

then save and restart Exim, I can see that no secure ciphers are supported anymore.
You can see this with this command:

openssl s_client -connect mailserver.ext:465

Also, if you add +TLSv1.1:+TLSv1.2:ALL to tls_require_ciphers, no cipher will be supported, so you must remove tls_require_ciphers completely, and then you cannot disable SSL 3, so your server will continue to be VULNERABLE.

Also, if you disable SSL 3, Thunderbird stops working because the connection is not secure.

So, Webuzo team, you really have to solve a BIG issue with email and security.


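The openssl s_client check from the post above, done once per protocol version so the result says which versions the server actually accepts instead of only which cipher the client's default negotiation happened to pick. This is an added example, not code from the post or from Webuzo. It assumes an OpenSSL client that still has the legacy -ssl2/-ssl3 flags; newer OpenSSL builds drop them, and a client that cannot speak SSLv3 says nothing about whether the server still accepts it (the probe reports "unknown" in that case). Port 465 is implicit TLS as in the post; for 25 or 587 add -starttls smtp to the s_client call. The hostname, the PROBE_HOST/PROBE_PORT variables and the sample s_client outputs are all constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example: probe a mail server for each SSL/TLS version with
# openssl s_client and classify the answer from s_client's own output.
# Usage: PROBE_HOST=mailserver.ext PROBE_PORT=465 sh probe_tls.sh
# (hostname, variable names and script name are assumptions, not from the post)

# Read s_client output on stdin; print "ok" if a session was negotiated,
# "refused" if the server declined (s_client prints "Cipher is (NONE)"),
# "unknown" if s_client produced neither (e.g. the client lacks the flag).
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q '^New, .*, Cipher is '; then
        echo ok
    else
        echo unknown
    fi
}

# Read s_client output on stdin; print the "Protocol  : ..." value from the
# SSL-Session block, i.e. the version that was actually negotiated.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# probe_version HOST PORT FLAG: one handshake limited to a single version.
# s_client exits non-zero on a failed handshake, so "|| true" keeps a
# "set -e" script alive; the captured output is what gets classified.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
    status=$(printf '%s\n' "$out" | classify_s_client_output)
    if [ "$status" = ok ]; then
        echo "ok ($(printf '%s\n' "$out" | negotiated_protocol))"
    else
        echo "$status"
    fi
}

# probe_all HOST PORT: SSLv2 (DROWN) and SSLv3 (POODLE) should read
# "refused" (or "unknown" when the local client cannot speak them);
# TLSv1.2 should read "ok", or mail clients will have nothing left to use.
probe_all() {
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Constructed samples of s_client output, trimmed to the relevant lines, so
# the classifier can be checked without a network; they are not real captures.
SAMPLE_ACCEPTED='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
---'
SAMPLE_REFUSED='error:...:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'
SAMPLE_NO_FLAG='unknown option -ssl2
usage: s_client args'

if [ -n "${PROBE_HOST:-}" ]; then
    probe_all "$PROBE_HOST" "${PROBE_PORT:-465}"
fi
```

Run it against the mail server before and after any change to the Exim configuration; a server that still answers "ok (SSLv3)" for -ssl3 is exactly the state the post describes, whatever tls_require_ciphers says.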

Posted By: peopleinside on February 10, 2016, 4:04 pm | Post: 2
This seems to be an issue with RedHat.

A BUG has been opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1306345

so now we have to wait; also, the Webuzo team seems ... unable to do anything until a solution is found by RedHat.


Posted By: peopleinside on February 12, 2016, 12:51 pm | Post: 3
A patch has been released by RedHat and will be tested and released in the next days.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda

Status is now pending testing.



Posted By: peopleinside on March 7, 2016, 10:18 am | Post: 4
New, stronger security issue now: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability


DROWN vulnerability in email... it seems SSLv2, even if it is disabled, is supported by the Webuzo server.

I don't know if this is an issue with Exim and Dovecot or with OpenSSL.
This should be understood ASAP and fixed.

More info in the topic, where you will also be able to test whether you are affected or not: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability


Posted By: peopleinside on March 8, 2016, 1:11 pm | Post: 5
This is now solved.

To fix this issue you should back up your Exim configuration.
You can do this by using FTPS and downloading the Exim folder in etc,
or you can just back up the file exim.conf.

After that you need to go to Webuzo, Apps, search for Exim, then remove Exim.
If you have customized Exim you will lose your customized settings; this is why the backup is important.

After removing, please reinstall it.

Now in exim.conf under

tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem

you can add this line:

openssl_options = +no_sslv2 +no_sslv3

then exit and restart Exim.

You are safe now.

Many thanks to CentOS support, RedHat support and the Webuzo team... and also to me, who discovered this and also a new vulnerability this weekend.

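The procedure from this post as one script: back up exim.conf, insert the openssl_options line directly after tls_privatekey exactly where the post puts it, and only restart once the file parses. This is an added example, not the post's own steps or Webuzo's tooling. It refuses to touch a file that already carries an openssl_options line or that has no tls_privatekey line to anchor on. Two caveats a practitioner wants here: openssl_options is honoured only by an Exim built against OpenSSL (on a GnuTLS build it is an unknown main option and the configuration check fails, in which case the backup should be restored because the setting cannot take effect), and the EXIM_CONF path, the script name and the restart command are assumptions for a Webuzo host, not taken from the post. The sample exim.conf used for the offline check is constructed from the two lines quoted above.

```shell
#!/bin/sh
# Added example: apply the thread's fix to an Exim configuration file.
# Usage: EXIM_CONF=/etc/exim/exim.conf sh harden_exim_tls.sh
# (path, script name and restart command are assumptions, not from the post)

OPTION_LINE='openssl_options = +no_sslv2 +no_sslv3'

# harden_exim_conf CONF
#   returns 0 and changes nothing if openssl_options is already set
#     (print it so it can be reviewed by hand),
#   returns 1 and changes nothing if there is no tls_privatekey line,
#   otherwise backs up CONF to CONF.bak.<timestamp> and inserts
#     OPTION_LINE directly after the tls_privatekey line.
harden_exim_conf() {
    conf=$1
    if grep -q '^[[:space:]]*openssl_options[[:space:]]*=' "$conf"; then
        echo "openssl_options already set in $conf; review it by hand:" >&2
        grep -n '^[[:space:]]*openssl_options' "$conf" >&2
        return 0
    fi
    if ! grep -q '^[[:space:]]*tls_privatekey[[:space:]]*=' "$conf"; then
        echo "no tls_privatekey line in $conf; nothing changed" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Rewrite through a temp file; "cat >" into the original keeps its
    # owner and mode, which "mv" over it would not.
    awk -v line="$OPTION_LINE" '
        { print }
        /^[ \t]*tls_privatekey[ \t]*=/ && !done { print line; done = 1 }
    ' "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# show_tls_lines CONF: the TLS-related main options with line numbers,
# so the result can be checked by eye before restarting.
show_tls_lines() {
    grep -nE '^[[:space:]]*(tls_[a-z_]+|openssl_options)[[:space:]]*=' "$1"
}

# verify_and_restart CONF: parse CONF without serving mail (exim -C ... -bV)
# and restart only if it parses. An Exim built against GnuTLS rejects
# openssl_options as an unknown option at this step; restore the .bak
# copy then, because the setting cannot take effect on such a build.
verify_and_restart() {
    if exim -C "$1" -bV >/dev/null; then
        service exim restart   # assumed restart command on the Webuzo host
    else
        echo "$1 does not parse; restore the .bak copy" >&2
        return 1
    fi
}

if [ -n "${EXIM_CONF:-}" ]; then
    harden_exim_conf "$EXIM_CONF"
    show_tls_lines "$EXIM_CONF"
fi
```

After verify_and_restart, repeat the s_client check against port 465: -ssl2 and -ssl3 must now be refused while TLSv1.2 still negotiates, otherwise mail clients such as Thunderbird are left with nothing to connect with.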
