Posted By: peopleinside on February 4, 2016, 10:31 am
Hi,
as the topic in the support Forum: http://www.softaculous.com/board/index.php?tid=8585&title=Security_Issue_EXIM_4.72 this topic is to alert the Developers department of a STRONG SECURITY ISSUE present in the last available and old version of Exim 4.72 supported by Webuzo. In fact this version is affected by the POODLE vulnerability as it was released in 2011, before the STRONG SECURITY ISSUE of SSL 3 and the POODLE attack was discovered. Just a reminder to tell you it is about ONE MONTH, but really it is more that I have been telling you there is a strong vulnerability with SSL 3 and POODLE in Webuzo somewhere ... It is more than one month that this STRONG SECURITY ISSUE has not been resolved by Webuzo with a patch. I know and hope you are working on releasing a new version of Exim which can solve this STRONG SECURITY ISSUE... but please be quick, as soon as possible! This is not a small thing! Thank you!
-----------------------
PeopleInside
Web, security, open source passionate.
Posted By: peopleinside on February 6, 2016, 5:34 pm | Post: 1
Webuzo is using an old version of Exim released in 2011 which is vulnerable to the POODLE attack and can't have SSL 3 disabled.
It seems to be compiled with GnuTLS. From my test, if I try to disable SSL 3 in Exim by following the official instructions here: https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html with the line tls_require_ciphers = NORMAL:!VERS-SSL3.0 then save and restart exim, I can see that no secure ciphers are supported any more. You can see it with this command: openssl s_client -connect mailserver.ext:465 Also if you add to tls_require_ciphers +TLSv1.1:+TLSv1.2:ALL no cipher will be supported, so you must remove tls_require_ciphers completely and you cannot disable SSL 3, so your server will continue to be VULNERABLE. Also if you disable SSL 3, Thunderbird stops working because the connection is not secure. So Webuzo team, you really have to solve a BIG issue with email and security.
-----------------------
PeopleInside
Web, security, open source passionate.
Posted By: peopleinside on February 10, 2016, 4:04 pm | Post: 2
This seems to be an issue with RedHat.
A BUG has been opened https://bugzilla.redhat.com/show_bug.cgi?id=1306345 so now we have to wait; also the Webuzo team, it seems ... cannot do anything until a solution is found by RedHat.
-----------------------
PeopleInside
Web, security, open source passionate.
Posted By: peopleinside on February 12, 2016, 12:51 pm | Post: 3
A patch has been released by RedHat and will be tested and released in the next days.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8e8ac9dfda Status is now pending test.
-----------------------
PeopleInside
Web, security, open source passionate.
Posted By: peopleinside on March 7, 2016, 10:18 am | Post: 4
New, stronger security issue now: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability
Drown_vulnerability in email... it seems SSLv2, even if it is disabled, is supported by the Webuzo server. I don't know if this can be an issue with Exim and Dovecot or with OpenSSL. This should be understood asap and fixed. More info at the topic, where you will also be able to test if you are affected or not: http://www.softaculous.com/board/index.php?tid=8759&title=STRONG_Drown_vulnerability
-----------------------
PeopleInside
Web, security, open source passionate.
Posted By: peopleinside on March 8, 2016, 1:11 pm | Post: 5
This is now solved.
To fix this issue you should back up your Exim configuration. You can do this by using FTPS and downloading the Exim folder in etc, or you can just back up the file exim.conf. After that you need to go to Webuzo, Apps, search for Exim, then remove exim. If you have customized Exim you will lose your customized settings; this is why the backup is important. After removing, please reinstall it. Now in exim.conf, under
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
you can add this row:
openssl_options = +no_sslv2 +no_sslv3
then exit and restart exim. You are safe now. Many thanks to CentOS support, RedHat support and the Webuzo Team... and also to me, who discovered this and also a new vulnerability this week end.
-----------------------
PeopleInside
Web, security, open source passionate.
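As an added example (not code from the thread, from Webuzo or from the Exim project): a small POSIX shell script that checks an exim.conf for the openssl_options setting described in the post above, writes a hardened copy without touching the original (which doubles as the backup the post asks for), and wraps the openssl s_client test from post 1 in a function that tells an SSLv3 refusal apart from an openssl build that cannot speak SSLv3 at all. The sample configuration, file names and host are constructed for the demonstration; only the certificate paths and the option values come from the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Webuzo/Exim. Checks an
# exim.conf for the openssl_options line the fix post describes, writes a
# hardened copy (leaving the original as the backup), and wraps the openssl
# s_client probe from the thread's test as a function. The sample exim.conf
# below is constructed; only the paths and option values come from the thread.

LEGACY_OFF="+no_sslv2 +no_sslv3"

# Return 0 when the exim.conf at $1 has an openssl_options line carrying both
# +no_sslv2 and +no_sslv3, 1 otherwise. Only the last such line counts.
exim_legacy_ssl_disabled() {
    opts=$(sed -n 's/^[[:space:]]*openssl_options[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case " $opts " in
        *" +no_sslv2 "*) ;;
        *) return 1 ;;
    esac
    case " $opts " in
        *" +no_sslv3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a hardened copy of exim.conf $1 to $2. An existing openssl_options line
# is extended rather than duplicated; otherwise the option is inserted right
# after tls_privatekey, where the post puts it, or appended if that line is absent.
harden_exim_conf() {
    src="$1"; dst="$2"
    if exim_legacy_ssl_disabled "$src"; then
        cp "$src" "$dst"
    elif grep -q '^[[:space:]]*openssl_options[[:space:]]*=' "$src"; then
        awk -v add="$LEGACY_OFF" \
            '/^[[:space:]]*openssl_options[[:space:]]*=/ { $0 = $0 " " add } { print }' \
            "$src" > "$dst"
    else
        awk -v add="$LEGACY_OFF" '
            { print }
            /^[[:space:]]*tls_privatekey[[:space:]]*=/ && !done { print "openssl_options = " add; done = 1 }
            END { if (!done) print "openssl_options = " add }' "$src" > "$dst"
    fi
}

# Live check after the restart, built on the s_client command from post 1.
# Not run by this script: it needs network access and an openssl that still
# speaks SSLv3 (current builds reject -ssl3 as an unknown option). Returns
# 0 = SSLv3 refused, 1 = SSLv3 handshake accepted, 2 = probe inconclusive.
probe_sslv3_refused() {
    host="$1"; port="${2:-465}"
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -ssl3 2>&1 || true)
    case "$out" in
        *[Uu]"nknown option"*) return 2 ;;
        *"Protocol  : SSLv3"*) return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed exim.conf (paths are from the post, the rest is made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/exim.conf" <<'EOF'
# constructed sample exim.conf
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
tls_advertise_hosts = *
EOF
if exim_legacy_ssl_disabled "$demo_dir/exim.conf"; then
    echo "original: SSLv2/SSLv3 already off"
else
    echo "original: SSLv2/SSLv3 still enabled"
fi
harden_exim_conf "$demo_dir/exim.conf" "$demo_dir/exim.conf.new"
if exim_legacy_ssl_disabled "$demo_dir/exim.conf.new"; then
    echo "hardened copy: SSLv2/SSLv3 off"
fi
cat "$demo_dir/exim.conf.new"
```

The script only covers an Exim built against OpenSSL, which is what the openssl_options directive applies to; the GnuTLS priority string tried in post 1 (tls_require_ciphers) is not parsed. After restarting exim with the hardened file in place, probe_sslv3_refused run against the server's hostname and port 465 from another machine confirms the result; a return of 2 means the local openssl could not attempt SSLv3 and another client is needed for the check.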