- Publication date: 2023-10-01
- Detection time: 2023-10-01
- Vulnerability type: Security update
- Risk level: Unknown
- Updated version: Unknown
- Intelligence contributor: TSRC
Security update
CVE ID: CVE-2021-38371
Date: 2021-08-10
Version(s): up to and including 4.94.2
Reporter: Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel
Reference: https://nostarttls.secvuln.info/
Issue: Possible MitM attack on STARTTLS when Exim is *sending* email.

** The Exim developers do not consider this issue as a security problem.
** Additionally, we do not have any feedback about a successful attack
** using the scenario described below.

Conditions to be vulnerable
===========================

Versions up to (and including) 4.94.2 are vulnerable when
*sending* emails via a connection encrypted via STARTTLS.

Details
=======

When Exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which Exim will
erroneously treat as a trusted response.

Source fixed by
https://git.exim.org/exim.git/commit/1b9ab35f323121aabf029f0496c7227818efad14
commit 1b9ab35f323121aabf029f0496c7227818efad14
Author: Jeremy Harris
Date: Thu Jul 30 20:16:01 2020 +0100

Mitigation
==========

There is - beside updating the server - no known mitigation.

Fix
===

Download and build the fixed version 4.95 or a later version
(4.96 was released in June 2022).
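The buffering flaw from the Details section, as an added example that is not Exim's code (the reply parser, function names and the constructed SMTP replies are assumptions): the pre-4.95 pattern hands any plaintext bytes that arrived in the same read as the "220" STARTTLS reply to the client as if they were the TLS-protected reply to the next command, whereas the hardened check refuses to upgrade the connection when such bytes are present.

```python
"""Client-side STARTTLS buffering check (constructed example, not Exim's code)."""

# Constructed sample server replies; "mail.example.test" is a placeholder.
HONEST = b"220 2.0.0 Ready to start TLS\r\n"
# A meddler answers STARTTLS and, in the same plaintext segment, pre-answers EHLO.
INJECTED = HONEST + b"250-mail.example.test\r\n250 AUTH PLAIN\r\n"
# What the real server sends inside TLS in reply to the client's EHLO.
TLS_EHLO_REPLY = b"250-mail.example.test\r\n250 SIZE 52428800\r\n"


def read_reply(buf: bytes):
    """Return (reply, leftover) for the first complete SMTP reply in buf.

    A reply is one or more "NNN-text\\r\\n" lines ending with "NNN text\\r\\n"
    (RFC 5321 also allows a bare "NNN\\r\\n" as the final line).
    """
    lines, pos = [], 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("incomplete reply")
        line = buf[pos:end]
        pos = end + 2
        sep = line[3:4]
        if len(line) < 3 or not line[:3].isdigit() or sep not in (b"", b" ", b"-"):
            raise ValueError("malformed reply line")
        lines.append(line)
        if sep != b"-":  # final line of this reply
            return b"\r\n".join(lines), buf[pos:]


def vulnerable_next_reply(plaintext_buf: bytes, tls_reply: bytes) -> bytes:
    """Flawed pattern: leftover plaintext stays in the read buffer across the
    TLS handshake and is consumed before anything read from the TLS socket."""
    _, leftover = read_reply(plaintext_buf)
    reply, _ = read_reply(leftover + tls_reply)
    return reply


def hardened_starttls(plaintext_buf: bytes):
    """Defensive check: after a 220 reply to STARTTLS, the plaintext buffer
    must be empty; any trailing bytes mean the upgrade must be refused."""
    reply, leftover = read_reply(plaintext_buf)
    if not reply.startswith(b"220"):
        return False, "server declined STARTTLS"
    if leftover:
        return False, "plaintext bytes after STARTTLS reply; refusing to upgrade"
    return True, "ok"
```

With INJECTED, vulnerable_next_reply returns the meddler's "250 AUTH PLAIN" capabilities instead of the server's TLS-protected EHLO reply, while hardened_starttls rejects the session.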
Exim is an MTA (Mail Transfer Agent) server program. It is open-source software released under the GPL and runs mainly on Unix-like systems, where it is typically paired with software such as Dovecot or Courier. "Exim" is also the English abbreviation for Export-Import.
CVE-2021-38371: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38371
None yet
None yet
https://www.exim.org/static/doc/security/CVE-2021-38371.txt