Security Metrics PCI compliance - Exim fails test?

Posted on 2008-10-08
Last Modified: 2013-12-16
Currently running:
WHM 11.23.2 cPanel 11.23.6-R27698
REDHAT Enterprise 5.2 i686 on standard - WHM X v3.1.0

This one is driving me crazy. I've absolutely looked at everything, updated everything, checked everything, etc. But still, the last three security scans from Security Metrics returns this failure:

The remote host is running a version of the Exim MTA which is vulnerable to several remote buffer overflows. Specifically, if either 'headers_check_syntax' or 'sender_verify = true' is in the exim.conf file, then a remote attacker may be able to execute a classic stack- based overflow and gain inappropriate access to the machine. *** If you are running checks with safe_checks enabled, this may be a false positive as only banners were used to assess the risk! *** It is known that Exim 3.35 and 4.32 are vulnerable. Solution: Upgrade to Exim latest version Risk Factor: High

-- YES - We do indeed have the latest version of Exim installed (see the version readout below).

-- YES - The following are not found in any of our configuration files for Exim: headers_check_syntax, sender_verify and also by-the-way safe_checks (This is logical, because these variables probably only apply to former versions of Exim.)

Here's the latest exim -bV readout:

Exim version 4.69 #1 built 10-Jun-2008 11:34:56
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
Support for: crypteq iconv() PAM Perl OpenSSL Content_Scanning Old_Demime Experimental_SPF Experimental_SRS Experimental_DomainKeys Experimental_DKIM
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Size of off_t: 8
Configuration file is /etc/exim.conf

Anyone know what could possibly be going on here?

Thanks very much!
Question by:joetac
  • 3
  • 2
LVL 40

Expert Comment

ID: 22674327
Appearantly it cannot determine what version of Exim is running.
You can check if it sais the version in the banner sent to the mail client:

$ telnet mailserver 25  # should respond with:, You disconnect by sending QUIT
220 ServerName ESMTP Exim 4.69 Thu, 09 Oct 2008 01:00:54 +0200
221 ServerName closing connection

... If there is a different banner it might confuse the scanner?

Author Comment

ID: 22674467
Yes, one would think, but here's what I get locally (replacing the actual server name below):

$ telnet localhost 25
Connected to localhost (
Escape character is '^]'. ESMTP Exim 4.69 #1 Wed, 08 Oct 2008 18:40:55 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

I also get this is what I get when doing this from another server with (something like):'
telnet 25

And of course we've triple checked that the Security Metrics scanner is not being blocked, indeed all other scan tests have passed.
LVL 40

Accepted Solution

noci earned 500 total points
ID: 22683287

that means that either it is a generic comment in the Security Metrics scanner,
when exim is detected..., or it is a problem with the scanner matching a version....

IMHO, it is the first. the comment is rather generic, are there newer rule files for this scanner?

I am not aware of any newer version for exim.

Author Comment

ID: 22683788
Thanks noci. Do you have any recommendations with regard to what I should recommend to our hosted customer? As in, how they should approach Security Metrics with this issue?
LVL 40

Expert Comment

ID: 22684981
That's a big question...., I don't know your customer or the SM-check tool provider.
Clearly the issues at hand are not in the available exim
Version number in the SM-tool are a bit off, the issues at hand were >30 versions of software back... and quite old (4.33 was issued in may 2004).
So either the testbed fails on a small part or as a whole (which implies that if no updates to SM are available, how accurate is it in the things that DID pass it's test),
Rule of Thumb, blind faith in any tool will get you... And tools that don't update regularly are dangerous.
If they observed a certain reaction to you malicious input like sudden loss of connection they should urge to check logs etc.  HOW the disconnect happenned.
The disconnect might well be intentional, in stead of accidental.


Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Postfix issues with spam/auth attempts under NAT 9 134
Bash script - Exit out of choice loop 2 55
SSL/TLS - openssl troubleshooting 3 61
Enable SPF on IMSVA 6 22
Daily system administration tasks often require administrators to connect remote systems. But allowing these remote systems to accept passwords makes these systems vulnerable to the risk of brute-force password guessing attacks. Furthermore there ar…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question