False positive for VT OID:1.3.6.1.4.1.25623.1.0.151116 (exim)

Hello everybody,

I got a false positive from VT OID:1.3.6.1.4.1.25623.1.0.151116 for cpe:/a:exim:exim:4.98, while the affected version should be <= 4.96.2.

The script is reporting the vuln regardless of the actual Exim version, because it looks like security_message() is always triggered with no version check:

include("host_details.inc");
include("version_func.inc");

# Bail out if no Exim service was detected for this CPE.
if (!port = get_app_port(cpe: CPE))
  exit(0);

# Bail out if no version could be extracted from the banner.
if (!version = get_app_version(cpe: CPE, port: port))
  exit(0);

# No comparison against an affected range: every detected version is reported,
# with "None" as the fixed version.
report = report_fixed_ver(installed_version: version, fixed_version: "None");
security_message(port: port, data: report);
exit(0);

Script details:
script_oid("1.3.6.1.4.1.25623.1.0.151116");
script_version("2024-10-03T05:05:33+0000");
script_tag(name:"last_modification", value:"2024-10-03 05:05:33 +0000 (Thu, 03 Oct 2024)");
script_tag(name:"creation_date", value:"2023-09-29 04:31:53 +0000 (Fri, 29 Sep 2023)");
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:A/AC:H/Au:N/C:C/I:C/A:C");
script_cve_id("CVE-2023-42118");
script_tag(name:"qod_type", value:"remote_banner");
script_name("Exim <= 4.96.2 libspf2 RCE Vulnerability (Sep 2023)");
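For comparison, here is what the same detection skeleton looks like with an explicit version gate. This is an added illustration, not the Greenbone VT's own code: the CPE key "cpe:/a:exim:exim" is assumed from the CPE string in the report, and the fixed version is a placeholder because the thread does not name a confirmed fixed release (which is exactly why the shipped VT reports unconditionally).

```nasl
# Added example (not the Greenbone VT's own code): the excerpt above with a
# version gate. Assumptions: the CPE key below, and a placeholder fixed version.
CPE = "cpe:/a:exim:exim";                       # assumed CPE key for the Exim detection
FIXED_VERSION = "FIXED-VERSION-PLACEHOLDER";    # placeholder, no confirmed fixed release

include("host_details.inc");
include("version_func.inc");

# No Exim service detected for this CPE: nothing to check.
if (!port = get_app_port(cpe: CPE))
  exit(0);

# No version extracted from the banner: nothing to compare.
if (!version = get_app_version(cpe: CPE, port: port))
  exit(0);

# Only report when the detected version is at or below the last known affected
# release named in the VT title (4.96.2). A 4.98 banner would not pass this test.
if (version_is_less_equal(version: version, test_version: "4.96.2")) {
  report = report_fixed_ver(installed_version: version, fixed_version: FIXED_VERSION);
  security_message(port: port, data: report);
  exit(0);
}

# Anything newer is treated as not affected by this check.
exit(99);
```

The gate only makes sense once a vendor or the ZDI confirms which release actually fixes the issue; until then an unconditional report with an override is the conservative choice the reply below describes.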

Hello,

and welcome to this community forum. This behavior is currently expected, as there is no clear indicator that this has been fixed, as e.g. discussed here:

Various major Linux distributions are still shown as vulnerable, as seen here:

If you disagree with the current assessment, please create an override on this report at your own risk.

Another option could be to contact either the vendor or the ZDI for additional info and ask for an update on the affected / fixed status; afterwards the VT could for sure be adjusted.