PatchSiren cyber security CVE debrief

CVE-2016-9963 Canonical CVE debrief

CVE-2016-9963 describes a key-management flaw in Exim in which the private DKIM signing key could be exposed through log files and bounce messages. The issue was published on 2017-02-01 and is rated medium severity (CVSS 5.9). If the key is disclosed, an attacker could undermine message authenticity for the affected mail domains.

Vendor: Canonical
Product: CVE-2016-9963
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Email and mail-server operators running Exim, especially administrators of systems that generate DKIM-signed mail. Distribution maintainers and teams that rely on packaged Exim builds from Debian or Ubuntu should also verify whether their installed packages include the fixed release.

Technical summary

The supplied CVE description indicates that Exim versions before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via log files and bounce-message handling. NVD classifies the weakness as CWE-320 (Key Management Errors). The CVSS vector provided is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: a network-reachable (AV:N) confidentiality issue (C:H) with no impact on integrity or availability, and with high attack complexity (AC:H), meaning the exposure depends on specific conditions rather than being triggerable at will.

Defensive priority

Medium. This is a confidentiality-focused issue that can have high downstream impact if a DKIM private key is exposed, but the CVSS score is moderate and exploitation requires the right logging/bounce-message conditions.

Recommended defensive actions

  • Upgrade Exim to a version that includes the fix described in the vendor advisory and ensure affected distro packages are updated.
  • Review mail-server logging and bounce-message handling for any exposure of DKIM private key material.
  • If there is any chance the key was exposed, rotate the DKIM signing key and update DNS records and signing configuration accordingly.
  • Check Debian and Ubuntu security advisories for the appropriate package updates on affected releases.
  • Audit mail infrastructure for other secret-handling issues that could place signing keys in logs or error paths.
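The second and third actions above (review logs and bounce output for leaked key material, then rotate if anything is found) can be turned into a repeatable check. The following script is an added example written for this debrief, not code from PatchSiren, Exim, or the distributions; it scans arbitrary log or bounce text for multi-line PEM private-key blocks, reports where they are and a fingerprint of the payload, and compares that fingerprint against a given on-disk key so an operator knows which selector must be rotated. The log lines and the key are constructed placeholders, not real Exim output or real key material.

```python
import hashlib
import re
from typing import Dict, List

# Multi-line PEM private-key block. Group 1 captures the optional key-type
# prefix so the END marker must match the BEGIN marker; group 2 is the body.
_PEM_KEY_RE = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?)PRIVATE KEY-----"
    r"(.*?)"
    r"-----END \1PRIVATE KEY-----",
    re.DOTALL,
)


def _normalise_body(body: str) -> str:
    """Collapse a PEM body to its base64 payload with all whitespace removed."""
    return re.sub(r"\s+", "", body)


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per private-key block found anywhere in ``text``.

    Each finding carries the 1-based start/end line of the block, the key type
    from the PEM header, and a SHA-256 fingerprint of the base64 payload, so an
    operator can correlate the leak with an on-disk key file without copying
    the key material into a ticket or report.
    """
    findings = []
    for match in _PEM_KEY_RE.finditer(text):
        payload = _normalise_body(match.group(2))
        findings.append({
            "start_line": text.count("\n", 0, match.start()) + 1,
            "end_line": text.count("\n", 0, match.end()) + 1,
            "key_type": match.group(1).strip() or "PKCS8",
            "fingerprint": hashlib.sha256(payload.encode()).hexdigest(),
        })
    return findings


def redact(text: str) -> str:
    """Replace every private-key block with a marker, keeping the rest intact."""
    return _PEM_KEY_RE.sub("[REDACTED PRIVATE KEY]", text)


def fingerprint_pem(pem: str) -> str:
    """Fingerprint an on-disk PEM key the same way scan_text() does."""
    match = _PEM_KEY_RE.search(pem)
    if match is None:
        raise ValueError("no private-key block found")
    return hashlib.sha256(_normalise_body(match.group(2)).encode()).hexdigest()


def leaked_keys_matching(text: str, pem: str) -> List[Dict[str, object]]:
    """Findings whose payload equals the given on-disk key (that key must be rotated)."""
    wanted = fingerprint_pem(pem)
    return [f for f in scan_text(text) if f["fingerprint"] == wanted]


# Constructed placeholder key: NOT a real key, the base64 is filler.
SAMPLE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAKconstructedPlaceholderNotARealKey000000000000000000000\n"
    "AiEAconstructedPlaceholderNotARealKey1111111111111111111111111111=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Constructed log excerpt in the style of an Exim mainlog (not real output):
# two ordinary delivery records, then an error record into which a private
# key body has been written. Lines 4-7 are the key block.
SAMPLE_LOG = (
    "2017-01-30 10:01:02 1cXyZ-0001ab-Cd <= sender@example.test H=mx.example.test [192.0.2.10]\n"
    "2017-01-30 10:01:03 1cXyZ-0001ab-Cd => rcpt@example.test R=dnslookup T=remote_smtp\n"
    "2017-01-30 10:02:15 1cXyZ-0001ac-Ef ** rcpt@example.test: DKIM signing error\n"
    + SAMPLE_KEY
    + "2017-01-30 10:02:16 1cXyZ-0001ac-Ef Completed\n"
)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f['key_type']} private key at lines {f['start_line']}-{f['end_line']}, "
              f"sha256={f['fingerprint'][:16]}...")
    print("matches installed key:", bool(leaked_keys_matching(SAMPLE_LOG, SAMPLE_KEY)))
    print(redact(SAMPLE_LOG))
```

A line-oriented grep for "PRIVATE KEY" would flag the marker but not recover the body, which spans several lines; matching the whole block lets the script fingerprint the payload and compare it with the configured key file, and `redact()` produces a copy of the evidence that is safe to attach to an incident record. In practice the same functions would be run over the Exim main and panic logs and over any retained bounce messages; a match against the installed key means the rotation and DNS-update step is required, not optional.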

Evidence notes

This debrief is based only on the supplied CVE record and its listed references. The CVE description states the issue affects Exim before 4.87.1 and involves logs and bounce messages. NVD lists CWE-320 and the CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The supplied CPE data includes Exim up to 4.87 and several affected Ubuntu and Debian releases. No exploit details or unverified remediation steps are included.

Official resources

The CVE record was published on 2017-02-01. The supplied record was later modified on 2026-05-13, but that does not change the original disclosure date.