An important security vulnerability has been discovered in the OpenBSD operating system, specifically in the smtpd mail server. It has been assigned CVE-2023-29323 and affects OpenBSD versions 7.1 and earlier, as well as OpenSMTPD Portable version 7.. and earlier.

The flaw sits in the ascii_load_sockaddr function and can cause smtpd to abort upon a connection from a local, scoped IPv6 address, disrupting mail service. In this post, we dive into the details of this vulnerability and look at how it can be exploited.

The vulnerability exists in the ascii_load_sockaddr function found in smtpd. The excerpt below is as the post presents it: the IPv4 branch is omitted, and the token array a[] is assumed to have been filled in by that omitted parsing code.

int ascii_load_sockaddr(struct sockaddr_storage *ss, const char *ascii) {
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;

    /* Some code for earlier IPv4 parsing */

    /* inet_pton() does not accept a "%scope" suffix, so a scoped address
     * such as "fe80::3%eth" makes this test fail and the function returns 0 */
    if (inet_pton(AF_INET6, ascii, &sin6->sin6_addr) == 1) {
        sin6->sin6_family = AF_INET6;
        sin6->sin6_flowinfo = 0;
        sin6->sin6_port = htons(a[1].u.addr.port);   /* a[]: tokens parsed earlier */
        if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr))
            sin6->sin6_scope_id = a[2].u.addr.scopeid;
        return (1);
    }

    return (0);
}

Original References

This vulnerability was initially reported on the OpenBSD mailing list, and you can find the original discussion here. The OpenBSD project has also released errata notices for this issue. You can find the erratum for OpenBSD 7.1 here and the erratum for OpenBSD 7.2 here.

Exploit Details

The main issue with the ascii_load_sockaddr function is that it does not properly handle scoped IPv6 addresses when parsing incoming mail connections. A scoped IPv6 address carries a "%" (percent) character followed by an interface index or an interface name (e.g., "fe80::3%eth"). The suffix indicates that the address is valid only within a specific context or "scope"; for local (link-local) scoped addresses, that scope is the local link, i.e. a single network interface.

When smtpd receives a connection from a local, scoped IPv6 address, the % character and everything after it are treated as part of the address string without being sanitized. This causes the mail server to abort the connection, so it cannot accept mail from that address. While this alone does not lead to a system compromise, an attacker could use it to mount a targeted denial-of-service (DoS) attack against the smtpd mail server and significantly disrupt mail delivery.
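As an added illustration (not smtpd's code and not the OpenBSD patch), here is a hardened loader that splits the "%scope" suffix off before calling inet_pton(), resolves it as an interface index or name, and returns failure on malformed input instead of letting the caller abort. The function name load_scoped_in6 and its signature are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical hardened loader: accepts "addr" or "addr%scope", where
 * scope is a numeric interface index or an interface name.  Returns 1 on
 * success and 0 on any malformed input so the caller can reject the
 * record rather than abort. */
int load_scoped_in6(struct sockaddr_in6 *sin6, const char *ascii, uint16_t port)
{
    char buf[INET6_ADDRSTRLEN + IF_NAMESIZE + 2];
    char *pct, *end;
    unsigned long idx = 0;

    if (strlen(ascii) >= sizeof(buf))
        return 0;                         /* too long to be a valid address */
    strcpy(buf, ascii);                   /* safe: length checked above */

    /* Split off the "%scope" suffix first; inet_pton() rejects any '%',
     * which is exactly why an unsplit scoped address fails to parse. */
    if ((pct = strchr(buf, '%')) != NULL) {
        *pct++ = '\0';
        if (isdigit((unsigned char)*pct)) {
            idx = strtoul(pct, &end, 10);
            if (*end != '\0' || idx == 0 || idx > UINT32_MAX)
                return 0;                 /* trailing garbage or out of range */
        } else if ((idx = if_nametoindex(pct)) == 0) {
            return 0;                     /* empty or unknown interface name */
        }
    }

    memset(sin6, 0, sizeof(*sin6));
    if (inet_pton(AF_INET6, buf, &sin6->sin6_addr) != 1)
        return 0;                         /* not a textual IPv6 address */
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(port);
    sin6->sin6_flowinfo = 0;
    /* A zone index is only meaningful for link-local addresses; for any
     * other address it is ignored and sin6_scope_id stays 0. */
    if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
        sin6->sin6_scope_id = (uint32_t)idx;
    return 1;
}
```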

Mitigation

To mitigate this vulnerability, update your OpenBSD installations with the errata patches mentioned above (7.1 errata 024, 7.2 errata 020). These patches change the ascii_load_sockaddr function to handle scoped IPv6 addresses correctly, so the mail server no longer aborts upon receiving a connection from a local, scoped IPv6 address.

For OpenSMTPD Portable users, it is recommended to update to the latest commit (f748277), which can be found here.

Conclusion

Understanding and addressing vulnerabilities like CVE-2023-29323 is critical for maintaining a secure and efficient mail infrastructure. By keeping systems up-to-date with the latest patches and staying informed on recent developments in the security community, you can mitigate potential risks and protect your environment from malicious actors trying to exploit vulnerabilities like CVE-2023-29323.

Timeline

Published on: 04/04/2023 23:15:00 UTC
Last modified on: 04/12/2023 14:56:00 UTC