In case you haven't seen, multiple CVE were released by Qualys:


CVE-2019-19521 refers to an Authentication bypass allowing remote people
to authenticate to an OpenSMTPD without credentials.

A few people were wondering why we didn't publish a patch so here is the
explanation to clarify a bit.

- if you're not on OpenBSD, you can disregard, you're not affected
- if you're on OpenBSD, run `syspatch` and, once done, restart smtpd, it
  is _normal_ that you don't see an smtpd patch


The CVE show-cases a vulnerability using smtpd, ldapd, radiusd, sshd and
su but the issue is really in a libc API they use: bsd_auth(3). There is
an incorrect code pattern which is coupled with an insufficient check to
the username, and this allows the authentication bypass that is shown on
multiple consumers.

So should you worry ?

If you're not using OpenBSD you can disregard this advisory, bsd_auth(3)
doesn't exist elsewhere.

If you're using OpenBSD, RUN `syspatch` RIGHT AWAY, then restart daemons
which perform user authentication. The issue being in the libc, you will
not see a patch for smtpd, it is normal, you still have to restart it so
it catches up the libc update.

If you're using an OpenBSD that's no longer supported (<=6.4) you're now
at risk and need to upgrade or disable network daemons that do auth.

Could your OpenSMTPD be used to send spam ?

If you're not using OpenBSD, nope.

If you're using OpenBSD, it's technically possible but unlikely. You can
check by going through your logs and looking for user "-schallenge". The
bypass only makes sense for setups that expose auth and provide rules to
match auth users.

If you have questions, you can follow up to this mail,

Gilles Chehade                                                 @poolpOrg

https://www.poolp.org            patreon: https://www.patreon.com/gilles

Reply via email to