Hi. Thanks a lot for taking the time to write about this Gilles.
Regards.

On Thu, Dec 05, 2019 at 07:59:28AM +0100, Gilles Chehade wrote:
> Hello,
>
> In case you haven't seen, multiple CVE were released by Qualys:
>
>     https://www.openwall.com/lists/oss-security/2019/12/04/5
>
> CVE-2019-19521 refers to an Authentication bypass allowing remote people
> to authenticate to an OpenSMTPD without credentials.
>
> A few people were wondering why we didn't publish a patch so here is the
> explanation to clarify a bit.
>
> TL;DR:
> - if you're not on OpenBSD, you can disregard, you're not affected
> - if you're on OpenBSD, run `syspatch` and, once done, restart smtpd, it
>   is _normal_ that you don't see an smtpd patch
>
>
> Details:
>
> The CVE show-cases a vulnerability using smtpd, ldapd, radiusd, sshd and
> su but the issue is really in a libc API they use: bsd_auth(3). There is
> an incorrect code pattern which is coupled with an insufficient check to
> the username, and this allows the authentication bypass that is shown on
> multiple consumers.
>
> So should you worry ?
>
> If you're not using OpenBSD you can disregard this advisory, bsd_auth(3)
> doesn't exist elsewhere.
>
> If you're using OpenBSD, RUN `syspatch` RIGHT AWAY, then restart daemons
> which perform user authentication. The issue being in the libc, you will
> not see a patch for smtpd, it is normal, you still have to restart it so
> it catches up the libc update.
>
> If you're using an OpenBSD that's no longer supported (<=6.4) you're now
> at risk and need to upgrade or disable network daemons that do auth.
>
>
> Could your OpenSMTPD be used to send spam ?
>
> If you're not using OpenBSD, nope.
>
> If you're using OpenBSD, it's technically possible but unlikely. You can
> check by going through your logs and looking for user "-schallenge". The
> bypass only makes sense for setups that expose auth and provide rules to
> match auth users.
>
>
> If you have questions, you can follow up to this mail,
> Cheers,
>
>
> --
> Gilles Chehade                                                 @poolpOrg
>
> https://www.poolp.org            patreon: https://www.patreon.com/gilles
>

--
"Do nothing which is of no use." - Miyamoto Musashi
---------------------------------------------------------------------
Francisco de Borja Lopez Rio (bo...@codigo23.net)
Soluciones Informaticas Codigo23 S.L.U.
http://www.codigo23.net
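
The log check described in the quoted mail (looking for user "-schallenge"), as an added example that is not part of the original thread or of OpenSMTPD. The function names, the layout of the sample lines, and which log files you pass in are assumptions; only the string "-schallenge" comes from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. The sample line layout and the
# function names are assumptions; only "-schallenge" comes from the mail.

# Print every line naming the user "-schallenge" from the given log files.
# Handles plain files and gzip-compressed rotations (names ending in .gz).
# grep -F matches a fixed string, not a regex. -e is required because the
# pattern itself starts with "-" and would otherwise be parsed as options.
scan_schallenge() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip missing or unreadable files
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done | grep -F -e '-schallenge'
}

# Number of matching lines across all given files (0 when there are none).
count_schallenge() {
    scan_schallenge "$@" | awk 'END { print NR }'
}

# Constructed sample lines (hypothetical layout), used when no file is given.
sample_log() {
    cat <<'EOF'
Dec  5 08:00:01 mx smtpd[1001]: 0000000000000001 smtp authentication user=alice result=ok
Dec  5 08:00:02 mx smtpd[1001]: 0000000000000002 smtp authentication user=-schallenge result=ok
Dec  5 08:00:03 mx smtpd[1001]: 0000000000000003 smtp authentication user=bob result=permfail
EOF
}

if [ "$#" -gt 0 ]; then
    echo "lines naming -schallenge: $(count_schallenge "$@")"
    scan_schallenge "$@" || true         # grep exits 1 when nothing matches
else
    tmp=$(mktemp) && sample_log > "$tmp"
    echo "constructed sample, lines naming -schallenge: $(count_schallenge "$tmp")"
    rm -f "$tmp"
fi
```

Pass the current mail log together with its rotated copies as arguments, so that older entries are covered as well.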