Hi.

Thanks a lot for taking the time to write about this, Gilles.

Regards.

On Thu, Dec 05, 2019 at 07:59:28AM +0100, Gilles Chehade wrote:
> Hello,
>
> In case you haven't seen, multiple CVEs were released by Qualys:
>
>     https://www.openwall.com/lists/oss-security/2019/12/04/5
>
> CVE-2019-19521 refers to an Authentication bypass allowing remote people
> to authenticate to an OpenSMTPD without credentials.
>
> A few people were wondering why we didn't publish a patch so here is the
> explanation to clarify a bit.
>
> TL;DR:
> - if you're not on OpenBSD, you can disregard, you're not affected
> - if you're on OpenBSD, run `syspatch` and, once done, restart smtpd, it
>   is _normal_ that you don't see an smtpd patch
>
>
> Details:
>
> The CVE showcases a vulnerability using smtpd, ldapd, radiusd, sshd and
> su but the issue is really in a libc API they use: bsd_auth(3). There is
> an incorrect code pattern which is coupled with an insufficient check to
> the username, and this allows the authentication bypass that is shown on
> multiple consumers.
>
> So should you worry?
>
> If you're not using OpenBSD you can disregard this advisory, bsd_auth(3)
> doesn't exist elsewhere.
>
> If you're using OpenBSD, RUN `syspatch` RIGHT AWAY, then restart daemons
> which perform user authentication. The issue being in the libc, you will
> not see a patch for smtpd, it is normal, you still have to restart it so
> it catches up the libc update.
>
> If you're using an OpenBSD that's no longer supported (<=6.4) you're now
> at risk and need to upgrade or disable network daemons that do auth.
>
>
> Could your OpenSMTPD be used to send spam?
>
> If you're not using OpenBSD, nope.
>
> If you're using OpenBSD, it's technically possible but unlikely. You can
> check by going through your logs and looking for user "-schallenge". The
> bypass only makes sense for setups that expose auth and provide rules to
> match auth users.
>
>
> If you have questions, you can follow up to this mail,
> Cheers,
>
>
> --
> Gilles Chehade                                                       @poolpOrg
>
> https://www.poolp.org            patreon: https://www.patreon.com/gilles
>

--

"Do nothing which is of no use." - Miyamoto Musashi
---------------------------------------------------------------------
Francisco de Borja Lopez Rio (bo...@codigo23.net)
Soluciones Informaticas Codigo23 S.L.U.
http://www.codigo23.net
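The log check Gilles suggests above (look for authentication attempts with user "-schallenge") is easy to script. The following is an added example, not code from either mail nor from the OpenSMTPD project. It assumes the syslog lines contain a `user=<name>` token, which is a simplification (the real smtpd log format varies between versions, so adjust `USER_RE` to match yours); the sample lines are constructed. It also goes one step beyond the mail: besides the exact "-schallenge" indicator, it flags any username beginning with "-", since a legitimate username never starts with an option-like hyphen and such a name should be reviewed.

```python
import re
import sys
from collections import Counter

# Constructed sample lines, loosely modelled on syslog output from smtpd.
# The real format differs between OpenSMTPD versions; the matcher below only
# relies on finding a `user=<name>` token (bare or double-quoted) in the line.
SAMPLE_LOG = """\
Dec  5 08:01:12 mx smtpd[1234]: 3b9a1c2d smtp-in: authentication user=alice result=ok
Dec  5 08:02:40 mx smtpd[1234]: 3b9a1c2e smtp-in: authentication user=-schallenge result=ok
Dec  5 08:03:05 mx smtpd[1234]: 3b9a1c2f smtp-in: authentication user=bob result=permfail
Dec  5 08:04:17 mx smtpd[1234]: 3b9a1c30 smtp-in: authentication user="-sother" result=ok
Dec  5 08:05:59 mx smtpd[1234]: 3b9a1c31 smtp-in: connected address=192.0.2.10 host=example.test
"""

# The username named in the advisory thread as the thing to grep for.
INDICATOR = "-schallenge"

# Assumed token layout: user=name or user="name". Group 1 captures an optional
# opening quote and the backreference \1 requires the matching closing quote.
USER_RE = re.compile(r'\buser=("?)([^"\s]+)\1')


def extract_user(line):
    """Return the username token from a log line, or None if there is none."""
    m = USER_RE.search(line)
    return m.group(2) if m else None


def classify(user):
    """Map a username to a verdict: None (no auth event), 'bypass-indicator',
    'suspicious-option-like' (assumed generalisation: any leading '-'), or 'normal'."""
    if user is None:
        return None
    if user == INDICATOR:
        return "bypass-indicator"
    if user.startswith("-"):
        return "suspicious-option-like"
    return "normal"


def scan(log_text):
    """Scan log text; return (findings, counts).

    findings is a list of (line_no, user, verdict, line) for non-normal events,
    counts is a Counter of verdicts over all authentication events seen."""
    findings = []
    counts = Counter()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        user = extract_user(line)
        verdict = classify(user)
        if verdict is None:
            continue  # not an authentication line
        counts[verdict] += 1
        if verdict != "normal":
            findings.append((line_no, user, verdict, line.strip()))
    return findings, counts


def main():
    # Usage: python scan_schallenge.py [/var/log/maillog]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    findings, counts = scan(text)
    for line_no, user, verdict, line in findings:
        print(f"line {line_no}: {verdict}: user={user!r}\n    {line}")
    print("summary:", dict(counts))


if __name__ == "__main__":
    main()
```

Any "bypass-indicator" hit on a host that was exposed before `syspatch` was applied deserves a closer look at what that session did afterwards (relayed mail, for instance); a "suspicious-option-like" hit is worth reviewing, but is not on its own evidence of the bypass.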
