DaemonForums > News
#1, 25th February 2020, e1-531g (ISO Quartermaster; Join Date: Mar 2014; Posts: 628)
RCE bug in OpenSMTPD email server

Quote:
021: SECURITY FIX: February 24, 2020 All architectures
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
https://www.openbsd.org/errata66.html

New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
Quote:
Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.

Researchers at Qualys published a technical report, noting that the issue is an out-of-bounds read introduced in December 2015 with commit 80c6a60c.
#2, 26th February 2020, frcc (Don't Worry Be Happy!; Join Date: Jul 2011; Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas; Posts: 335)

The attack vector is somewhat "original". What do you think?
#3, 26th February 2020, gpatrick (Spam Deminer; Join Date: Nov 2009; Posts: 245)

Quote:
Only two remote holes in the default install, in a heck of a long time!
OpenSMTPD is in the base, and
Quote:
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root.
would dispel that first quote as being true.

They just had a vulnerability too. Doesn't seem like that audit is working for an operating system whose claim to fame is security.
#4, 27th February 2020, jmccue (Real Name: John McCue; Package Pilot; Join Date: Aug 2012; Location: here; Posts: 167)

Quote:
Originally Posted by gpatrick View Post
OpenSMTPD is in the base, and would dispel that first quote as being true.

They just had a vulnerability too. Doesn't seem like that audit is working for an operating system whose claim to fame is security.
From what I read, smtpd is only enabled locally; to make it available to the outside world one needs to configure it to 'open' it up.

Thus, if what I have read is true, the statement still stands.
#5, 27th February 2020, gpatrick (Spam Deminer; Join Date: Nov 2009; Posts: 245)

I realize that will be their stock answer, but that is just ridiculous. What good is a computer if you can't use it? It would be like a 1981 computer that just sits there and impresses people who see it.

Every operating system can be considered secure then, even Windows, if you don't connect it to the internet or enable anything.

The default install is secure! But you can't do anything with it.
#6, 27th February 2020, jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

In this particular RCE case, the default configuration does not listen for incoming SMTP traffic, but it permits outgoing traffic to be sent. It is in the bounce back of outgoing traffic where the attack surface occurs, and where a specially crafted header can be used in a successful attack. It's an RCE. Really.

Sorry gpatrick, that this particular bug has angered you. Bugs happen. Audits are conducted by humans. I'm not going to apologize for the Project -- I'm not a member. If this is the straw that has broken your particular camel's back, you're welcome to transition to another MTA platform -- the OS has mailwrapper(8) specifically to give you the choice -- or, transition to another OS entirely.
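The point above is that an MTA relaying outbound mail is the SMTP *client* in those sessions, so every byte the remote server sends back is hostile input that ends up in smtpd's own data structures and, on failure, in the envelope/bounce record. Neither the thread nor the errata shows the defective code, so the following is an added example of mine, not OpenSMTPD's code and not a reconstruction of the bug: a strict RFC 5321 reply-line reader of the kind a relaying client needs, which rejects short or non-numeric lines, control bytes (including CR/LF) inside reply text, code changes within a multi-line reply, and unbounded continuation. The `MAX_LINES` policy, the `" | "` separator and the sample replies are this example's own assumptions.

```python
import re

MAX_LINE = 512    # RFC 5321 section 4.5.3.1.5: a reply line including CRLF is at most 512 octets
MAX_LINES = 100   # local policy (assumption): bound on continuation lines a hostile peer may send


class SMTPReplyError(ValueError):
    """Raised for any server reply that is not valid RFC 5321 reply syntax."""


# Reply-line = Reply-code ( "-" / SP ) textstring, or a bare Reply-code on the last line.
# textstring is restricted to HT and printable ASCII, so CR, LF and other controls never match.
_REPLY_LINE = re.compile(rb"([2-5][0-9]{2})(?:([ -])([\t\x20-\x7e]*))?")


def parse_reply_line(line):
    """Validate one reply line (bytes, CRLF already removed).

    Returns (code, is_last, text). Raises SMTPReplyError on anything outside the grammar:
    lines shorter than a reply code, non-digit codes, embedded control bytes, over-long lines."""
    if len(line) + 2 > MAX_LINE:
        raise SMTPReplyError("reply line too long")
    m = _REPLY_LINE.fullmatch(line)      # fullmatch: no trailing garbage, no trailing newline
    if m is None:
        raise SMTPReplyError("malformed reply line: %r" % (line[:32],))
    code, sep, text = m.groups()
    is_last = sep != b"-"                # "250-text" continues; "250 text" or bare "250" ends it
    return int(code), is_last, (text or b"").decode("ascii")


def read_reply(data):
    """Consume one complete, possibly multi-line, reply from the front of data.

    Returns (code, list_of_text_lines, remaining_bytes). Every line must carry the same
    code; a line without CRLF is reported as incomplete rather than parsed partially."""
    lines, code, rest = [], None, data
    while True:
        if len(lines) >= MAX_LINES:
            raise SMTPReplyError("too many continuation lines")
        nl = rest.find(b"\r\n")
        if nl < 0:
            if len(rest) + 2 > MAX_LINE:
                raise SMTPReplyError("reply line too long")
            raise SMTPReplyError("incomplete reply; caller must read more data")
        this_code, is_last, text = parse_reply_line(rest[:nl])
        rest = rest[nl + 2:]
        if code is None:
            code = this_code
        elif this_code != code:
            raise SMTPReplyError("reply code changed within a multi-line reply")
        lines.append(text)
        if is_last:
            return code, lines, rest


def reply_is_valid(data):
    """True if data holds exactly one syntactically valid, complete reply at its front."""
    try:
        read_reply(data)
        return True
    except SMTPReplyError:
        return False


def record_error_line(code, lines, limit=256):
    """Flatten a validated reply into one line for a line-oriented record (a bounce report
    or a per-message status field). Because parse_reply_line() admits only HT and printable
    ASCII, the result can never contain CR or LF and so cannot add lines to that record."""
    flat = ("%d %s" % (code, " | ".join(lines))).replace("\t", " ")
    assert "\r" not in flat and "\n" not in flat
    return flat[:limit]


if __name__ == "__main__":
    # Constructed sample replies, not captured from any real server.
    code, text, rest = read_reply(b"220-mx.example.test ESMTP\r\n220 ready\r\n")
    print(code, text, rest)
    for hostile in (b"250-ok\r\n5\r\n250 done\r\n",        # continuation line shorter than a code
                    b"550 no\n550 second line\r\n",        # bare LF smuggled into reply text
                    b"250-ok\r\n550 changed\r\n"):         # code changes mid-reply
        print("rejected" if not reply_is_valid(hostile) else "accepted", hostile)
    print(record_error_line(451, ["try again", "later"]))
```

Feeding `read_reply` a socket buffer and keeping `remaining_bytes` for the next call is the intended usage; the "incomplete reply" error is the signal to read more, not a protocol violation.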
#7, 27th February 2020, frcc (Don't Worry Be Happy!; Join Date: Jul 2011; Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas; Posts: 335)

It happens to them all one way or another.....
i.e.
https://www.forbes.com/sites/zakdoff.../#21bab0dcb232
#8, 29th February 2020, openletter (Real Name: Paul; New OpenBSD User; Join Date: Feb 2020; Posts: 23)

I'm only an enthusiast and new to OpenBSD, but while the default install* of OpenSMTP includes sending outbound mail, I don't see anything on the server configured to send outbound mail. I do wonder if the OpenBSD project is perhaps trolling with that statement on their home page.

However, with a default install of OpenBSD I have at the very least a SOCKS proxy; an actually useful tool. I could also argue that Windows is useful for word processing, spreadsheets and other tasks without being connected to teh interwebs.

Issues regarding the utility of a computer ca. 1981 are related to available software and capabilities of the hardware. By modern standards, you couldn't even open an empty spreadsheet (.xlsx or .ods).


* So far I have only been learning with the Vultr image. I don't know how or if they have modified the OS.
#9, 29th February 2020, jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

This is what you should see in /etc/mail/smtpd.conf with a default install of 6.6-release. It is the action to relay which opens an SMTP session with other servers:
Code:
#    $OpenBSD: smtpd.conf,v 1.12 2019/07/24 15:31:53 kmos Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases

# To accept external mail, replace with: listen on all
#
listen on lo0

action "local_mail" mbox alias <aliases>
action "outbound" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match for any action "outbound"
Vultr makes a number of minor provisioning changes to their -release image, the most egregious of which is a useless filesystem partitioning schema. The general guidance by those of us who are Vultr customers is to:
  1. Create any new VPS instance using their OpenBSD image. This ensures the physical server Vultr selects has its KVM hypervisor provisioned correctly for OpenBSD guests. Not all do.
  2. Reboot the new instance from the NoVNC console, and at the boot> prompt, type bsd.rd, press the Enter key and boot the RAMDISK kernel.
  3. At the "Install, Upgrade, Autoinstall, or Shell?" prompt, select Install and complete a brand new installation with filesets from the Project's mirrors, using your own selected partitioning layout.

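The config above is the whole argument in the thread: `listen on lo0` means nothing outside the box can open an SMTP session to smtpd, but `action "outbound" relay` plus `match for any action "outbound"` means smtpd will open sessions to whatever MX resolves for a recipient. The following is an added example (mine, not part of the post and not an OpenSMTPD tool) that parses an smtpd.conf in the 6.6-release grammar shown above and reports both exposures: whether any listener is non-local, and whether any match rule routes to a relay action. It handles only the directives present in the default file, treats `lo0`, `localhost`, `127.0.0.1` and `::1` as local, and embeds the quoted default config as its sample input.

```python
import shlex

# The default /etc/mail/smtpd.conf from OpenBSD 6.6-release, as quoted in the post above.
DEFAULT_SMTPD_CONF = """\
#    $OpenBSD: smtpd.conf,v 1.12 2019/07/24 15:31:53 kmos Exp $
table aliases file:/etc/mail/aliases
# To accept external mail, replace with: listen on all
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay
# match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match for any action "outbound"
"""

# Listener names that cannot be reached from another host (assumption for this audit).
LOCAL_LISTENERS = {"lo0", "localhost", "127.0.0.1", "::1"}


def parse_smtpd_conf(text):
    """Return (listeners, actions, matches) from smtpd.conf text in the 6.6 grammar.

    listeners: the token after "listen on" (interface, address, "all", ...)
    actions:   action name -> its method keyword (mbox, maildir, relay, ...)
    matches:   (condition tokens, action name) per match rule, in file order
    """
    listeners, actions, matches = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        if not line:
            continue
        tok = shlex.split(line)               # strips the quotes around action names
        if tok[:2] == ["listen", "on"] and len(tok) >= 3:
            listeners.append(tok[2])
        elif tok[0] == "action" and len(tok) >= 3:
            actions[tok[1]] = tok[2]
        elif tok[0] == "match" and "action" in tok:
            i = tok.index("action")
            if i + 1 < len(tok):
                matches.append((tok[1:i], tok[i + 1]))
    return listeners, actions, matches


def audit(text):
    """Summarise the two exposures discussed in the thread for one smtpd.conf."""
    listeners, actions, matches = parse_smtpd_conf(text)
    external = [l for l in listeners if l not in LOCAL_LISTENERS]
    # A match rule whose action is "relay" makes smtpd an SMTP client to remote servers.
    relay_rules = [(cond, name) for cond, name in matches if actions.get(name) == "relay"]
    return {
        "accepts_external_smtp": bool(external),
        "external_listeners": external,
        "relays_outbound": bool(relay_rules),
        "relay_rules": [" ".join(cond) + " -> " + name for cond, name in relay_rules],
    }


if __name__ == "__main__":
    for key, value in audit(DEFAULT_SMTPD_CONF).items():
        print("%-22s %s" % (key + ":", value))
```

Run against the default file it reports `accepts_external_smtp: False` and `relays_outbound: True`, which is exactly the configuration the errata entry applies to; to audit a live host, read `/etc/mail/smtpd.conf` and pass its contents to `audit()`.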
#10, 1st March 2020, openletter (Real Name: Paul; New OpenBSD User; Join Date: Feb 2020; Posts: 23)

Geez, I just figured out that the mail command can be used to send email to remote servers, so they do need to update their home page. On my first install I immediately installed mutt, so I didn't really play around with default mail.

Thank you for the install tip on Vultr. I'll use that for new servers from now on.
#11, 1st March 2020, jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

I think you're confusing a mail user agent (MUA) with a mail transfer agent (MTA). The first is for use by human beings, the latter are to transfer mail between servers. As examples, mutt, mail(1), Thunderbird, and Outlook are MUAs, while smtpd(8), sendmail, Postfix, and Exchange are MTAs.
#12, 1st March 2020, openletter (Real Name: Paul; New OpenBSD User; Join Date: Feb 2020; Posts: 23)

While I'm very far from anything close to an expert on any of this stuff, I've been self-hosting personal mail servers for going on 7 years now*, although a few years ago I ditched self-configuring for Mail-in-a-Box for time reasons. (o:

My previous post was intended to communicate that even with OpenSMTPD being configured to support sending outbound mail, if there isn't anything on the default install that actually tells OpenSMTPD to send outbound mail, then the statement on the project's homepage could still be correct. I posted the followup because I discovered that the mail command can use OpenSMTPD to send outbound mail.

I suspect the confusion you are seeing may be due to how I worded the post, suggesting that I may perceive mail or mutt to be communicating directly with external servers. That wasn't my intent.

* I originally learned how to configure a mail server through this excellent Ex Ratione tutorial. It was originally very deep in search results, though this and later articles on the same site are now at the top of many search queries. This series of mail tutorials is the best I ever found because of the amount of time taken to explain many of the key elements of the configuration, as well as stressing how important it is to review project documentation to better understand the tools as well as to continue to do one's own configuring (which is what I did):

https://www.exratione.com/2012/05/a-...dovecot-mysql/
#13, 1st March 2020, jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

Quote:
... if there isn't anything on the default install that actually tells OpenSMTPD to send outbound mail
There are mailed cron(8) reports from daily(8)/weekly(8). Without any additional provisioning, those reports are sent to root's mbox. Additionally, any default installation with a connection to the Internet and a nameserver provisioned (such as with DHCP) will permit outgoing mail to a resolvable MX through mail(1) or sendbug(1).

That's not the issue, at least to me. The crux of the matter, to me, is that the default configuration of the MTA is provisioned to send mail via an SMTP session to any remote server defined by MX domain resolution. That presented a previously unrecognized and unanticipated attack surface, provably successful. The RCE error has now been fixed. Whether the Project chooses to update their website is up to them.

Tags: email, opensmtpd, rce
