DaemonForums  

Old 27th October 2019
hitest hitest is offline
Real Name: George Nielsen
Spam Deminer
 
Join Date: Sep 2008
Location: B.C., Canada
Posts: 277
Default Syspatch 1-2 available for OpenBSD 6.6

Syspatch 1-2 are available for all architectures for OpenBSD 6.6.

http://www.openbsd.org/errata66.html
__________________
hitest
Old 31st October 2019
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

The third patch released: now for bgpd(8)!
Old 1st November 2019
hitest hitest is offline
Real Name: George Nielsen
Spam Deminer
 
Join Date: Sep 2008
Location: B.C., Canada
Posts: 277
Thumbs up

Quote:
Originally Posted by CiotBSD View Post
The third patch released: now for bgpd(8)!
Thank you!
__________________
hitest
Old 29th January 2020
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

syspatch for OpenSMTPD: 2 patches; the 2nd is very important for system security.

Gilles Chehade wrote:
https://marc.info/?l=openbsd-tech&m=158025543830138&w=2
Old 29th January 2020
ripe ripe is offline
Shell Scout
 
Join Date: Feb 2013
Location: Occitanie, France
Posts: 115
Default

Thank you.
Old 30th January 2020
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

An interesting review by the Openwall team about OpenSMTPD "breaches":

https://www.openwall.com/lists/oss-s...y/2020/01/28/3
Old 30th January 2020
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,907
Default

Yep. A logic error in validation, leading to the possibility of arbitrary remote code execution (as root!) when delivering to an mbox. Luckily, none of my OpenSMTPd servers use mbox -- they forward to a central server which uses Maildir -- so I don't need to worry about a previously open attack surface.
Old 30th January 2020
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 238
Default

Quote:
Only two remote holes in the default install, in a heck of a long time!
Since OpenSMTPD is in the OpenBSD base, and this exploit can lead to remote code execution as root, then they will be changing that line?
Old 30th January 2020
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,907
Default

The website is maintained with cvs(1). You're welcome to submit a diff(1).
Old 30th January 2020
TronDD TronDD is offline
Package Pilot
 
Join Date: Sep 2014
Posts: 214
Default

Quote:
Originally Posted by gpatrick View Post
Since OpenSMTPD is in the OpenBSD base, and this exploit can lead to remote code execution as root, then they will be changing that line?
smtpd does not listen on an external interface in the default installation.
Old 31st January 2020
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 238
Default

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Quote:
The delivery agent is invoked by OpenSMTPD executing a shell command
That from an operating system that touts itself as secure, and then allows a shellcode injection attack? This has been hanging out there for at least two years. So much for that careful auditing of all the code.

Last edited by gpatrick; 31st January 2020 at 03:46 AM.
Old 31st January 2020
victorvas victorvas is offline
Real Name: Victor
Fdisk Soldier
 
Join Date: May 2019
Posts: 54
Default

Quote:
Originally Posted by gpatrick View Post
Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage


That from an operating system that touts itself as secure, and then allows a shellcode injection attack? This has been hanging out there for at least two years. So much for that careful auditing of all the code.
Human factor. People make mistakes.
Old 31st January 2020
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,907
Default

FWIW, gilles@ has published a post mortem on his blog:

https://poolp.org/posts/2020-01-30/o...ory-dissected/
Old 1st February 2020
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 238
Default

Didn't read all of it, but I'm still moving my mail server back to Plan 9 Upas - A Simpler Approach to Network Mail.

Erik Quanstrom also has a paper Scaling Upas about his work on nupas while at Coraid.

Last edited by gpatrick; 1st February 2020 at 12:38 AM.
Old 1st February 2020
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,588
Default

From https://poolp.org/posts/2020-01-30/o...ory-dissected/
Quote:
Since this blew to my face, I had several ideas to tackle this. Some were already discussed and not retained because they had potential for other issues. The current ideas are these:
  • switching back mail delivery agents to execle()
  • disallowing delivery to root
[snip]
It has been a long time since I used Daniel Bernstein's qmail, but one of the many precautions Bernstein takes to make qmail safe is not delivering any mail to 'root' or any other user with '0' as userid.

In my 'install.site' script I always use the following patch script snippet to configure non-root mail delivery:
Code:
echo --- patch script for: aliases \( generated: Sun 2011-02-20 18:26 CET\) --- BEGIN 

# ---  edit the following line if needed
FILE=/etc/mail/aliases

EXT="$(date "+%Y%m%d_%H%M%S")"

patch -b -z ${EXT} -p0 ${FILE} <<END_OF_PATCH
--- ORIG/aliases        Sun Feb 20 03:20:19 2011
+++ NEW/aliases Sun Feb 20 17:13:19 2011
@@ -69,9 +69,9 @@
 sshd:   /dev/null
 
 # Well-known aliases -- these should be filled in!
-# root:
-# manager:
-# dumper:
+root:          j65nko
+manager:       root
+dumper:                root
 
 # RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
 abuse:         root
END_OF_PATCH

echo  --- patch script for: aliases --- END
# -----------------
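Review bot: in the `@@ -69,9 +69,9 @@` hunk, `root: j65nko` hard-codes one site's account name, and the context lines and offsets come from an aliases file that the hunk header dates to 2011, so on another host or release the hunk can be rejected or leave root pointing at an account that is not there. Suggest taking the target user from a variable set next to `FILE` at the top of the script, and testing the exit status of `patch` before the closing `echo`, since nothing after the here-document checks whether the change applied.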
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
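As an added example (not part of the post above, and not OpenBSD's or OpenSMTPD's own code), this script follows alias chains in an aliases file and checks that mail for root ends up somewhere other than the root account, which is the property the patch above sets up. The function names are hypothetical, the sample entries are constructed from the patched lines in the post, and only the account named `root` is treated as uid 0.

```shell
#!/bin/sh
# Added example (hypothetical names; only the name root is treated as uid 0).
# resolve_alias FILE NAME: print the final delivery targets, sorted.
resolve_alias() {
    awk -v start="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]/ && last != "" { map[last] = map[last] "," $0; next }  # continuation
    {
        i = index($0, ":"); if (i == 0) next
        last = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", last)
        map[last] = substr($0, i + 1)
    }
    function walk(n,    parts, cnt, k, t, c) {
        n = tolower(n)
        if (!(n in map)) { out[n] = 1; return }  # not an alias: a local user
        if (n in visiting) { out["LOOP:" n] = 1; return }
        visiting[n] = 1
        cnt = split(map[n], parts, ",")
        for (k = 1; k <= cnt; k++) {
            t = parts[k]; gsub(/^[ \t]+|[ \t]+$/, "", t); c = substr(t, 1, 1)
            if (t == "") continue
            if (c == "/" || c == "|" || index(t, "@") || tolower(t) == n)
                out[t] = 1                       # file, pipe, remote or self
            else
                walk(t)
        }
        delete visiting[n]
    }
    END { walk(start); for (k in out) print k }
    ' "$1" | sort -u
}

# root_mail_ok FILE: status 0 when root is aliased away and no chain ends at root.
root_mail_ok() {
    targets=$(resolve_alias "$1" root)
    [ -n "$targets" ] || return 1
    ! printf '%s\n' "$targets" | grep -Eqx 'root|LOOP:.*'
}

# Constructed sample: the patched entries from the post above.
sample_aliases() {
    printf '%s\n' 'sshd:   /dev/null' 'root:          j65nko' \
        'manager:       root' 'dumper:        root' 'abuse:         root'
}

tmp=$(mktemp) && sample_aliases > "$tmp"
echo "manager -> $(resolve_alias "$tmp" manager)"
root_mail_ok "$tmp" && echo "root mail is delivered to a non-root account"
rm -f "$tmp"
```

The check does not confirm that the final target exists as a local account; that still has to be verified against the host's user database.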
Old 4 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

We continue with a new patch for OpenSMTPD, on 6.5, 6.6 and all archs.

Quote:
021: SECURITY FIX: February 24, 2020 All architectures
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
In FR!
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733

Last edited by CiotBSD; 2 Weeks Ago at 11:34 PM.
Old 2 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

A new patch for sysctl on 6.5, 6.6 and all archs:

Quote:
022: RELIABILITY FIX: March 10, 2020 All architectures
Missing input validation in sysctl(2) can be used to crash the kernel.
in FR!
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
Old 2 Weeks Ago
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 66
Default

A new patch for 6.5, and 6.6, for UDP broadcast and multicast socket.
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733