smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine does not properly maintain the I/O channel between the SMTP engine and the filters layer.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Opensmtpd | Opensmtpd | * | 6.8.0 (excluding) |
| Opensmtpd | Opensmtpd | 6.8.0 (including) | 6.8.0 (including) |
| Opensmtpd | Opensmtpd | 6.8.0-patch1-rc1 (including) | 6.8.0-patch1-rc1 (including) |
| Opensmtpd | Ubuntu | devel | * |
| Opensmtpd | Ubuntu | esm-apps/focal | * |
| Opensmtpd | Ubuntu | esm-apps/jammy | * |
| Opensmtpd | Ubuntu | esm-apps/noble | * |
| Opensmtpd | Ubuntu | focal | * |
| Opensmtpd | Ubuntu | groovy | * |
| Opensmtpd | Ubuntu | hirsute | * |
| Opensmtpd | Ubuntu | impish | * |
| Opensmtpd | Ubuntu | jammy | * |
| Opensmtpd | Ubuntu | kinetic | * |
| Opensmtpd | Ubuntu | lunar | * |
| Opensmtpd | Ubuntu | mantic | * |
| Opensmtpd | Ubuntu | noble | * |
| Opensmtpd | Ubuntu | oracular | * |
| Opensmtpd | Ubuntu | plucky | * |
| Opensmtpd | Ubuntu | questing | * |
| Opensmtpd | Ubuntu | trusty | * |
| Opensmtpd | Ubuntu | trusty/esm | * |
Potential Mitigations
References
- https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LKTFBQCHGMVPR4IZWHQIYAPM5J3LN3J/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TYAYXRV2DM5K4RU7RHCDZSA2UF6VCTRC/
- https://poolp.org/posts/2020-12-24/december-2020-opensmtpd-6.8.0p1-released-fixed-several-bugs-proposed-several-diffs-book-is-on-github/
- https://security.gentoo.org/glsa/202105-12
- https://www.mail-archive.com/misc%40opensmtpd.org/msg05188.html
- https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5LKTFBQCHGMVPR4IZWHQIYAPM5J3LN3J/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TYAYXRV2DM5K4RU7RHCDZSA2UF6VCTRC/
- https://poolp.org/posts/2020-12-24/december-2020-opensmtpd-6.8.0p1-released-fixed-several-bugs-proposed-several-diffs-book-is-on-github/
- https://security.gentoo.org/glsa/202105-12
- https://www.mail-archive.com/misc%40opensmtpd.org/msg05188.html