CVE-2015-7687 - Use After Free vulnerability in multiple products
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.
Vulnerable Configurations

Part | Count |
---|---|
Application | 6 |
OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-ED1C673F09.NASL
description: Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89451
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89451
title: Fedora 23 : opensmtpd-5.7.3p1-1.fc23 (2015-ed1c673f09)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-ed1c673f09.
#

include("compat.inc");

if (description)
{
  script_id(89451);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-7687");
  script_xref(name:"FEDORA", value:"2015-ed1c673f09");

  script_name(english:"Fedora 23 : opensmtpd-5.7.3p1-1.fc23 (2015-ed1c673f09)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Issues fixed in this release (since 5.7.2):

  - fix an mda buffer truncation bug which allows a user to create
    forward files that pass session checks but fail delivery later
    down the chain, within the user mda;

  - fix remote buffer overflow in unprivileged pony process;

  - reworked offline enqueue to better protect against hardlink
    attacks.

----

Several vulnerabilities have been fixed in OpenSMTPD 5.7.2:

  - an oversight in the portable version of fgetln() that allows
    attackers to read and write out-of-bounds memory;

  - multiple denial-of-service vulnerabilities that allow local
    users to kill or hang OpenSMTPD;

  - a stack-based buffer overflow that allows local users to crash
    OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd
    user;

  - a hardlink attack (or race-conditioned symlink attack) that
    allows local users to unset the chflags() of arbitrary files;

  - a hardlink attack that allows local users to read the first line
    of arbitrary files (for example, root's hash from
    /etc/master.passwd);

  - a denial-of-service vulnerability that allows remote attackers
    to fill OpenSMTPD's queue or mailbox hard-disk partition;

  - an out-of-bounds memory read that allows remote attackers to
    crash OpenSMTPD, or leak information and defeat the ASLR
    protection;

  - a use-after-free vulnerability that allows remote attackers to
    crash OpenSMTPD, or execute arbitrary code as the non-chrooted
    _smtpd user;

Further details can be found in Qualys' audit report:
http://seclists.org/oss-sec/2015/q4/17

MITRE has assigned one CVE for the use-after-free vulnerability;
additional CVEs may be assigned:
http://seclists.org/oss-sec/2015/q4/23

External References:
https://www.opensmtpd.org/announces/release-5.7.2.txt
http://seclists.org/oss-sec/2015/q4/17

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  # http://seclists.org/oss-
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-"
  );
  # http://seclists.org/oss-sec/2015/q4/17
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-sec/2015/q4/17"
  );
  # http://seclists.org/oss-sec/2015/q4/23
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-sec/2015/q4/23"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268509"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268794"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268837"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268857"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170448.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?2ffa2c51"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.opensmtpd.org/announces/release-5.7.2.txt"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected opensmtpd package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:opensmtpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Bail out unless credentialed local checks ran and the host is Fedora 23.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 package lists are handled by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Flag the host if the installed opensmtpd RPM is older than the fixed build.
flag = 0;
if (rpm_check(release:"FC23", reference:"opensmtpd-5.7.3p1-1.fc23")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opensmtpd");
}
```
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_EE7BDF7F11BB4EEAB054C692AB848C20.NASL
description: OpenSMTPD developers report : an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD; a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; a hardlink attack that allows local users to read the first line of arbitrary files (for example, root
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86268
published: 2015-10-05
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86268
title: FreeBSD : OpenSMTPD -- multiple vulnerabilities (ee7bdf7f-11bb-4eea-b054-c692ab848c20)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(86268);
  script_version("2.5");
  script_cvs_date("Date: 2018/11/10 11:49:44");

  script_cve_id("CVE-2015-7687");

  script_name(english:"FreeBSD : OpenSMTPD -- multiple vulnerabilities (ee7bdf7f-11bb-4eea-b054-c692ab848c20)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"OpenSMTPD developers report :

an oversight in the portable version of fgetln() that allows attackers
to read and write out-of-bounds memory

multiple denial-of-service vulnerabilities that allow local users to
kill or hang OpenSMTPD

a stack-based buffer overflow that allows local users to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user

a hardlink attack (or race-conditioned symlink attack) that allows
local users to unset the chflags() of arbitrary files

a hardlink attack that allows local users to read the first line of
arbitrary files (for example, root's hash from /etc/master.passwd)

a denial-of-service vulnerability that allows remote attackers to fill
OpenSMTPD's queue or mailbox hard-disk partition

an out-of-bounds memory read that allows remote attackers to crash
OpenSMTPD, or leak information and defeat the ASLR protection

a use-after-free vulnerability that allows remote attackers to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.opensmtpd.org/announces/release-5.7.2.txt"
  );
  # https://vuxml.freebsd.org/freebsd/ee7bdf7f-11bb-4eea-b054-c692ab848c20.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?cb4657a7"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:opensmtpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

# Bail out unless credentialed local checks ran and a FreeBSD package list was collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag the host if the installed opensmtpd port is older than 5.7.2,1.
flag = 0;

if (pkg_test(save_report:TRUE, pkg:"opensmtpd<5.7.2,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-FD133D52CC.NASL
description: Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89469
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89469
title: Fedora 22 : opensmtpd-5.7.3p1-1.fc22 (2015-fd133d52cc)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-fd133d52cc.
#

include("compat.inc");

if (description)
{
  script_id(89469);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-7687");
  script_xref(name:"FEDORA", value:"2015-fd133d52cc");

  script_name(english:"Fedora 22 : opensmtpd-5.7.3p1-1.fc22 (2015-fd133d52cc)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Issues fixed in this release (since 5.7.2):

  - fix an mda buffer truncation bug which allows a user to create
    forward files that pass session checks but fail delivery later
    down the chain, within the user mda;

  - fix remote buffer overflow in unprivileged pony process;

  - reworked offline enqueue to better protect against hardlink
    attacks.

----

Several vulnerabilities have been fixed in OpenSMTPD 5.7.2:

  - an oversight in the portable version of fgetln() that allows
    attackers to read and write out-of-bounds memory;

  - multiple denial-of-service vulnerabilities that allow local
    users to kill or hang OpenSMTPD;

  - a stack-based buffer overflow that allows local users to crash
    OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd
    user;

  - a hardlink attack (or race-conditioned symlink attack) that
    allows local users to unset the chflags() of arbitrary files;

  - a hardlink attack that allows local users to read the first line
    of arbitrary files (for example, root's hash from
    /etc/master.passwd);

  - a denial-of-service vulnerability that allows remote attackers
    to fill OpenSMTPD's queue or mailbox hard-disk partition;

  - an out-of-bounds memory read that allows remote attackers to
    crash OpenSMTPD, or leak information and defeat the ASLR
    protection;

  - a use-after-free vulnerability that allows remote attackers to
    crash OpenSMTPD, or execute arbitrary code as the non-chrooted
    _smtpd user;

Further details can be found in Qualys' audit report:
http://seclists.org/oss-sec/2015/q4/17

MITRE has assigned one CVE for the use-after-free vulnerability;
additional CVEs may be assigned:
http://seclists.org/oss-sec/2015/q4/23

External References:
https://www.opensmtpd.org/announces/release-5.7.2.txt
http://seclists.org/oss-sec/2015/q4/17

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  # http://seclists.org/oss-
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-"
  );
  # http://seclists.org/oss-sec/2015/q4/17
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-sec/2015/q4/17"
  );
  # http://seclists.org/oss-sec/2015/q4/23
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/oss-sec/2015/q4/23"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268509"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268794"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268837"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268857"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169600.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?652a6f03"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.opensmtpd.org/announces/release-5.7.2.txt"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected opensmtpd package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:opensmtpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Bail out unless credentialed local checks ran and the host is Fedora 22.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 package lists are handled by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Flag the host if the installed opensmtpd RPM is older than the fixed build.
flag = 0;
if (rpm_check(release:"FC22", reference:"opensmtpd-5.7.3p1-1.fc22")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opensmtpd");
}
```
References
- https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt
- https://www.opensmtpd.org/announces/release-5.7.2.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=1268793
- http://www.securityfocus.com/bid/76975
- http://www.openwall.com/lists/oss-security/2015/10/03/1
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169600.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170448.html