Vulnerabilities > CVE-2015-7687 - Use After Free vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2015-ED1C673F09.NASL description Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of- service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root last seen 2020-06-05 modified 2016-03-04 plugin id 89451 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89451 title Fedora 23 : opensmtpd-5.7.3p1-1.fc23 (2015-ed1c673f09) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-ed1c673f09. # include("compat.inc"); if (description) { script_id(89451); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-7687"); script_xref(name:"FEDORA", value:"2015-ed1c673f09"); script_name(english:"Fedora 23 : opensmtpd-5.7.3p1-1.fc23 (2015-ed1c673f09)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of- service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd); - a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition; - an out- of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection; - a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; Further details can be found in Qualys' audit report: http://seclists.org/oss-sec/2015/q4/17 MITRE has assigned one CVE for the use-after-free vulnerability; additional CVEs may be assigned: http://seclists.org/oss-sec/2015/q4/23 External References: https://www.opensmtpd.org/announces/release-5.7.2.txt http://seclists.org/oss- sec/2015/q4/17 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://seclists.org/oss- script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-" ); # http://seclists.org/oss-sec/2015/q4/17 script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-sec/2015/q4/17" ); # http://seclists.org/oss-sec/2015/q4/23 script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-sec/2015/q4/23" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268509" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268794" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268837" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268857" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170448.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2ffa2c51" ); script_set_attribute( attribute:"see_also", value:"https://www.opensmtpd.org/announces/release-5.7.2.txt" ); script_set_attribute( attribute:"solution", value:"Update the affected opensmtpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:opensmtpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC23", reference:"opensmtpd-5.7.3p1-1.fc23")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opensmtpd"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_EE7BDF7F11BB4EEAB054C692AB848C20.NASL description OpenSMTPD developers report : an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files a hardlink attack that allows local users to read the first line of arbitrary files (for example, root last seen 2020-06-01 modified 2020-06-02 plugin id 86268 published 2015-10-05 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86268 title FreeBSD : OpenSMTPD -- multiple vulnerabilities (ee7bdf7f-11bb-4eea-b054-c692ab848c20) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(86268); script_version("2.5"); script_cvs_date("Date: 2018/11/10 11:49:44"); script_cve_id("CVE-2015-7687"); script_name(english:"FreeBSD : OpenSMTPD -- multiple vulnerabilities (ee7bdf7f-11bb-4eea-b054-c692ab848c20)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "OpenSMTPD developers report : an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory multiple denial-of-service vulnerabilities that allow local users to kill or hang OpenSMTPD a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd) a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition an out-of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user" ); script_set_attribute( attribute:"see_also", value:"https://www.opensmtpd.org/announces/release-5.7.2.txt" ); # https://vuxml.freebsd.org/freebsd/ee7bdf7f-11bb-4eea-b054-c692ab848c20.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cb4657a7" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:opensmtpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/02"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"opensmtpd<5.7.2,1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2015-FD133D52CC.NASL description Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of- service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root last seen 2020-06-05 modified 2016-03-04 plugin id 89469 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89469 title Fedora 22 : opensmtpd-5.7.3p1-1.fc22 (2015-fd133d52cc) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-fd133d52cc. # include("compat.inc"); if (description) { script_id(89469); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-7687"); script_xref(name:"FEDORA", value:"2015-fd133d52cc"); script_name(english:"Fedora 22 : opensmtpd-5.7.3p1-1.fc22 (2015-fd133d52cc)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Issues fixed in this release (since 5.7.2): - fix an mda buffer truncation bug which allows a user to create forward files that pass session checks but fail delivery later down the chain, within the user mda; - fix remote buffer overflow in unprivileged pony process; - reworked offline enqueue to better protect against hardlink attacks. ---- Several vulnerabilities have been fixed in OpenSMTPD 5.7.2: - an oversight in the portable version of fgetln() that allows attackers to read and write out-of-bounds memory; - multiple denial-of- service vulnerabilities that allow local users to kill or hang OpenSMTPD; - a stack-based buffer overflow that allows local users to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; - a hardlink attack (or race-conditioned symlink attack) that allows local users to unset the chflags() of arbitrary files; - a hardlink attack that allows local users to read the first line of arbitrary files (for example, root's hash from /etc/master.passwd); - a denial-of-service vulnerability that allows remote attackers to fill OpenSMTPD's queue or mailbox hard-disk partition; - an out- of-bounds memory read that allows remote attackers to crash OpenSMTPD, or leak information and defeat the ASLR protection; - a use-after-free vulnerability that allows remote attackers to crash OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user; Further details can be found in Qualys' audit report: http://seclists.org/oss-sec/2015/q4/17 MITRE has assigned one CVE for the use-after-free vulnerability; additional CVEs may be assigned: http://seclists.org/oss-sec/2015/q4/23 External References: https://www.opensmtpd.org/announces/release-5.7.2.txt http://seclists.org/oss- sec/2015/q4/17 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://seclists.org/oss- script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-" ); # http://seclists.org/oss-sec/2015/q4/17 script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-sec/2015/q4/17" ); # http://seclists.org/oss-sec/2015/q4/23 script_set_attribute( attribute:"see_also", value:"https://seclists.org/oss-sec/2015/q4/23" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268509" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268794" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268837" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1268857" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169600.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?652a6f03" ); script_set_attribute( attribute:"see_also", value:"https://www.opensmtpd.org/announces/release-5.7.2.txt" ); script_set_attribute( attribute:"solution", value:"Update the affected opensmtpd package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:opensmtpd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"opensmtpd-5.7.3p1-1.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opensmtpd"); }
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170448.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169600.html
- http://www.openwall.com/lists/oss-security/2015/10/03/1
- http://www.securityfocus.com/bid/76975
- https://bugzilla.redhat.com/show_bug.cgi?id=1268793
- https://www.opensmtpd.org/announces/release-5.7.2.txt
- https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt