OpenSMTPD Local Denial-of-Service Vulnerability via UNIX Domain Socket

Vulnerability

A denial-of-service vulnerability has been identified in OpenSMTPD version 7.7.0p0, packaged for openSUSE Tumbleweed. This vulnerability allows local users to crash the OpenSMTPD service by exploiting a world-writable UNIX domain socket used for inter-process communication. The issue arises because the socket, located at '/var/run/smtpd.sock', is writable by all users, enabling them to send malformed messages that cause the 'smtpd: control' daemon to terminate unexpectedly. Additionally, there is a related memory leak issue in the socket handling code that remains unaddressed.

Impact

Exploitation of this vulnerability leads to a local denial-of-service condition, causing the OpenSMTPD service instance to shut down completely. Furthermore, after the main issue is fixed, a memory leak problem allows unprivileged users to gradually consume memory in the 'smtpd: control' instance, causing a delayed denial-of-service effect.

Reproduction

The vulnerability can be reproduced using a Python script that sends a message with an excessive header length to the 'smtpd.sock' UNIX domain socket. This malformed message triggers an error in the 'smtpd' daemon, causing it to exit and take down the entire OpenSMTPD service instance.

Remediation

Upstream has released a bugfix for the main denial-of-service issue, which will be included in the upcoming OpenSMTPD version 7.8.0. Users can also apply a temporary workaround by adjusting the permissions of the 'smtpd.sock' socket to restrict access, although this may interfere with some functionality.
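The advisory's root cause is a world-writable socket, so the first thing an administrator wants is a way to verify the current mode of '/var/run/smtpd.sock' (before and after applying the permission workaround). The following shell function is an added example written for this page, not a script from the advisory or from the OpenSMTPD project. It assumes a Linux host with GNU coreutils 'stat' (as on openSUSE); the function name 'socket_world_writable' and the default path are this example's own choices, the path being the one the advisory names.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a UNIX domain socket
# is writable by "other" users, the condition described for /var/run/smtpd.sock.
# Returns 0 if the other-write bit is clear, 1 if it is set, 2 if the path
# does not exist. Requires GNU stat (assumption: Linux / openSUSE host).

socket_world_writable() {
    path="${1:-/var/run/smtpd.sock}"   # default taken from the advisory

    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 2
    fi

    # The advisory concerns a socket; warn if we were pointed at something else
    # but still evaluate the mode so the function is usable on any path.
    if [ ! -S "$path" ]; then
        echo "note: $path is not a UNIX domain socket" >&2
    fi

    mode=$(stat -c '%a' "$path")       # octal mode, e.g. 666 or 660
    owner=$(stat -c '%U:%G' "$path")

    # The last octal digit is the "other" class; a write bit set there gives
    # 2, 3, 6 or 7. Matching on the digit avoids leading-zero octal pitfalls
    # in shell arithmetic.
    case "$mode" in
        *[2367])
            echo "WORLD-WRITABLE: $path mode $mode owner $owner"
            return 1
            ;;
        *)
            echo "ok: $path mode $mode owner $owner"
            return 0
            ;;
    esac
}

# Stand-alone usage: audit the advisory's socket path, or a path given as $1.
if [ "${0##*/}" != "sh" ] && [ -z "${SOCKET_CHECK_LIB:-}" ]; then
    socket_world_writable "$@"
fi
```

Run it as root (or any user able to stat the socket) on the affected host; a "WORLD-WRITABLE" line means the condition the advisory describes is present. After restricting the mode as a workaround, rerun the function to confirm the other-write bit is gone, and then test the mail paths that depend on the control socket, since the advisory notes the tighter permissions may interfere with some functionality.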

Added: Nov 20, 2025, 4:18 PM
Updated: Nov 20, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:         2.5
exploitability: 5.4
remediation:    8.3
relevance:      1.1
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.