LibreSSL Vulnerability Found During OpenSMTPD Bug-Hunt

Researchers investigating ways to cause remote code execution against known vulnerabilities in OpenSMTPD have stumbled across a memory leak in LibreSSL, affecting all versions.

“In order to achieve remote code execution against the vulnerabilities that we recently discovered in OpenSMTPD (CVE-2015-7687), a memory leak is needed,” reads the advisory. “Because we could not find one in OpenSMTPD itself, we started to review the malloc()s and free()s of its libraries, and eventually found a memory leak in LibreSSL’s OBJ_obj2txt() function; we then realized that this function also contains a buffer overflow (an off-by-one, usually stack-based).”

The code reviewers believe attackers could use the memory leak to cause denial-of-service attacks and possibly execute arbitrary code when triggered. However, the buffer overflow does not seem exploitable on OpenBSD x86 systems.

The research points out that deep interdependencies between software can have serious repercussions if one component is found vulnerable. With the vulnerability disclosed, it’s safe to assume attempts to exploit it will follow in the wild.

“These vulnerabilities affect all LibreSSL versions, including LibreSSL 2.0.0 (the first public release) and LibreSSL 2.3.0 (the latest release at the time of writing). OpenSSL is not affected,” reads the same advisory.

No fix is yet available, although the LibreSSL team is working on fixing the problem as soon as possible. Once it is released, we strongly encourage everyone relying on LibreSSL to update it to the latest version.