
LibreSSL Vulnerability Found During OpenSMTPD Bug-Hunt

Researchers looking for a way to turn known vulnerabilities in OpenSMTPD into remote code execution have stumbled across a memory leak, and alongside it an off-by-one buffer overflow, in LibreSSL's OBJ_obj2txt() function. Every LibreSSL release to date is affected.

“In order to achieve remote code execution against the vulnerabilities that we recently discovered in OpenSMTPD (CVE-2015-7687), a memory leak is needed,” reads the advisory. “Because we could not find one in OpenSMTPD itself, we started to review the malloc()s and free()s of its libraries, and eventually found a memory leak in LibreSSL’s OBJ_obj2txt() function; we then realized that this function also contains a buffer overflow (an off-by-one, usually stack-based).”

According to the advisory, the memory leak can be used for denial of service, and the off-by-one overflow may allow arbitrary code execution once triggered. The researchers note, however, that the overflow does not appear to be exploitable on OpenBSD x86 systems.
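The advisory describes the overflow as an off-by-one, usually stack-based, in a function that converts an ASN.1 object identifier to dotted text. The following is an added illustration of that bug class, not code from this article, from the advisory, or from LibreSSL, and it does not claim to reproduce the actual LibreSSL defect. It is a constructed toy converter written to the same contract as OBJ_obj2txt() (return the full text length without the NUL, write at most buf_len bytes including the NUL, truncate if the buffer is too small), with a bounds check that is wrong by one, beside the corrected version and a canary-based check a reviewer could use to tell them apart. The function names, the OID arcs and the sentinel byte are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy OID-to-text converter (constructed for this example, not LibreSSL code).
 * Contract: returns the length of the full dotted text excluding the NUL and
 * writes at most buf_len bytes, NUL included; a return value >= buf_len means
 * the output was truncated.  The bug is the "<=" test: it lets the copied text
 * exactly fill buf, so the final NUL lands at buf[buf_len], one byte past the end. */
static int oid2txt_buggy(char *buf, size_t buf_len, const unsigned int *arcs, size_t n)
{
    size_t total = 0, len = 0;
    int truncated = 0;
    for (size_t i = 0; i < n; i++) {
        char tmp[16];
        int k = snprintf(tmp, sizeof tmp, i ? ".%u" : "%u", arcs[i]);
        total += (size_t)k;
        if (!truncated && buf_len && len + (size_t)k <= buf_len) { /* BUG: should be "<" */
            memcpy(buf + len, tmp, (size_t)k);
            len += (size_t)k;
        } else {
            truncated = 1;
        }
    }
    if (buf_len)
        buf[len] = '\0';   /* len may equal buf_len here: off-by-one write */
    return (int)total;
}

/* Corrected form: an arc is copied only if the NUL still fits after it. */
static int oid2txt_fixed(char *buf, size_t buf_len, const unsigned int *arcs, size_t n)
{
    size_t total = 0, len = 0;
    int truncated = 0;
    for (size_t i = 0; i < n; i++) {
        char tmp[16];
        int k = snprintf(tmp, sizeof tmp, i ? ".%u" : "%u", arcs[i]);
        total += (size_t)k;
        if (!truncated && buf_len && len + (size_t)k < buf_len) { /* room for the NUL */
            memcpy(buf + len, tmp, (size_t)k);
            len += (size_t)k;
        } else {
            truncated = 1;
        }
    }
    if (buf_len)
        buf[len] = '\0';   /* len <= buf_len - 1 is now guaranteed */
    return (int)total;
}

/* Review check: hand the converter a 7-byte window into an 8-byte array whose
 * last byte is a sentinel, and format an OID whose text is exactly 7 bytes
 * ("1.2.840", constructed).  Returns 1 if the sentinel survives, 0 if the
 * converter wrote past its buffer.  Writing to index 7 stays inside the array,
 * so the test is deterministic rather than undefined behaviour. */
static int canary_survives(int (*conv)(char *, size_t, const unsigned int *, size_t))
{
    static const unsigned int arcs[] = { 1, 2, 840 };
    char store[8];
    memset(store, 'Z', sizeof store);
    (void)conv(store, 7, arcs, 3);
    return store[7] == 'Z';
}

/* Caller-side discipline the OBJ_obj2txt() contract demands: ask for the
 * length first, then make sure the destination has that many bytes plus one
 * for the NUL.  Returns the text length, or -1 if out is too small. */
static int oid2txt_full(char *out, size_t out_len, const unsigned int *arcs, size_t n)
{
    int need = oid2txt_fixed(NULL, 0, arcs, n);
    if (need < 0 || (size_t)need + 1 > out_len)
        return -1;
    return oid2txt_fixed(out, out_len, arcs, n);
}

int main(void)
{
    static const unsigned int rsadsi[] = { 1, 2, 840, 113549 };  /* constructed input */
    char out[32];
    printf("buggy converter keeps canary: %d\n", canary_survives(oid2txt_buggy));
    printf("fixed converter keeps canary: %d\n", canary_survives(oid2txt_fixed));
    if (oid2txt_full(out, sizeof out, rsadsi, 4) > 0)
        printf("full text: %s\n", out);
    return 0;
}
```

The corrected converter truncates "1.2.840" to "1.2" in the 7-byte buffer and still returns 7, which is greater than or equal to buf_len; a caller that checks for that condition, or that sizes its buffer from the returned length plus one as oid2txt_full() does, never depends on the library getting its own terminator arithmetic right.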

The finding is a reminder that deep dependencies between software components mean a flaw in one library can expose every program built on it. Now that the details are public, it is reasonable to expect exploitation attempts to follow.

“These vulnerabilities affect all LibreSSL versions, including LibreSSL 2.0.0 (the first public release) and LibreSSL 2.3.0 (the latest release at the time of writing). OpenSSL is not affected,” reads the same advisory.

At the time of writing no fix is available, although the LibreSSL team is working on one. Once it is released, anyone relying on LibreSSL should update to the patched version without delay.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.
