OpenBSD denies OpenSMTPD security issues

  • #1

    As you know, OpenSMTPD was created by OpenBSD, claiming other MTAs lacked certain security requirements and features and claiming that their new MTA OpenSMTPD would be as secure as possible. Unfortunately, this has not been the case in recent months and OpenSMTPD has suffered from a whole range of vulnerabilities that one could only find in Windows. This has only recently been noticed within the OpenBSD project, as shown in this mailing list post:

    Originally posted by [email protected]
    Hi folks, like many others, when I learned that OpenBSD was creating from scratch an SMTP daemon, I was thrilled. The OpenBSD name has for a long time been connected with security, stability, and reliability. I was excited to see an extremely easy to configure yet powerful SMTP daemon coming from such a venerable project as OpenBSD. Over time, OpenSMTPD has replaced all other mail daemons for me, and I've been pleased to use another OpenBSD project as part of my critical infrastructure. Code from OpenBSD is code that the community has learned to trust, a reputation matched by few other projects. It has been, therefore, to my extreme dismay to discover in recent months the sheer number of critical security vulnerabilities - in some cases, remotely exploitable - in OpenSMTPD. Just this past week, Qualys has reported an impressive audit result [1], with a scary remote code execution vulnerability among others, and last night I discovered a remotely exploitable buffer overflow that was being triggered in the wild [2]. If you comb through the OpenSMTPD misc mailing list, you'll find scattered reports of other similar bugs -- buffer overflows, remote denial of service vectors, and a host of other nasty glitches and security vulnerabilities -- and if you look at the CVS repository or git repository, you'll see other such goodies baked in there; most of them haven't been publicly revealed as security vulnerabilities and were not assigned CVEs, which is an irreverent point for most reasonably skilled malicious actors. The fact is, OpenSMTPD has suffered a disproportionately high number of security issues, especially for a daemon as important as it. It is not living up to OpenBSD's reputation, and it threatens the OpenBSD.org frontpage security claim. I do not any longer believe OpenSMTPD to be software that is trustable for use in critical infrastructure at this point in time. Personally, I am very attached to OpenSMTPD. I have contributed to its development in, what I think to be, significant ways, and I maintain both distribution packages for it (Gentoo), as well as my entire infrastructure, which is based on OpenSMTPD. I've "bet the farm" on the project, so to speak. But I think it's time we take a step back and reassess the situation. There are some critical questions that need to be answered. What accounts for the high proportion of security vulnerabilities in a project renowned for its brilliant developers and stringent review processes? Do the OpenSMTPD developers have time -- and have they displayed a presence of necessary free time -- to keep the project healthy and moving toward stability at an acceptable pace? Have the correct standards of releases been applied to the OpenSMTPD release process? And most importantly: should OpenSMTPD continue to be a part of the core OpenBSD project? Or should it rather spend some time maturing and securing commitments from developers for maintaining it in a consistent manner, before being accepted by such a reputable organization as OpenBSD? Finally, if OpenSMTPD does continue to exist as a part of core OpenBSD, I would strongly recommend some effort is organized to bring top quality code reviewers and auditors to the source code, in order to give the project the eyeballs it deserves. It would be a great boost in confidence for many who use - or hoped to someday use - OpenSMTPD to see that intelligent minds, capable of securing large codebases, have put their efforts into making it secure. I hope this can begin some discussion on the best way forward toward making OpenSMTPD a piece of infrastructure we can trust. My best wishes for the project. Regards, Jason
    [1] http://seclists.org/oss-sec/2015/q4/17
    [2] http://seclists.org/oss-sec/2015/q4/25
    Unfortunately, in the typical OpenBSD attitude to OpenBSD-related security flaws, other OpenBSD developers downplay the severity of the issue:

    Originally posted by [email protected]
    You obviously never lived through the sendmail era. The smtpd code is very good. Bugs happen, and how the creators of a program react to them is what matters. The Qualys results were promptly dealt with. I don't think there is much to discuss other than diffs that further the project. STeve Andre'
    The problem with this statement is that, unlike Sendmail, OpenSMTPD is maintained by only a handful of developers with questionable skills, ethics and mental sanity, making it impossible to "quickly" deal with security issues. The same goes for all BSD-related projects.

    We have to think carefully about what is secure and what is not in this day and age as a poorly maintained system like OpenBSD and other BSDs could be the gateway for stolen CCNs, money, blackmail and national security.

    In response to this, some OpenBSD developer came out of the closet and admitted the failure and flaws of the OpenBSD project, which confirms what has been known all along. OpenBSD project management is the worst of all, worse than even FreeBSD, NetBSD and DragonflyBSD:

    Originally posted by [email protected]
    Unfortunately, this had the unintended consequence of marking all the code in openbsd as "deprecated". All of the openbsd developers were basically waiting for the filter branch to land to avoid too much divergence. We are working to make some adjustments in communications and attitude. I don't think the smtpd developers are to blame for this situation, because the rest of us allowed it to happen. Writing a mail server is a big project, and many of us promised our support, but then that support didn't materialize due to the above. In short, things broke down, but we have a pretty good idea why, and know what to do about it.
    Bottom line is: OpenBSD is not secure and is a failure of an operating system and a cluster f__k of a software project. If you are using or thinking of using OpenBSD right now, please quickly make the switch to Linux before your data is stolen or lost, devastating your business, privacy and life.
    Last edited by endman; 05 October 2015, 06:04 PM.

  • #2
    Someone has just posted a snippet of code from OpenSMTPD and it does not look good:

    Originally posted by [email protected]
    Code:
    static void
    filter_tx_io(struct io *io, int evt)
    {
        struct filter_session   *s = io->arg;
        size_t                   len, n;
        char                    *data;
        char                    buf[65535];
        switch (evt) {
            case IO_DATAIN:
                data = iobuf_data(&s->ibuf);
                len = iobuf_len(&s->ibuf);
                memmove(buf, data, len);
                buf[len] = 0;
    You just validated all the concerns about the quality of OpenSMTPD and also the need for peer/code reviews. That is not production quality code by any measure.
    If you are using OpenSMTPD, please switch to another mail server immediately before your systems are irreversibly compromised. And if you are using OpenBSD, please immediately switch to Linux before your data is stolen.
    Last edited by endman; 05 October 2015, 08:32 PM.
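    The pattern in the quoted snippet, a fixed 65535-byte stack buffer filled by memmove(buf, data, len) followed by buf[len] = 0, next to the length check it lacks. This is an added example in C, not OpenSMTPD's code; the buffer size comes from the snippet, and the function names and the constructed input are made up for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same capacity as the `char buf[65535]` in the quoted snippet. */
#define LINE_BUF 65535

/* The check the snippet does not perform: copying `len` bytes and then
 * writing a NUL at buf[len] needs len + 1 bytes, so anything with
 * len >= cap writes past the end of a `cap`-byte buffer.
 * Returns 1 if the write would overflow, 0 if it fits. */
static int
would_overflow(size_t len, size_t cap)
{
    return len >= cap;
}

/* Hardened variant of the copy: refuse input that does not fit instead of
 * writing past the end of buf. Returns bytes copied, or -1 on overflow. */
static long
copy_line_checked(char *buf, size_t cap, const char *data, size_t len)
{
    if (would_overflow(len, cap))
        return -1;
    memmove(buf, data, len);
    buf[len] = '\0';
    return (long)len;
}

/* Driver over a constructed all-'A' payload of the requested length, so the
 * boundary can be exercised without ever performing the unsafe write. */
static long
demo(size_t len)
{
    static char buf[LINE_BUF];
    static char data[LINE_BUF + 1]; /* constructed input, one byte larger than buf */
    memset(data, 'A', sizeof(data));
    return copy_line_checked(buf, sizeof(buf), data, len);
}

int
main(void)
{
    printf("len=10:    %ld\n", demo(10));     /* fits */
    printf("len=65534: %ld\n", demo(65534));  /* largest length that fits with its NUL */
    printf("len=65535: %ld\n", demo(65535));  /* -1: would write buf[65535], one past the end */
    return 0;
}
```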

    • #3
      Originally posted by endman View Post
      If you are using or thinking of using OpenBSD right now, please quickly make the switch to Linux before your data is stolen or lost, devastating your business, privacy and life.
      Please quickly make the switch to Genode OS, not to Linux. Linux has kernel bugs that help attackers circumvent all security policies, even SELinux and AppArmor (security placebos that make Linux look secure). Genode OS is proven to be secure by design.

      • #4
        Originally posted by endman View Post
        If you are using OpenSMTPD, please switch to another mail server immediately before your systems are irreversibly compromised.
        Qmail.

        • #5
          Here is the link to the related thread on the mailing list: http://marc.info/?t=144406382500006&r=1&w=2

          You can see how much denial they have.

          Also here's more supporting evidence that OpenSMTPD is broken: http://undeadly.org/cgi?action=artic...20151005200020

          • #6
            The disappearance of the BSD projects would have the advantage that endman would shut up forever, because there wouldn't be a bogeyman anymore he could point his finger at and say: "that's the bad guy", "bad project management", and so on...

            • #7
              Nasyt, if someone comes with bold claims about security, they have to face one simple fact: any security-related bug will seriously aggravate people who were using this software due to these bold claims of security. Firefox learned it the hard way, ages ago. And recently they got their butts grilled one more time, when a hardcore 0-day JS exploit fucked up their "wannabe-secure" JS-based PDF viewer in a really dumb way and stole all sorts of sensitive files from millions of systems, stuff like /etc/passwd and the ssh keys of the current user included.

              BSDs and their fans are all about this attitude: making unbacked bold claims about software properties. Then these claims turn out to be not so true or even blatant lies. And for security it works like this: the most dangerous time is when you feel safe.

              • #8
                Originally posted by SystemCrasher
                BSDs and their fans are all about this attitude: making unbacked bold claims about software properties. Then these claims turn out to be not so true or even blatant lies. And for security it works like this: the most dangerous time is when you feel safe.
                #KillAllBSDs

                • #9
                  Originally posted by endman View Post
                  #KillAllBSDs
                  The disappearance of old stuff will spawn new stuff:

                  • #10
                    Originally posted by SystemCrasher View Post
                    Nasyt, if someone comes with bold claims about security, they have to face one simple fact: any security-related bug will seriously aggravate people who were using this software due to these bold claims of security. Firefox learned it the hard way, ages ago. And recently they got their butts grilled one more time, when a hardcore 0-day JS exploit fucked up their "wannabe-secure" JS-based PDF viewer in a really dumb way and stole all sorts of sensitive files from millions of systems, stuff like /etc/passwd and the ssh keys of the current user included.
                    Which means, the bold claims are the problem.

                    Originally posted by SystemCrasher View Post
                    BSDs and their fans are all about this attitude: making unbacked bold claims about software properties. Then these claims turn out to be not so true or even blatant lies. And for security it works like this: the most dangerous time is when you feel safe.
                    Funnily, I had to think about the bold claims of the Linux fanboys.
