CVE-2015-7687 - Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of

CVE-2015-7687

Summary

Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mta.

References

Vulnerable Configurations

cpe:2.3:a:openbsd:opensmtpd:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.3.3:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.3.3:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.4.2:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.4.2:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.7.1:*:*:*:*:*:*:*
cpe:2.3:a:openbsd:opensmtpd:5.7.1:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 01-11-2017 - 11:50)
Impact:
Exploitability:

CWE

CWE-416

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	76975
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=1268793 https://www.opensmtpd.org/announces/release-5.7.2.txt
fedora	FEDORA-2015-ed1c673f09 FEDORA-2015-fd133d52cc
misc	https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt
mlist	[oss-security] 20151003 Re: Qualys Security Advisory - OpenSMTPD Audit Report

Last major update

01-11-2017 - 11:50

Published

16-10-2017 - 18:29

Last modified

01-11-2017 - 11:50