CVE-2023-29323: n/a
ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address.
AI Analysis
Technical Summary
CVE-2023-29323 is a denial-of-service vulnerability affecting the smtpd daemon in OpenBSD and OpenSMTPD Portable. The issue lies in the ascii_load_sockaddr function, which improperly handles connections originating from local, scoped IPv6 addresses. When such a connection is received, the smtpd process can abort unexpectedly, causing a denial of service by terminating the mail server process handling SMTP requests. This vulnerability affects OpenBSD versions prior to 7.1 errata 024 and 7.2 before errata 020, as well as OpenSMTPD Portable versions before 7.0.0-portable commit f748277. The vulnerability does not require authentication or user interaction, as it can be triggered simply by establishing a connection from a specially crafted IPv6 local scoped address. No known exploits have been reported in the wild, but the flaw could be exploited by an attacker with network access to the SMTP server to disrupt mail services. The impact is primarily on availability, as the smtpd process aborts, potentially causing mail delivery interruptions. The lack of a CVSS score necessitates an assessment based on the nature of the flaw, which indicates a high severity due to the ease of triggering and the critical role of SMTP servers in organizational communications. The vulnerability is relevant to organizations using OpenBSD or OpenSMTPD for mail services, especially those supporting IPv6 traffic. Remediation involves applying the official errata updates for OpenBSD or upgrading OpenSMTPD Portable to a fixed commit version. Monitoring for unusual SMTP connection patterns from IPv6 scoped addresses can help detect exploitation attempts.
Potential Impact
The primary impact of CVE-2023-29323 is denial of service against SMTP servers running vulnerable versions of OpenBSD or OpenSMTPD Portable. For European organizations, this could disrupt email communications, affecting business operations, customer interactions, and internal communications. Organizations relying on OpenBSD-based mail servers or OpenSMTPD Portable in critical infrastructure, government, finance, or healthcare sectors may experience operational outages or degraded service availability. The vulnerability could be exploited by local or remote attackers with network access to the SMTP service, especially in IPv6-enabled environments. Given the increasing adoption of IPv6 in Europe, the risk of exploitation may rise. Disruption of mail services can also impact incident response, alerting, and other security functions that depend on email. While no data confidentiality or integrity compromise is indicated, the availability impact alone can have significant operational and reputational consequences. Organizations with high email traffic or those providing email services to customers are particularly at risk.
Mitigation Recommendations
To mitigate CVE-2023-29323, European organizations should promptly apply the OpenBSD errata updates: 7.1 errata 024 or later, and 7.2 errata 020 or later, which address this vulnerability. For OpenSMTPD Portable users, upgrading to version 7.0.0-portable or later (post commit f748277) is essential. Network administrators should review firewall and network segmentation policies to restrict SMTP access to trusted sources, especially limiting IPv6 scoped address connections where possible. Monitoring SMTP server logs for abnormal connection attempts from local scoped IPv6 addresses can help detect exploitation attempts early. Implementing rate limiting or connection throttling on SMTP services may reduce the impact of potential DoS attempts. Organizations should also ensure robust incident response plans are in place to quickly restore mail services if disruption occurs. Regular vulnerability scanning and patch management processes should be enforced to maintain up-to-date software versions. Finally, educating network and system administrators about this specific vulnerability and its indicators can improve detection and response.
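The log-monitoring recommendation above can be turned into a small check. This is an added example, not code from OpenBSD, OpenSMTPD or the advisory; it assumes connection records of the form `smtp connected address=<ip>[%zone]`, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed log shape: "... smtp connected address=<ip>[%zone] host=<name>".
CONNECT_RE = re.compile(r"smtp connected address=(\S+)")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def scoped_ipv6_peer(line):
    """Return (address, zone) if the line records a scoped IPv6 peer, else None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    text = m.group(1).strip("[]")
    addr_text, sep, zone = text.partition("%")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None  # unparsable peer field; not this check's concern
    if addr.version != 6:
        return None
    # A zone suffix or a link-local prefix both mark a scoped address.
    if sep or addr in LINK_LOCAL:
        return (str(addr), zone or None)
    return None

def flag_scoped_connections(lines):
    """Count connections per (address, zone) for scoped IPv6 peers."""
    hits = Counter()
    for line in lines:
        peer = scoped_ipv6_peer(line)
        if peer:
            hits[peer] += 1
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    "Mar 01 10:00:01 mx smtpd[4242]: 1a2b smtp connected address=203.0.113.7 host=a.example",
    "Mar 01 10:00:05 mx smtpd[4242]: 1a2c smtp connected address=fe80::1c2d:3eff:fe4f:5a6b%em0 host=<unknown>",
    "Mar 01 10:00:06 mx smtpd[4242]: 1a2d smtp connected address=2001:db8::25 host=b.example",
    "Mar 01 10:00:09 mx smtpd[4242]: 1a2e smtp connected address=fe80::1c2d:3eff:fe4f:5a6b%em0 host=<unknown>",
    "Mar 01 10:00:11 mx smtpd[4242]: 1a2f smtp disconnected reason=quit",
]

if __name__ == "__main__":
    for (addr, zone), n in flag_scoped_connections(SAMPLE_LOG).items():
        print(f"scoped IPv6 peer {addr} zone={zone} connections={n}")
```

Correlating the flagged peers with smtpd restarts or abort messages in the same time window helps separate routine on-link traffic from connections that coincide with a crash.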
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2023-04-04T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 690a439b6d939959c8fdd58c
Added to database: 11/4/2025, 6:19:07 PM
Last enriched: 11/4/2025, 6:32:58 PM
Last updated: 11/6/2025, 12:45:56 PM