A new critical remote code execution vulnerability was discovered in OpenSMTPD that could be exploited by attackers to take complete control of email servers running BSD or Linux operating systems.
OpenSMTPD is OpenBSD's mail server, and it is also packaged for many other BSD and Linux systems, including FreeBSD, NetBSD, Debian, Fedora, and Alpine Linux.
The vulnerability was discovered by researchers at Qualys Research Labs; it is an out-of-bounds read issue tracked as CVE-2020-8794.
The vulnerability resides in a component of OpenSMTPD's client-side code (the code that runs when OpenSMTPD connects to another mail server) that was introduced in December 2015.
“We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response …”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch
Experts pointed out that the
The vulnerability can be exploited by a local or a remote attacker in two ways, both of which involve specially crafted SMTP messages. The experts describe two attack scenarios, client-side exploitation and server-side exploitation. In the client-side scenario, the flaw is exploited remotely against a server running the default configuration, because OpenSMTPD acts as an SMTP client whenever it connects to another mail server to deliver mail. In the server-side scenario, the attacker first connects to the OpenSMTPD server and sends an email that creates a bounce; when OpenSMTPD later connects back to the attacker's mail server to deliver that bounce, the attacker exploits the same client-side flaw.
The experts developed a working exploit that they successfully tested against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first
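The advisory quoted above locates the bug in the client-side code that handles a peer's multi-line SMTP response, the "250-line / 250 line" format of RFC 5321. What follows is an added example written for this page, not OpenSMTPD's code and not a reconstruction of its specific bug: a bounds-checked parser for that reply format. It rejects lines shorter than the three digits a reply code needs, rejects a code that changes between continuation lines, caps line length, and reports an incomplete reply instead of reading past the bytes actually received. The function names and the sample replies are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMTP_MAX_LINE 512   /* RFC 5321 4.5.3.1.5: reply line limit, CRLF included */

enum smtp_parse_status {
    SMTP_REPLY_OK = 0,      /* a final line ("250 text") closed the reply */
    SMTP_REPLY_INCOMPLETE,  /* partial line, or only "250-" lines so far */
    SMTP_REPLY_MALFORMED    /* short line, bad code, code changed, oversize line */
};

/* Classify one CRLF-stripped reply line: 1 = final ("250 text" or bare "250"),
 * 0 = continuation ("250-text"), -1 = malformed.  Every byte access is guarded
 * by `len`, so a 0-, 1-, 2- or 3-byte line is rejected rather than read past. */
static int smtp_parse_line(const char *line, size_t len, int *code,
                           const char **text, size_t *textlen)
{
    if (len < 3 || len > SMTP_MAX_LINE)
        return -1;
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]))
        return -1;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (*code < 200 || *code > 599)      /* only 2yz..5yz replies exist */
        return -1;
    if (len == 3) {                      /* bare "250": final line, no text */
        *text = line + 3;
        *textlen = 0;
        return 1;
    }
    *text = line + 4;
    *textlen = len - 4;
    if (line[3] == ' ')
        return 1;
    if (line[3] == '-')
        return 0;
    return -1;                           /* fourth byte must be SP or '-' */
}

/* Parse one complete reply from buf[0..buflen).  On SMTP_REPLY_OK, *code is
 * the reply code, `out` holds every line's text joined by '\n' (NUL-terminated,
 * truncated to outsz-1 bytes) and *consumed is this reply's byte count, so a
 * pipelined follow-up reply stays in the buffer for the next call. */
enum smtp_parse_status
smtp_reply_parse(const char *buf, size_t buflen, int *code,
                 char *out, size_t outsz, size_t *consumed)
{
    size_t pos = 0, outpos = 0, nlines = 0;
    int reply_code = 0;

    if (outsz == 0)
        return SMTP_REPLY_MALFORMED;
    out[0] = '\0';

    while (pos < buflen) {
        const char *line = buf + pos, *text;
        const char *nl = memchr(line, '\n', buflen - pos);
        size_t linelen, textlen, i;
        int linecode, rc;

        if (nl == NULL)
            return SMTP_REPLY_INCOMPLETE;    /* partial line: wait for more bytes */
        linelen = (size_t)(nl - line);
        pos += linelen + 1;                  /* step past the '\n' */
        if (linelen > 0 && line[linelen - 1] == '\r')
            linelen--;                       /* tolerate a bare '\n' as well */

        rc = smtp_parse_line(line, linelen, &linecode, &text, &textlen);
        if (rc < 0)
            return SMTP_REPLY_MALFORMED;
        if (nlines > 0 && linecode != reply_code)
            return SMTP_REPLY_MALFORMED;     /* code must not change mid-reply */
        reply_code = linecode;

        if (nlines++ > 0 && outpos < outsz - 1)
            out[outpos++] = '\n';
        for (i = 0; i < textlen && outpos < outsz - 1; i++)
            out[outpos++] = text[i];
        out[outpos] = '\0';

        if (rc == 1) {                       /* final line closes the reply */
            *code = reply_code;
            *consumed = pos;
            return SMTP_REPLY_OK;
        }
    }
    return SMTP_REPLY_INCOMPLETE;            /* continuation lines only so far */
}

/* Convenience wrapper for NUL-terminated reply strings. */
enum smtp_parse_status
smtp_reply_parse_str(const char *reply, int *code, char *out, size_t outsz,
                     size_t *consumed)
{
    return smtp_reply_parse(reply, strlen(reply), code, out, outsz, consumed);
}

int main(void)
{
    /* Constructed sample replies (not captured from any real server). */
    const char *samples[] = {
        "250-mail.example.test\r\n250-SIZE 10240000\r\n250 HELP\r\n", /* normal EHLO reply */
        "2\r\n",                            /* 1-byte line: reject, never read past it */
        "250-foo\r\n550 bar\r\n",           /* code changes mid-reply */
        "250-still going\r\n",              /* no final line yet */
        "250 OK\r\n220 next reply\r\n",     /* final line, then a pipelined reply */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[256];
        int code = 0;
        size_t used = 0;
        int st = smtp_reply_parse_str(samples[i], &code, out, sizeof out, &used);
        printf("sample %zu: status=%d code=%d consumed=%zu text=\"%s\"\n",
               i, st, code, used, out);
    }
    return 0;
}
```

The point of the example is the one the two scenarios above turn on: whenever a mail server delivers a bounce or relays outbound mail, it becomes an SMTP client talking to a server the attacker chose, so every byte of the reply must be treated as hostile input and checked against the length actually received before it is indexed.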
“We tested our exploit against the recent changes in OpenSMTPD 6.6.3p1, and our results are: if the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible.” continues the advisory.
In January, the same team of Qualys experts had spotted another vulnerability in OpenSMTPD, tracked as CVE-2020-7247.