Security researchers have spotted a vulnerability, tracked as CVE-2020-7247, that affects a core email-related library used by many BSD and Linux distributions.
Security experts from Qualys have discovered a flaw, tracked as CVE-2020-7247, in OpenSMTPD. OpenSMTPD is an open-source implementation of the server-side SMTP protocol as defined by RFC 5321, it includes also some additional standard extensions. It allows ordinary machines to exchange emails with other systems speaking the SMTP protocol.
OpenSMTPD is present in many Linux distros, including on FreeBSD, NetBSD, Debian, Fedora, and Alpine Linux.
The CVE-2020-7247 vulnerability is a local privilege escalation issue and remote code execution flaw that can be exploited by remote attackers to execute arbitrary code with root privileges on a server that uses the OpenSMTPD client.
“Qualys has found a critical vulnerability leading to a possible privilege escalation.” reads the advisory published by Qualys. “It is very important that you upgrade your setups AS SOON AS POSSIBLE.”
An attacker could exploit the flaw by sending malformed SMTP messages to a vulnerable server.
“Nevertheless, our ability to execute arbitrary shell commands through the local part of the sender address is rather limited:
although OpenSMTPD is less restrictive than RFC 5321, the maximum length of a local part should be 64 characters;
the characters in MAILADDR_ESCAPE (for example, ‘$’ and ‘|’) are transformed into ‘:’ characters. To overcome these limitations, we drew inspiration from the Morris worm (https://spaf.cerias.purdue.edu/tech-reps/823.pdf), which exploited the DEBUG vulnerability in Sendmail by executing the body of a mail as a shell script“
OpenSMTPD developers have already released a security patch to address the vulnerability, the OpenSMTPD version 6.6.2p1.
The CVE-2020-7247 flaw was introduced in the OpenSMTPD in May 2018, but many distros still use older implementation of the library that are not impacted.
The experts also released a proof of concept exploit code for the vulnerability.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
January 29, 2020
