New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers
OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems.
OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol (SMTP) to deliver messages on a local machine or to relay them to other SMTP servers.
It was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems.
Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as CVE-2020-8794, resides in a component of the OpenSMTPD’s client-side code that was introduced nearly 5 years ago.
Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbitrary commands on the vulnerable servers with privileges of either root or any non-root user.
As described in the screenshot of the advisory, the flaw can be exploited by a local or remote attacker in two ways by sending specially crafted SMTP messages, one works in the default configuration, and the second leverages email bounce mechanism.
“We developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31,” the advisory says.
“We tested our exploit against the recent changes in OpenSMTPD 6.6.3p1, and our results are: if the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible.”
However, the Qualys team has decided to withhold the exploitation details and exploit code until 26th February, giving vulnerable OpenSMTPD’s users a two-day window to patch their systems.
If you’re also running BSD or Linux servers with a vulnerable version of the OpenSMTPD, you’re advised to download OpenSMTPD 6.6.4 and apply the patch as soon as possible.