Experts discovered a new critical remote code execution vulnerability in OpenSMTPD that could allow attackers to compromise email servers running BSD or Linux.

A new critical remote code execution vulnerability was discovered in OpenSMTPD that could be exploited by attackers to take complete control of email servers running BSD or Linux operating systems.

OpenSMTPD is an open-source implementation of the server-side SMTP protocol as defined by RFC 5321; it also includes some additional standard extensions. It allows ordinary machines to exchange emails with other systems speaking the SMTP protocol.

OpenSMTPD is present in many BSD and Linux distributions, including FreeBSD, NetBSD, Debian, Fedora, and Alpine Linux.

The new vulnerability was discovered by researchers from Qualys Research Labs; it is an out-of-bounds read issue tracked as CVE-2020-8794.

The vulnerability resides in a component of OpenSMTPD’s client-side code that was introduced in December 2015.

“We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response …”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018.” reads the advisory published by the experts.

Experts pointed out that attackers in the wild started exploiting the issue a few hours after its disclosure.

The vulnerability could be exploited by a local or remote attacker in two ways, by sending specially crafted SMTP messages. The experts described two attack scenarios: client-side exploitation and server-side exploitation. The first scenario is remote exploitation of the flaw on a server with a default configuration, while in the second scenario the attackers first connect to the OpenSMTPD server and then send an email that creates a bounce.

Experts developed a working exploit that they successfully tested against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first ), Debian 10 (stable), Debian 11 (testing), and Fedora 31.

“We tested our exploit against the recent changes in OpenSMTPD 6.6.3p1, and our results are: if the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible.” continues the advisory.

Qualys plans to reveal exploitation details and exploit code after the 26th of February to give OpenSMTPD users time to patch their systems.

Admins of BSD or Linux servers are advised to download OpenSMTPD 6.6.4p1 and apply the patch as soon as possible.

In January, the same team of experts from Qualys spotted another vulnerability in OpenSMTPD, tracked as CVE-2020-7247.

Pierluigi Paganini