RCE in OpenSMTPD library impacts BSD and Linux distros

guest · Jan 29, 2020

RCE in OpenSMTPD library impacts BSD and Linux distros
Vulnerability, tracked as CVE-2020-7247, can be exploited remotely over the internet
January 29, 2020
https://www.zdnet.com/article/rce-in-opensmtpd-library-impacts-bsd-and-linux-distros/

Security researchers have discovered a vulnerability inside a core email-related library used by many BSD and Linux distributions.
The vulnerability, tracked as CVE-2020-7247, impacts OpenSMTPD, an open-source implementation of the server-side SMTP protocol.

The OpenSMTPD library was initially developed for the OpenBSD operating system, but the library was open-sourced, and its "portable version" has also been incorporated into other OSes, such as FreeBSD, NetBSD, and some Linux distros, such as Debian, Fedora, Alpine Linux, and more.
VULNERABILITY LETS REMOTE ATTACKERS RUN CODE AS ROOT
At the technical level, the vulnerability is a "local privilege escalation" and "remote code execution" flaw that can be abused to run code remotely on a server that uses the OpenSMTPD client.
Click to expand...

A PATCH IS AVAILABLE
OpenSMTPD developers have confirmed the vulnerability and have released a patch earlier today -- OpenSMTPD version 6.6.2p1.

Technical details and proof of concept exploit code are available in the Qualys CVE-2020-7247 security advisory.
Click to expand...

guest · Feb 2, 2020

OpenSMTPD vulnerable to local privilege escalation and remote code execution
Vulnerability Note VU#390745
January 31, 2020
https://kb.cert.org/vuls/id/390745/

Overview
Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
Description
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty, smtp_mailaddr() will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.
Impact
An attacker could send a malformed SMTP message that will bypass the smtp_mailaddr() validation and execute arbitrary code. This could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
Click to expand...

Solution
Apply an update
OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.
Click to expand...

guest · Feb 25, 2020

New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
February 25, 2020
https://www.bleepingcomputer.com/ne...-openbsd-smtp-server-threatens-linux-distros/

Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system.
OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
Bug present since late 2015
Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.
Researchers at Qualys published a technical report, noting that the issue is an out-of-bounds read introduced in December 2015 with commit 80c6a60c.
PoC ready, to be released
The PoC created by Qualys has been tested successfully on the current OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31. Given that it will become public tomorrow, system administrators are urged to apply the latest patches.
The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing "AS SOON AS POSSIBLE."
Click to expand...

guest · Mar 12, 2020

OpenSMTPD Vulnerability (CVE-2020-8794) Can Lead to Root Privilege Escalation and Remote Code Execution
March 12, 2020
https://blog.trendmicro.com/trendla...ivilege-escalation-and-remote-code-execution/

This is the third OpenSMTPD vulnerability found in the last month, with the previous two being a remote code execution vulnerability (CVE-2020-7247) that allows attackers to execute arbitrary commands as root through a specially crafted SMTP session and a vulnerability (CVE-2020-8793) that allows local users to potentially read arbitrary system files.
This vulnerability (CVE-2020-8794) is especially notable since it affects default installations of OpenSMTPD and the most current release of OpenBSD (version 6.6 at the time of writing) ships with a vulnerable version.

CVE-2020-8794, originally introduced to OpenSMTPD in version 5.7.1 and included in OpenBSD as of December 2015, allowed attackers to run commands as any non-root user. The effect of the flaw worsened after OpenSMTPD switched to a new message grammar in May 2018, where it allowed attackers to run commands as root.
The vulnerability is located in the client-side portion of the code [...] Client-side exploitation is the simpler method.
Click to expand...

It should be noted that even if a server is using an older version that does not allow the attacker to execute commands as root, there are still significant risks since an attacker could still run many malicious commands. It is also possible for the attacker to elevate their privilege if combined with other exploits.
Click to expand...

Log in or Sign up

RCE in OpenSMTPD library impacts BSD and Linux distros

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

RCE in OpenSMTPD library impacts BSD and Linux distros

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches