Cybersecurity Threat Advisory 0011-20: RCE in OpenSMTPD library (CVE-2020-7247)
There is a critical remote code execution vulnerability in OpenSMTPD, affecting BSD and Linux distributions. Exploitation could allow an attacker to execute commands as root. A link to the patch is included in the recommendations section below.
Technical detail and additional information
What is the threat?
Researchers have discovered a critical remote code execution vulnerability in OpenSMTPD that allows attackers to execute arbitrary shell commands as root. The vulnerability can be exploited in one of two ways:
- LOCALLY, in OpenSMTPD’s default configuration (which listens on the loopback interface and only accepts mail from localhost)
- LOCALLY AND REMOTELY, in OpenSMTPD’s “uncommented” default configuration (which listens on all interfaces and accepts external mail)
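The two exposure modes above come down to a few lines of smtpd.conf. As an added illustration (example code written for this advisory, not part of OpenSMTPD or of the Qualys research), the following Python script reads a configuration and reports whether the daemon only listens on loopback or also listens externally and accepts mail from any source. The sample configurations are constructed to mirror the shape of the stock configuration file; the loopback interface names and the `listen on` / `match from any` syntax it parses are the script's assumptions about that file.

```python
"""Classify an OpenSMTPD smtpd.conf by the exposure modes named in the advisory.

Added example, not part of the advisory or of OpenSMTPD. It models the two
configurations the advisory describes: the shipped default (listen on the
loopback interface, accept mail only from local) and the "uncommented" variant
(listen on all interfaces, accept mail from any). Sample configs are constructed.
"""
import re

# Constructed sample: the shape of a stock OpenSMTPD smtpd.conf (assumed layout).
DEFAULT_CONF = """\
table aliases file:/etc/mail/aliases

# To accept external mail, replace with: listen on all
#
listen on lo0

action "local_mail" mbox alias <aliases>
action "outbound" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match from local for any action "outbound"
"""

# Constructed sample: the same file with the external-mail lines uncommented.
EXTERNAL_CONF = DEFAULT_CONF.replace("listen on lo0", "listen on all").replace(
    '# match from any for domain "example.org"',
    'match from any for domain "example.org"',
)

LISTEN_RE = re.compile(r"^\s*listen\s+on\s+(\S+)")
MATCH_FROM_ANY_RE = re.compile(r"^\s*match\s+from\s+any\b")
# Interface names / addresses treated as loopback (assumed list; extend as needed).
LOOPBACK = {"lo0", "lo", "localhost", "127.0.0.1", "::1"}


def strip_comments(text):
    """Drop comment-only lines and trailing '#' comments; return live config lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.strip():
            lines.append(line)
    return lines


def classify_exposure(conf_text):
    """Summarise a config: which interfaces it listens on and whether it is
    reachable from outside.  'exposure' is one of:
      'none'   - no listener at all
      'local'  - listens only on loopback (the advisory's local-only case)
      'remote' - listens on a non-loopback interface AND accepts mail from any
      'listening-externally' - non-loopback listener but no 'match from any' rule
    """
    listeners = []
    accepts_external = False
    for line in strip_comments(conf_text):
        m = LISTEN_RE.match(line)
        if m:
            listeners.append(m.group(1))
        if MATCH_FROM_ANY_RE.match(line):
            accepts_external = True
    non_loopback = [i for i in listeners if i not in LOOPBACK]
    if not listeners:
        exposure = "none"
    elif non_loopback and accepts_external:
        exposure = "remote"
    elif non_loopback:
        exposure = "listening-externally"
    else:
        exposure = "local"
    return {"listeners": listeners, "accepts_external": accepts_external,
            "exposure": exposure}


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("uncommented", EXTERNAL_CONF)):
        print(name, classify_exposure(conf))
```

Run it against a real file with `classify_exposure(open("/etc/mail/smtpd.conf").read())`; a result of `remote` on an unpatched host means the second, remotely reachable case in the list above applies.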
Researchers from Qualys reused a technique from the infamous Morris worm to make the exploit practical: by having the body of the mail executed as a shell script, they worked around the restrictions on which characters the injected command could contain.
Why is this noteworthy?
OpenSMTPD is a server-side implementation of the SMTP protocol used to exchange email between systems. It is part of the OpenBSD project and also runs on other operating systems, including macOS, Linux (CentOS, Alpine, Debian, Arch, Fedora), NetBSD, and FreeBSD. The vulnerability has been exploitable since the affected code was introduced in 2018, so any system that has not been patched with the latest update is vulnerable to this threat.
What is the exposure or risk?
The exploit itself is relatively simple: by placing a command in the MAIL FROM field, an attacker passes unsanitized input into the server. Successful exploitation could allow a remote attacker to execute code as a privileged user, which could lead to the compromise of the mail server and, from there, the internal network as a whole. Qualys has released QID 50097, which provides both remote and authenticated detection for this vulnerability.
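Because the unsanitized value is the sender address, a defender can hunt mail logs for MAIL FROM values that could never be a legitimate RFC 5321 address. The following Python scanner is an added example written for this advisory (not tooling from Qualys, OpenSMTPD, or the vendor): it pulls the sender out of each log line, flags local parts containing shell metacharacters or characters outside the RFC 5321 dot-atom set, and leaves the null reverse-path `<>` alone. The log lines are constructed and only loosely mimic the smtpd log layout; `MAIL_FROM_RE` and the session-id extraction are assumptions to adjust to your logger's real format.

```python
"""Flag SMTP sender addresses that carry shell metacharacters.

Added example, not part of the advisory or of OpenSMTPD.  The advisory's point
is that an unsanitized MAIL FROM value reached a shell; this scanner looks for
sender addresses that could never be valid RFC 5321 dot-atom mailboxes.
The log lines are constructed and only loosely mimic the smtpd log format.
"""
import re

# Constructed sample log lines (not real OpenSMTPD output).
SAMPLE_LOG = """\
Jan 29 10:00:01 mx1 smtpd[1234]: 1a2b3c4d smtp-in: command "MAIL FROM:<alice@example.com>" result="250 2.0.0 Ok"
Jan 29 10:00:05 mx1 smtpd[1234]: 1a2b3c4e smtp-in: command "MAIL FROM:<>" result="250 2.0.0 Ok"
Jan 29 10:00:09 mx1 smtpd[1234]: 1a2b3c4f smtp-in: command "MAIL FROM:<user;name@example.com>" result="250 2.0.0 Ok"
Jan 29 10:00:12 mx1 smtpd[1234]: 1a2b3c50 smtp-in: command "MAIL FROM:<bob.smith+tag@sub.example.org>" result="250 2.0.0 Ok"
Jan 29 10:00:15 mx1 smtpd[1234]: 1a2b3c51 smtp-in: connected address=192.0.2.10
"""

# Assumed log layout: the reverse-path sits between <> after "MAIL FROM:".
MAIL_FROM_RE = re.compile(r"MAIL FROM:<([^>]*)>", re.IGNORECASE)
# RFC 5321 dot-atom local part: runs of atext separated by single dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")
# Characters meaningful to /bin/sh.  Some ($ ` | { }) are technically atext,
# but a sender address containing them is rare enough to deserve a look.
SHELL_META = set(";|&`$()<>{}\\'\" \t\n")


def parse_sender(line):
    """Return (session_id, sender) from a log line, or None if no MAIL FROM."""
    m = MAIL_FROM_RE.search(line)
    if not m:
        return None
    fields = line.split()
    # Assumed layout: the session id is the token right before "smtp-in:".
    session = fields[fields.index("smtp-in:") - 1] if "smtp-in:" in fields else "?"
    return session, m.group(1)


def check_sender(sender):
    """Return the reasons a sender address is suspicious (empty list = clean)."""
    if sender == "":
        return []  # null reverse-path: legitimate for bounces
    local, sep, _domain = sender.rpartition("@")
    if not sep:
        local = sender  # no '@' at all: treat the whole string as the local part
    reasons = []
    meta = sorted(set(local) & SHELL_META)
    if meta:
        reasons.append("shell metacharacters: " + repr("".join(meta)))
    if not DOT_ATOM_RE.match(local):
        reasons.append("local part is not an RFC 5321 dot-atom")
    return reasons


def scan_log(text):
    """Return [(session, sender, reasons)] for every flagged MAIL FROM in the log."""
    findings = []
    for line in text.splitlines():
        parsed = parse_sender(line)
        if parsed is None:
            continue
        session, sender = parsed
        reasons = check_sender(sender)
        if reasons:
            findings.append((session, sender, reasons))
    return findings


if __name__ == "__main__":
    for session, sender, reasons in scan_log(SAMPLE_LOG):
        print(f"{session}: {sender!r}: {'; '.join(reasons)}")
```

Quoted-string local parts (`"a b"@example.com`) are legal but also trip this check; that is deliberate for a hunting query, where a rare form is worth a second look. A hit is a lead, not a confirmed compromise: the decisive control remains applying the patch referenced below.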
What are the recommendations?
OpenBSD has released a patch to remediate this issue. See errata entry “019” at the link provided here: https://www.openbsd.org/errata66.html
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.