February 24, 2020, updated 25 Feb 2020 9:59am

OpenBSD Pwned, Patched Again: Bug is Remotely Exploitable

Exploit lets user execute arbitrary shell commands as root...

By CBR Staff Writer

There’s a fresh remote code execution (RCE) vulnerability in OpenSMTPD, and by extension in OpenBSD. Yes, it feels like déjà vu all over again.

The severity of the vulnerability, CVE-2020-8794, means that anyone running a public-facing OpenSMTPD deployment should update as soon as possible.

OpenBSD’s developers describe the issue as “an out-of-bounds read in smtpd [that] allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.”

Proof of concept code has been developed and tested against OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31, security researchers say.

As with a high-profile security vulnerability patched just last month in the free mail transfer agent – which lets machines exchange emails with other systems speaking the SMTP protocol – the bug was spotted by Redwood, California-based security intelligence firm and asset discovery specialist Qualys.

See also: Critical Bug Fix: OpenBSD Vulnerability Needs Urgent Patching – RCE With Morris Worm Inspiration

Qualys said: “This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, ‘when peer outputs a multi-line response …’), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235); or as any non-root user, before May 2018.”

The company added: “We have developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31.


“To give OpenSMTPD’s users a chance to patch their systems, we are withholding the exploitation details and code until Wednesday, February 26, 2020.”

That is a full 48 hours for end-users to get patching before less helpful types start making use of the vulnerability, so if you’re affected, get the fix in now.

(The vulnerability, says Qualys, is in OpenSMTPD’s client-side code. It is remotely exploitable in OpenSMTPD’s (and hence OpenBSD’s) default configuration.)

A remote server controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack – SMTP is not TLS-encrypted by default) can use the bug to execute arbitrary shell commands on the vulnerable installation. Qualys says it has also demonstrated server-side exploitation.
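Qualys places the bug in OpenSMTPD’s client-side code, triggered when the remote peer sends a multi-line response. The following is an added example, not OpenSMTPD’s code and not a reproduction of CVE-2020-8794 (whose details the article says were withheld): a length-bounded parser for RFC 5321 multi-line replies, written to show the checks a defender would expect in such code. Every read is bounded by the caller-supplied length rather than by a terminator, each line is capped at 512 bytes, the three-digit code must agree across continuation lines, and a reply with no final line is reported as incomplete rather than read past the buffer. All names here are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Maximum SMTP reply line length including CRLF (RFC 5321). Constructed example. */
#define SMTP_MAX_LINE 512

/* Return codes of parse_smtp_reply (constructed for this example) */
enum { REPLY_OK = 0, REPLY_INCOMPLETE = 1, REPLY_MALFORMED = 2 };

/*
 * Parse a possibly multi-line SMTP reply held in buf[0..len).
 * The function never reads beyond len and does not rely on a NUL terminator.
 * On REPLY_OK, *code holds the 3-digit reply code and *consumed the bytes used.
 * REPLY_INCOMPLETE means more data is needed (no final "NNN " line yet).
 * REPLY_MALFORMED means the peer violated the reply grammar; callers should
 * drop the connection rather than try to make sense of the bytes.
 */
int parse_smtp_reply(const char *buf, size_t len, int *code, size_t *consumed)
{
    size_t pos = 0;
    int first_code = -1;

    for (;;) {
        size_t start = pos, eol = pos, line_len;
        int c, last;

        /* Locate CRLF for this line without stepping past len. */
        while (eol + 1 < len) {
            if (buf[eol] == '\r' && buf[eol + 1] == '\n')
                break;
            eol++;
        }
        if (eol + 1 >= len) {
            /* No CRLF yet: reject an over-long line, otherwise wait for more data. */
            if (len - start > SMTP_MAX_LINE - 2)
                return REPLY_MALFORMED;
            return REPLY_INCOMPLETE;
        }

        line_len = eol - start;                 /* text before the CRLF */
        if (line_len + 2 > SMTP_MAX_LINE || line_len < 3)
            return REPLY_MALFORMED;
        if (!isdigit((unsigned char)buf[start]) ||
            !isdigit((unsigned char)buf[start + 1]) ||
            !isdigit((unsigned char)buf[start + 2]))
            return REPLY_MALFORMED;

        c = (buf[start] - '0') * 100 + (buf[start + 1] - '0') * 10 + (buf[start + 2] - '0');
        if (c < 200 || c > 599)                 /* first digit must be 2..5 */
            return REPLY_MALFORMED;
        if (first_code < 0)
            first_code = c;
        else if (c != first_code)               /* code must not change mid-reply */
            return REPLY_MALFORMED;

        if (line_len == 3)
            last = 1;                           /* bare "NNN" is a final line */
        else if (buf[start + 3] == '-')
            last = 0;                           /* "NNN-" continues the reply */
        else if (buf[start + 3] == ' ')
            last = 1;                           /* "NNN " ends the reply */
        else
            return REPLY_MALFORMED;

        pos = eol + 2;                          /* skip CRLF */
        if (last) {
            *code = first_code;
            *consumed = pos;
            return REPLY_OK;
        }
    }
}

/* Convenience wrappers for NUL-terminated strings (constructed for this example). */
int reply_status(const char *s)
{
    int c = 0; size_t n = 0;
    return parse_smtp_reply(s, strlen(s), &c, &n);
}

int reply_code(const char *s)
{
    int c = 0; size_t n = 0;
    return parse_smtp_reply(s, strlen(s), &c, &n) == REPLY_OK ? c : -1;
}

/* A 600-byte line with no CRLF must be rejected, not buffered or read past. */
int overlong_line_rejected(void)
{
    char big[600];
    int c = 0; size_t n = 0;
    memset(big, 'a', sizeof big);
    return parse_smtp_reply(big, sizeof big, &c, &n) == REPLY_MALFORMED;
}
```

The design choice worth noting is that the parser reports three distinct outcomes: a truncated reply is not an error (the caller reads more), but a grammar violation is terminal, so a peer cannot coax the client into consuming bytes it never validated.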

The company thanked OpenBSD’s developers for their “quick response and patches”.

Computer Business Review will take a closer look at this when the public exploit lands on Wednesday. If you have any comments meanwhile, get in touch.
