There’s a fresh remote code execution (RCE) vulnerability in OpenSMTPD, and by extension in OpenBSD. Yes, it feels like déjà vu all over again.
The severity of the vulnerability, CVE-2020-8794, means that anyone running a public-facing OpenSMTPD deployment should update as soon as possible.
OpenBSD’s developers describe the issue as “an out of bounds read in smtpd [that] allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.”
Proof of concept code has been developed and tested against OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31, security researchers say.
As with a high-profile security vulnerability patched just last month in the free mail transfer agent (the software that lets machines exchange email with other systems speaking the SMTP protocol), the bug was spotted by Redwood, California-based security intelligence and asset discovery specialist Qualys.
Qualys said: “This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, ‘when peer outputs a multi-line response …’), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235); or as any non-root user, before May 2018.”
The company added: “We have developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31.
“To give OpenSMTPD’s users a chance to patch their systems, we are withholding the exploitation details and code until Wednesday, February 26, 2020.”
That is a full 48 hours for end-users to get patching before less helpful types start making use of the vulnerability, so if you’re affected, get the fix in now.
(The vulnerability, says Qualys, is in OpenSMTPD’s client-side code. It is remotely exploitable in OpenSMTPD’s (and hence OpenBSD’s) default configuration.)
A remote server controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack – SMTP is not TLS-encrypted by default) can use the bug to execute arbitrary shell commands on the vulnerable installation. Qualys says it has also demonstrated server-side exploitation.
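Since the flaw sits in the client-side handling of a peer’s multi-line reply, the defensive lesson is strict, bounded parsing of whatever a remote SMTP server sends back. The following is an added illustration written for this article, not OpenSMTPD’s code or Qualys’s proof of concept; the line-count cap and the outright rejection of over-long lines are assumptions chosen for the example.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (final line);
# a bare code with no text is also a valid final line. CR/LF inside a line is rejected.
_REPLY_LINE = re.compile(r'(\d{3})(?:([ -])([^\r\n]*))?')
MAX_LINE_LEN = 512   # RFC 5321 reply-line limit; rejecting longer lines outright is an assumption
MAX_LINES = 100      # constructed cap so a hostile peer cannot stream continuation lines forever


class SMTPReplyError(ValueError):
    """Raised for any reply that does not have the expected shape."""


def parse_reply(raw):
    """Parse a possibly multi-line SMTP reply into (code, [text lines]), checking
    every property (CRLF, length, ASCII, one code, one final line) before use."""
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        raise SMTPReplyError("non-ASCII byte in reply")
    if '\0' in text or not text.endswith('\r\n'):
        raise SMTPReplyError("NUL byte or missing CRLF terminator")
    lines = text[:-2].split('\r\n')
    if len(lines) > MAX_LINES:
        raise SMTPReplyError("more than %d reply lines" % MAX_LINES)
    code, out = None, []
    for i, line in enumerate(lines):
        if len(line) > MAX_LINE_LEN:
            raise SMTPReplyError("reply line exceeds %d bytes" % MAX_LINE_LEN)
        m = _REPLY_LINE.fullmatch(line)
        if not m:
            raise SMTPReplyError("malformed reply line: %r" % line)
        this_code, sep, body = m.groups()
        sep, body = sep or ' ', body or ''          # bare code counts as a final line
        if code is None:
            code = int(this_code)
        elif int(this_code) != code:
            raise SMTPReplyError("reply code changed mid-reply")
        last = i == len(lines) - 1
        if (sep == '-') == last:   # "-" on the last line, or a final line before the end
            raise SMTPReplyError("continuation marker inconsistent with line position")
        out.append(body)
    return code, out


def is_well_formed(raw):
    # Convenience predicate: True only if parse_reply accepts the bytes.
    try:
        parse_reply(raw)
        return True
    except SMTPReplyError:
        return False
```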
The company thanked OpenBSD’s developers for their “quick response and patches”.
Computer Business Review will take a closer look at this when the public exploit lands on Wednesday. If you have any comments meanwhile, get in touch.