Security researchers at Qualys say they’ve identified a remotely exploitable vulnerability in OpenBSD’s mail server — used by a range of Linux distributions.
The critical vulnerability is in OpenSMTPD, a free mail transfer agent that lets machines exchange emails with other systems speaking the SMTP protocol.
The OpenSMTPD vulnerability, which has been exploitable since May 2018, allows an attacker to execute arbitrary shell commands as root, in two ways:
Locally, in OpenSMTPD’s default configuration (which listens on the loopback interface and only accepts mail from localhost);
Remotely, in its “uncommented” default configuration (which listens on all interfaces and accepts external mail).
It is the third set of serious vulnerabilities discovered in OpenBSD over the past two months. Redwood, CA-based Qualys said it has tested a proof of concept against OpenBSD 6.6 (the current release) and Debian testing (Bullseye).
The team say they took inspiration from the 32-year-old Morris worm to exfiltrate data from the OpenSMTPD mail server using the RCE — which allows an attacker to execute arbitrary shell commands with elevated privileges.
Animesh Jain, Product Manager for Vulnerability Signatures at Qualys, said: “OpenBSD developers have confirmed the vulnerability and also quickly provided a patch. Exploitation of the vulnerability had some limitations in terms of local part length (max 64 characters is allowed) and characters to be escaped (“$”, “|”).”
He added: “Qualys researchers were able to overcome these limitations using a technique from the Morris Worm (one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention) by executing the body of the mail as a shell script in Sendmail.”