View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 29, 2020

Critical Bug Fix: OpenBSD Vulnerability Needs Urgent Patching – RCE With Morris Worm Inspiration

Bug lets an attacker execute arbitrary shell commands with elevated privileges

By CBR Staff Writer

Security researchers at Qualys say they’ve identified a remotely exploitable vulnerability in OpenBSD’s mail server — used by a range of Linux distributions.

The critical vulnerability is in OpenSMTPD, a free mail transfer agent that lets machines exchange emails with other systems speaking the SMTP protocol.

The OpenSMTPD vulnerability, which has been exploitable since May 2018, allows an attacker to execute arbitrary shell commands, as root in two ways:

  • Locally, in OpenSMTPD’s default configuration (which listens on
    the loopback interface and only accepts mail from localhost);
  • Remotely, in its “uncommented” default configuration (which listens on all interfaces and accepts external mail).

It is the third set of serious vulnerabilities discovered in OpenBSD over the past two months. Redwood, CA-based Qualys said it has tested a proof of concept against OpenBSD 6.6 (the current release) and Debian testing (Bullseye).

The company warned that various distributions may be exploitable using the vulnerability. It was not immediately clear which distros were vulnerable.

OpenSMTPD Vulnerability, Morris Worm Inspiration

The team say they took inspiration from the 32-year-old Morris worm to exfiltrate data from the OpenSMTPD mail server using the RCE — which allows an attacker to execute arbitrary shell commands with elevated privileges. 

Animesh Jain, Product Manager for Vulnerability Signatures at Qualys said: “penBSD developers have confirmed the vulnerability and also quickly provided a patch. Exploitation of the vulnerability had some limitations in terms of local part length (max 64 characters is allowed) and characters to be escaped (“$”, “|”).

He added: “Qualys researchers were able to overcome these limitations using a technique from the Morris Worm (one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention) by executing the body of the mail as a shell script in Sendmail.”

See also: VMware Warns Over AMD Driver Vulnerabilities



Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.