CVE-2020-7247 RCE flaw in OpenSMTPD library affects many BSD and Linux distros

Security researchers have spotted a vulnerability, tracked as CVE-2020-7247, that affects a core email-related library used by many BSD and Linux distributions.

Security experts from Qualys have discovered a flaw, tracked as CVE-2020-7247, in OpenSMTPD. OpenSMTPD is an open-source implementation of the server-side SMTP protocol as defined by RFC 5321, it includes also some additional standard extensions. It allows ordinary machines to exchange emails with other systems speaking the SMTP protocol.

OpenSMTPD is present in many Linux distros, including on FreeBSD, NetBSD, Debian, Fedora, and Alpine Linux.

The CVE-2020-7247 vulnerability is a local privilege escalation issue and remote code execution flaw that can be exploited by remote attackers to execute arbitrary code with root privileges on a server that uses the OpenSMTPD client.

“Qualys has found a critical vulnerability leading to a possible privilege escalation.” reads the advisory published by Qualys. “It is very important that you upgrade your setups AS SOON AS POSSIBLE.”

An attacker could exploit the flaw by sending malformed SMTP messages to a vulnerable server.

The experts pointed out that exploitation had some limitations:

“Nevertheless, our ability to execute arbitrary shell commands through the local part of the sender address is rather limited:

• although OpenSMTPD is less restrictive than RFC 5321, the maximum length of a local part should be 64 characters;
• the characters in MAILADDR_ESCAPE (for example, ‘$’ and ‘|’) are transformed into ‘:’ characters. To overcome these limitations, we drew inspiration from the Morris worm (https://spaf.cerias.purdue.edu/tech-reps/823.pdf), which exploited the DEBUG vulnerability in Sendmail by executing the body of a mail as a shell script“

OpenSMTPD developers have already released a security patch to address the vulnerability, the OpenSMTPD version 6.6.2p1.

The CVE-2020-7247 flaw was introduced in the OpenSMTPD in May 2018, but many distros still use older implementation of the library that are not impacted.

The experts also released a proof of concept exploit code for the vulnerability.

Pierluigi Paganini

(SecurityAffairs – Linux, hacking)

Share On