A new RCE in OpenSMTPD’s default install, patch available
2020-02-25 10:18

Less than a month after the patching of a critical RCE flaw in OpenSMTPD, OpenBSD's mail server, comes another call to upgrade to the latest version, as two additional security holes have been plugged.

CVE-2020-8794 is an out-of-bounds read flaw that was introduced in December 2015. Depending on the vulnerable OpenSMTPD version, it can lead to the execution of arbitrary shell commands either as root or as any non-root user.

"Client-side exploitation: This vulnerability is remotely exploitable in OpenSMTPD's default configuration. Although OpenSMTPD listens on localhost only, by default, it does accept mail from local users and delivers it to remote servers. If such a remote server is controlled by an attacker, then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation," the researchers explained.

For server-side exploitation, the attacker must first connect to the OpenSMTPD server and send a mail that creates a bounce.

"Next, when OpenSMTPD connects back to their mail server to deliver this bounce, the attacker can exploit OpenSMTPD's client-side vulnerability. Last, for their shell commands to be executed, the attacker must crash OpenSMTPD and wait until it is restarted," they concluded.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/IzsSzGMOKnc/

Related Vulnerability

DATE: 2020-02-25
CVE: CVE-2020-8794
VULNERABILITY TITLE: Out-of-bounds Read vulnerability in multiple products
Description: OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies.
Attack vector: network
Attack complexity: low
Vendors: opensmtpd, canonical, fedoraproject, debian
Weakness: CWE-125
RISK: critical, 9.8
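
The record above places the out-of-bounds read in the handling of multi-line SMTP replies. The following is an added example, not OpenSMTPD's code and not part of the original article: a reply parser in C that compares every index with the line length before reading, so a short or malformed line from a remote server is rejected rather than read past. The names reply_line, parse_reply_line and collect_reply are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

struct reply_line {        /* one parsed line; hypothetical names, not OpenSMTPD's */
    int code;              /* three-digit status */
    int more;              /* 1 for "NNN-" (continuation), 0 for the final line */
    const char *text;      /* start of the text, not NUL-terminated */
    size_t text_len;       /* may be 0 */
};

/* Parse one line of length len (CRLF stripped). Returns 0, or -1 if malformed.
 * Each index is compared with len before the byte at that index is read. */
int parse_reply_line(const char *line, size_t len, struct reply_line *out)
{
    if (line == NULL || len < 3) return -1;      /* too short to hold a code */
    for (size_t i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i])) return -1;
    out->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    out->more = 0;
    out->text = line + 3;
    out->text_len = 0;
    if (len == 3) return 0;                      /* bare "250": final, no text */
    if (line[3] != '-' && line[3] != ' ') return -1;
    out->more = (line[3] == '-');
    out->text = line + 4;                        /* len >= 4 is known here */
    out->text_len = len - 4;
    return 0;
}

/* Join a multi-line reply's text into buf, '\n'-separated. Returns the status
 * code, or -1 on a malformed line, code mismatch, missing final line or overflow. */
int collect_reply(const char *const *lines, size_t n, char *buf, size_t bufsz)
{
    size_t used = 0;
    int code = -1;
    struct reply_line r;
    if (bufsz == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (parse_reply_line(lines[i], strlen(lines[i]), &r) != 0) return -1;
        if (code != -1 && r.code != code) return -1;   /* codes must agree */
        code = r.code;
        if (r.text_len + (used ? 1 : 0) >= bufsz - used) return -1; /* keep NUL room */
        if (used) buf[used++] = '\n';
        memcpy(buf + used, r.text, r.text_len);
        used += r.text_len;
        buf[used] = '\0';
        if (!r.more) return (i == n - 1) ? code : -1;  /* final line must be last */
    }
    return -1;                                   /* no final line seen */
}
```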