Security News > 2020 > February > New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers
OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems.
OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol to deliver messages on a local machine or to relay them to other SMTP servers.
Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as CVE-2020-8794, resides in a component of the OpenSMTPD's client-side code that was introduced nearly 5 years ago.
Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbitrary commands on the vulnerable servers with privileges of either root or any non-root user.
If you're also running BSD or Linux servers with a vulnerable version of the OpenSMTPD, you're advised to download OpenSMTPD 6.6.4p1 and apply the patch as soon as possible.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/8tEfipX6tLI/opensmtpd-email-vulnerability.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-02-25 | CVE-2020-8794 | Out-of-bounds Read vulnerability in multiple products OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. | 9.8 |