Security News > 2020 > February > New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers
2020-02-25 02:54

OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems.

OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol to deliver messages on a local machine or to relay them to other SMTP servers.

Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as CVE-2020-8794, resides in a component of the OpenSMTPD's client-side code that was introduced nearly 5 years ago.

Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbitrary commands on the vulnerable servers with privileges of either root or any non-root user.

If you're also running BSD or Linux servers with a vulnerable version of the OpenSMTPD, you're advised to download OpenSMTPD 6.6.4p1 and apply the patch as soon as possible.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/8tEfipX6tLI/opensmtpd-email-vulnerability.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-02-25 CVE-2020-8794 Out-of-bounds Read vulnerability in multiple products
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies.
network
low complexity
opensmtpd canonical fedoraproject debian CWE-125
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232
Openbsd 5 1 36 38 15 90