Critical RCE flaw in OpenSMTPD, patch available

Qualys researchers have discovered a critical vulnerability (CVE-2020-7247) in OpenBSD’s OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root.


“We developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release) and Debian testing (Bullseye); other versions and distributions may be exploitable,” they noted in the accompanying security advisory.

What is OpenSMTPD?

OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol. It is developed as part of the OpenBSD project.

Its portable version can run on many other operating systems, such as FreeBSD, NetBSD, DragonFlyBSD, Mac OS X, and various Linux distributions. OpenSMTPD has also been incorporated in some of them.

About CVE-2020-7247

CVE-2020-7247 has been found in OpenSMTPD’s smtp_mailaddr() function, which is responsible for validating sender and recipient mail addresses.

The vulnerability can be exploited by sending to a vulnerable server a specially crafted SMTP message.

Qualys researchers were able to overcome certain exploitation limitations by using a technique from the Morris Worm, one of the first computer worms distributed via the Internet, to make sure the body of the email they sent is executed as a shell script.

“This vulnerability is exploitable since May 2018 and allows an attacker to execute arbitrary shell commands as root: either locally, in OpenSMTPD’s default configuration (which listens on the loopback interface and only accepts mail from localhost); or locally and remotely, in OpenSMTPD’s ‘uncommented’ default configuration (which listens on all interfaces and accepts external mail),” the researchers explained.

Patch available

The flaw has been responsibly disclosed to OpenSMTPD developers, who have released a patch for OpenBSD. A portable versions of the implementation (OpenSMTPD 6.6.2p1) has also been made available.

They did not say which versions of OpenSMTPD are affected, but promised to provide more details about the flaw “when things settle down”.

Hopefully the fix will be propagated into affected OS distributions soon, as the bug is being already debated online and Qualys’s advisory is pretty on point.

UPDATE (February 4, 2020, 1:10 a.m. PT):

More information about which OS distributions are affected, which are not, and links to patches are available here.

Don't miss