A new RCE in OpenSMTPD’s default install, patch available
Less than a month after the patching of a critical RCE flaw in OpenSMTPD, OpenBSD’s mail server, comes another call to upgrade to the latest version, as two additional security holes have been plugged.
Discovered by Qualys researchers, one is a less severe local information disclosure bug, but the other – once again – could be exploited remotely to execute arbitrary shell commands on a vulnerable machine.
CVE-2020-8793 is a minor vulnerability that could allow an unprivileged local attacker to read the first line of an arbitrary file or the entire contents of another user’s file.
The researchers have developed a proof of concept and successfully tested it against the latest OpenBSD and Fedora versions (v6.6 and v31, respectively).
CVE-2020-8794 is an out-of-bounds read flaw introduced in December 2015 and can – depending on the vulnerable OpenSMTPD version – lead to the execution of arbitrary shell commands either as root or as any non-root user.
Because it resides in OpenSMTPD’s client-side code, which delivers mail to remote SMTP servers, two different exploitation scenarios are possible.
“Client-side exploitation: This vulnerability is remotely exploitable in OpenSMTPD’s (and hence OpenBSD’s) default configuration. Although OpenSMTPD listens on localhost only, by default, it does accept mail from local users and delivers it to remote servers. If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack — SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation,” the researchers explained.
For server-side exploitation, the attacker must first connect to the OpenSMTPD server (which accepts external mail) and send a mail that creates a bounce.
“Next, when OpenSMTPD connects back to their mail server to deliver this bounce, the attacker can exploit OpenSMTPD’s client-side vulnerability. Last, for their shell commands to be executed, the attacker must (to the best of our knowledge) crash OpenSMTPD and wait until it is restarted (either manually by an administrator, or automatically by a system update or reboot),” they concluded.
Both vulnerabilities have been patched in OpenBSD, as well as in OpenSMTPD’s latest portable version (6.6.4p1), and users are advised to upgrade as soon as possible.
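Since the only remediation the article gives is upgrading to the fixed portable release, the one check an administrator wants is a quick way to compare an installed OpenSMTPD version string against 6.6.4p1 across a fleet. The following is an added example written for this article, not code from Qualys or from the OpenSMTPD project; it assumes the portable release format "major.minor.patch" with an optional "pN" suffix, and treats a version without the suffix as revision 0 (an assumption, not something the article states).

```python
import re

# Portable OpenSMTPD version that the article reports as carrying the fixes
# for CVE-2020-8793 and CVE-2020-8794.
FIXED_PORTABLE_VERSION = "6.6.4p1"

# Matches "6.6.4p1" or "6.6.4"; anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(version):
    """Turn a portable OpenSMTPD version string such as '6.6.4p1' into a
    comparable tuple (major, minor, patch, portable_revision).

    Assumption (not from the article): a version with no 'pN' suffix is
    treated as portable revision 0, so '6.6.4' sorts below '6.6.4p1'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSMTPD version string: {version!r}")
    major, minor, patch, prev = m.groups()
    return (int(major), int(minor), int(patch), int(prev or 0))


def is_patched(installed_version, fixed_version=FIXED_PORTABLE_VERSION):
    """True when the installed build is at or above the fixed release."""
    return parse_version(installed_version) >= parse_version(fixed_version)


def triage(hosts):
    """hosts: mapping of hostname -> installed OpenSMTPD version string.
    Returns the sorted list of hostnames still running a build older than
    the fixed release."""
    return sorted(host for host, ver in hosts.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = {
        "mx-a.example.test": "6.6.4p1",
        "mx-b.example.test": "6.6.3p1",
        "relay.example.test": "6.6.4",
        "legacy.example.test": "6.4.0p1",
    }
    for host in triage(inventory):
        print(f"{host}: {inventory[host]} is older than "
              f"{FIXED_PORTABLE_VERSION}, upgrade required")
```

The regex deliberately refuses anything that is not a three-component version, so a malformed or distribution-specific string surfaces as an error instead of silently being marked as patched; distribution packages that backport the fix without bumping the upstream version would need their own check.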
The similar RCE plugged in January ended up being exploited in attacks in the wild a few days after its existence was publicly revealed.
Qualys researchers have developed proof of concept exploit code for CVE-2020-8794 and tested it against OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11 and Fedora 31, but have decided not to release it publicly quite yet – to give users time to patch.