RCE in OpenSMTPD library impacts BSD and Linux distros
Security researchers have discovered a vulnerability inside a core email-related library used by many BSD and Linux distributions.
The vulnerability, tracked as CVE-2020-7247, impacts OpenSMTPD, an open-source implementation of the server-side SMTP protocol.
The library is normally included with distros that are designed to operate on servers, allowing the server to handle SMTP-related email messages and traffic.
The OpenSMTPD library was initially developed for the OpenBSD operating system, but the library was open-sourced, and its "portable version" has also been incorporated into other OSes, such as FreeBSD, NetBSD, and some Linux distros, such as Debian, Fedora, Alpine Linux, and more.
I just pushed patched #OpenSMTPD to #AlpineLinux edge and v3.11. Packages should be available on mirrors in few minutes. If you're running OpenSMTPD 6.6.1p1, upgrade immediately! https://t.co/sUaEuDFBXm
— Jakub Jirutka (@JakubJirutka) January 29, 2020
Vulnerability lets remote attackers run code as root
At the technical level, the vulnerability is a "local privilege escalation" and "remote code execution" flaw that can be abused to run code remotely on a server that uses the OpenSMTPD client.
To exploit this issue, an attacker must craft and send malformed SMTP messages to a vulnerable server. The attacker's code is executed with root privileges, according to researchers from Qualys, the ones who discovered the vulnerability.
"Exploitation of the vulnerability had some limitations in terms of local part length (max 64 characters is allowed) and characters to be escaped ($, |)," Animesh Jain, Product Manager for Vulnerability Signatures at Qualys, told ZDNet in an email.
"Qualys researchers were able to overcome these limitations using a technique from the Morris Worm (one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention) by executing the body of the mail as a shell script in Sendmail," Jain said.
A patch is available
OpenSMTPD developers have confirmed the vulnerability and have released a patch earlier today -- OpenSMTPD version 6.6.2p1.
System administrators who have configured their BSD and Linux servers to use the OpenSMTPD client are advised to apply the patch as soon as possible.
The good news is that the bug was introduced in the OpenSMTPD code in May 2018 and that many distros may still use older library versions, not affected by this issue. For example, only in-dev Debian releases are affected by this issue, but not Debian stable branches, which ship with older OpenSMTPD versions.
Technical details and proof of concept exploit code are available in the Qualys CVE-2020-7247 security advisory.