An update released this week for the OpenSMTPD mail server addresses an out-of-bounds read vulnerability that could lead to arbitrary command execution.
OpenSMTPD is the open source implementation of the Simple Mail Transfer Protocol (SMTP) in OpenBSD; its portable version also runs on multiple Linux distributions and on Apple’s Mac OS X platform.
Tracked as CVE-2020-8794, the recently discovered issue was introduced in December 2015. The security flaw is remotely exploitable and can be abused to execute arbitrary shell commands. In versions released after May 2018, the commands are executed as root.
The issue resides in OpenSMTPD’s client-side code, which delivers mail to remote SMTP servers, and exploitation is possible either client-side or server-side, explains security firm Qualys, which discovered the vulnerability.
Client-side exploitation is possible using OpenSMTPD’s default configuration. The mail server listens on localhost only, but it can deliver mail from local users to remote servers. In the event that the remote server is controlled by an attacker, the vulnerability can be exploited.
Server-side exploitation requires the attacker to connect to the OpenSMTPD server and send an email that creates a bounce. When OpenSMTPD connects to the attacker’s mail server to deliver the bounce, the attacker exploits the client-side vulnerability. To achieve shell command execution, the attacker needs to crash OpenSMTPD and wait for it to be restarted.
Qualys came up with a simple exploit that was tested against OpenBSD 6.6, OpenBSD 5.9 (the first vulnerable release), Debian 10, Debian 11 (testing), and Fedora 31, but the company will not release further details on the vulnerability and an exploit until later this week.
“An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group,” OpenBSD’s developers note on GitHub.
A second vulnerability found in OpenSMTPD allows an unprivileged local attacker to read the first line of an arbitrary file (such as root’s password hash in /etc/master.passwd) or the entire contents of another user’s file (if this file and /var/spool/smtpd/ are on the same filesystem).
Tracked as CVE-2020-8793, the bug is generally not exploitable on Linux, “because /proc/sys/fs/protected_hardlinks is 1 by default on most distributions,” Qualys says. However, the flaw is exploitable on Fedora 31, and yields full root privileges.