OpenSMTPD, an open-source implementation of the server side of the SMTP protocol, was initially developed as part of the OpenBSD project and is now also shipped as a portable release for several other UNIX-like systems. It has been found to have a critical vulnerability.
The vulnerability, tracked as CVE-2020-7247 and disclosed by Qualys Research Labs, lies in OpenSMTPD's sender-address validation function, smtp_mailaddr(). The function rejects a sender whose local part (the part before the "@") contains invalid characters, except when the domain part is empty: in that case it fills in the daemon's own hostname and accepts the address without re-checking the local part, so shell metacharacters survive into the sender field that is later passed on a shell command line to the local delivery agent. The bug can therefore be exploited to execute arbitrary shell commands as root on a vulnerable server simply by sending a specially crafted SMTP message.
It affects OpenBSD 6.6 in its default configuration, where the daemon listens only on the loopback interface, so any local user can exploit it; it is exploitable remotely when the daemon is configured to listen on external interfaces and accept external mail. Installations of the portable release on other systems are affected in the same way.
Details of the OpenBSD OpenSMTPD Remote Code Execution Vulnerability
The vulnerability resides in the smtp_mailaddr() function of OpenSMTPD, the OpenBSD mail server, affects OpenBSD 6.6, and allows an attacker to execute arbitrary shell commands as root.
Exploitation faces two limitations: the local part of the sender address is limited to 64 characters, and characters such as "$" and "|" are sanitized before the sender reaches the shell. The researchers sidestepped both with a technique borrowed from the Morris worm of 1988, which abused sendmail in the same way: the sender address carries only a short command that reads past the message headers and pipes the rest of the message to a shell, so the real payload, of arbitrary length and free of the character restrictions, lives in the mail body rather than in the constrained local part.
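To make the flawed control flow concrete, here is an added example, written for this article and not OpenSMTPD's own code: a simplified reconstruction of the sender check described above, next to a hardened version that only defaults a missing domain after the local part has passed validation. The character tables, the 64-byte limit enforced at parse time, and the hostname mail.example.test are assumptions chosen for illustration; the real daemon parses addresses in text_to_mailaddr() and has its own allowed-character list.

```c
/*
 * Added example (not OpenSMTPD's code): reconstruction of the CVE-2020-7247
 * sender check beside a hardened version. Tables and limits are assumptions.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOCALPART_MAX 64                     /* assumed: limit mentioned in the text */
#define ADDR_MAX      256
#define LOCAL_DOMAIN  "mail.example.test"    /* constructed: the daemon's hostname */

/* Characters RFC 5322 allows in an unquoted local part besides letters/digits. */
static const char ATEXT_SPECIALS[] = "!#$%&'*+-/=?^_`{|}~";

/* Approximation of dot-atom rules: atoms of atext separated by single dots. */
static bool valid_localpart(const char *s)
{
    bool atom_started = false;
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '.') {
            if (!atom_started)               /* leading dot or ".." */
                return false;
            atom_started = false;
            continue;
        }
        if (!isalnum(c) && strchr(ATEXT_SPECIALS, c) == NULL)
            return false;                    /* ';', ' ', '<', '>' ... end up here */
        atom_started = true;
    }
    return atom_started;                     /* reject a trailing dot */
}

/* Loose domain check: letters, digits, '-' and '.'; empty is invalid. */
static bool valid_domainpart(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
            return false;
    return true;
}

/* Parse "<user@domain>" or "user@domain"; the last '@' splits the parts.
 * The length limit lives here, at parse time, which is why the exploit
 * must move its payload into the message body. */
static bool split_addr(const char *arg, char *user, char *domain, size_t n)
{
    char buf[ADDR_MAX];
    size_t len = strlen(arg);
    char *at;

    if (len == 0 || len >= sizeof(buf))
        return false;
    memcpy(buf, arg, len + 1);
    if (len >= 2 && buf[0] == '<' && buf[len - 1] == '>') {
        buf[len - 1] = '\0';
        memmove(buf, buf + 1, len - 1);      /* copies the new terminator too */
    }
    at = strrchr(buf, '@');
    if (at != NULL) {
        *at = '\0';
        snprintf(domain, n, "%s", at + 1);
    } else {
        domain[0] = '\0';
    }
    snprintf(user, n, "%s", buf);
    return strlen(user) <= LOCALPART_MAX;
}

/* Flawed logic: an invalid local part with an empty domain is treated as a
 * local user and accepted without ever re-validating the local part. */
static bool mailaddr_vulnerable(char *user, char *domain, size_t n, bool mailfrom)
{
    if (valid_localpart(user) && valid_domainpart(domain))
        return true;
    if (mailfrom && user[0] == '\0' && domain[0] == '\0')
        return true;                         /* empty return path, needed for bounces */
    if (user[0] == '\0')
        return false;
    if (domain[0] == '\0') {
        snprintf(domain, n, "%s", LOCAL_DOMAIN);
        return true;                         /* BUG: local part never checked here */
    }
    return false;
}

/* Hardened: a missing domain is only defaulted once the local part is valid. */
static bool mailaddr_fixed(char *user, char *domain, size_t n, bool mailfrom)
{
    if (mailfrom && user[0] == '\0' && domain[0] == '\0')
        return true;
    if (!valid_localpart(user))
        return false;
    if (domain[0] == '\0')
        snprintf(domain, n, "%s", LOCAL_DOMAIN);
    return valid_domainpart(domain);
}

/* 1 if the raw MAIL FROM argument is accepted by the given checker, else 0. */
static int accepted(const char *arg, bool (*check)(char *, char *, size_t, bool))
{
    char user[ADDR_MAX], domain[ADDR_MAX];
    if (!split_addr(arg, user, domain, sizeof(user)))
        return 0;
    return check(user, domain, sizeof(domain), true) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs; the third has the shape the attack relies on. */
    const char *samples[] = {
        "<alice@example.org>", "<alice>", "<;sleep 66;>",
        "<;sleep 66;@example.org>", "<>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s vulnerable=%d fixed=%d\n", samples[i],
               accepted(samples[i], mailaddr_vulnerable),
               accepted(samples[i], mailaddr_fixed));
    return 0;
}
```

Run it and the third sample is the whole story: with a domain present, ";sleep 66;" is rejected by both versions, but with the domain omitted the flawed check accepts it and silently appends the local hostname, handing a shell metacharacter-laden sender to the delivery path.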
Qualys responsibly reported the flaw to the OpenSMTPD developers; for the full technical details of the vulnerability, see the security advisory page.
OpenSMTPD Version 6.6.2p1 Released to Fix the Critical Bug
The OpenSMTPD developers have released OpenSMTPD 6.6.2p1, the portable release, with a patch for the remote code execution vulnerability, and OpenBSD has pushed out the corresponding patch for all OpenBSD users.
Administrators running servers with a vulnerable version of the software are advised to update to OpenSMTPD 6.6.2p1, or to apply the OpenBSD patch, without delay. All OpenBSD vulnerabilities in your environment can also be tracked with the OpenBSD Vulnerabilities Dashboard, which leverages data from a Qualys Vulnerability Management subscription.
All source patches for the OpenBSD base system are distributed as unified diffs; each patch is cryptographically signed with the signify(1) tool and contains its own usage instructions (binary patches for the base system can alternatively be applied with syspatch(8)). Patches for supported releases are also incorporated into the -stable branch, which is maintained for one year after release.