Qualys security researchers have discovered two vulnerabilities in OpenBSD’s mail server OpenSMTPD. OpenBSD has provided patches for both vulnerabilities.
The first vulnerability is a local information disclosure flaw in OpenSMTPD (CVE-2020-8793). The second is an out-of-bounds read flaw in OpenSMTPD (CVE-2020-8794) that could result in remote code execution.
“An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group,” OpenBSD stated in a recent advisory on February 24.
OpenSMTPD is an implementation of the server side of the SMTP protocol as defined by RFC 5321 and is part of the OpenBSD project.
Qualys described the information disclosure bug CVE-2020-8793 as “minor” and published a summary in its advisory:
“An unprivileged local attacker can read the first line of an arbitrary file (for example, root’s password hash in /etc/master.passwd) or the entire contents of another user’s file (if this file and /var/spool/smtpd/ are on the same filesystem).”
Qualys also developed a proof of concept and successfully tested it against OpenBSD 6.6. The company added that it can also be exploited on Fedora 31 and “yields full root privileges.”
The second vulnerability, the out-of-bounds read CVE-2020-8794, dates back to 2015, as noted in Qualys's summary:
“We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response …”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018.”
Qualys also added details on two attack scenarios that could exploit this vulnerability: server-side and client-side.
The OpenSMTPD 6.6.4 security advisories include patches for both vulnerabilities.