OpenSMTPD (CVE-2020-7247) – How did it happen? 24th Feb 2020

Preface: OpenSMTPD has been plagued by numerous vulnerabilities, most recently CVE-2020-8794.

Details: Qualys has found another critical vulnerability in OpenSMTPD. In normal circumstances, the client connects to the SMTP server and sends commands such as EHLO, MAIL FROM and RCPT TO, and the server answers each with a single-line or multi-line response. The client-side exploitation of this vulnerability is straightforward: wait until OpenSMTPD connects to the mail server and respond with a multi-line reply (a permanent error) that creates a bounce and injects the following lines into its envelope:

type: mda
mda-exec: our arbitrary shell command
dispatcher: local_mail
mda-user: root

If the “mbox” method is used for local delivery (the default in OpenBSD -current), then arbitrary command execution as root is still possible; otherwise (if the “maildir” method is used, for example), arbitrary command execution as any non-root user is possible.
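As an added defensive example (not from the advisory, Qualys or the OpenSMTPD project), the check below parses envelope-style "key: value" lines and flags an mda envelope whose mda-exec is not one of the expected delivery agents, which is how an injected command like the one above stands out from a legitimate mbox delivery. The allow-listed agent paths and both sample envelopes are constructed assumptions, and real OpenSMTPD envelope files carry more fields than the four shown here.

```python
"""Flag OpenSMTPD-style mda envelopes whose mda-exec is not an expected delivery agent."""
from typing import Dict, List

# Assumed allow-list of legitimate delivery agents (not taken from the advisory);
# adjust it to the programs your smtpd.conf actually dispatches to.
ALLOWED_MDA_PREFIXES = (
    "/usr/libexec/mail.mbox",
    "/usr/libexec/mail.maildir",
    "/usr/libexec/mail.lmtp",
)


def parse_envelope(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines into a dict; blank or malformed lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_mda(env: Dict[str, str]) -> List[str]:
    """Return the reasons an mda envelope looks injected rather than generated by smtpd."""
    reasons: List[str] = []
    if env.get("type") != "mda":
        return reasons  # only mda envelopes carry a command to execute
    cmd = env.get("mda-exec", "")
    if not cmd:
        return reasons
    if not cmd.startswith(ALLOWED_MDA_PREFIXES):
        reasons.append(f"mda-exec is not an allow-listed delivery agent: {cmd!r}")
        if env.get("mda-user") == "root":
            # mbox-style delivery runs as root, so an injected command would too
            reasons.append("mda-exec would run as root")
    return reasons


# Constructed samples: a benign mbox delivery and an envelope carrying the injected lines.
BENIGN = "type: mda\nmda-exec: /usr/libexec/mail.mbox -f sender user\ndispatcher: local_mail\nmda-user: root\n"
INJECTED = "type: mda\nmda-exec: our arbitrary shell command\ndispatcher: local_mail\nmda-user: root\n"

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, suspicious_mda(parse_envelope(raw)) or "ok")
```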

Remedy: Official announcement – https://github.com/OpenSMTPD/OpenSMTPD/releases