CVE-2020-7247: OpenSMTPD Library Remote Command Execution Vulnerability Alert

Recently, OpenSMTPD 6.6.2p1 was released to address a security vulnerability, assigned CVE-2020-7247. The flaw stems from OpenSMTPD’s inadequate validation of sender and recipient addresses in its implementation of RFC 5321.

OpenSMTPD is an SMTP server for Unix-like operating systems (BSD, macOS, GNU/Linux) that implements the SMTP protocol as specified in RFC 5321.

OpenSMTPD was originally developed for the OpenBSD operating system; because it is open source, it has since been ported to other Unix platforms.

OpenSMTPD is part of the OpenBSD project and is released under the ISC license, so the software is free for anyone to use and reuse.

We assess the vulnerability as medium risk with limited impact. The researchers who reported the flaw noted:

“Nevertheless, our ability to execute arbitrary shell commands through the local part of the sender address is rather limited:

  • although OpenSMTPD is less restrictive than RFC 5321, the maximum length of a local part should be 64 characters;
  • the characters in MAILADDR_ESCAPE (for example, ‘$’ and ‘|’) are transformed into ‘:’ characters.

To overcome these limitations, we drew inspiration from the Morris worm (https://spaf.cerias.purdue.edu/tech-reps/823.pdf), which exploited the DEBUG vulnerability in Sendmail by executing the body of a mail as a shell script.”
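The root cause described above is address validation that falls short of RFC 5321. The following is an added example, not OpenSMTPD's own code, of the strict check a mail server should apply to a sender or recipient local part before it is used anywhere: the local part must be a Dot-string or a Quoted-string as defined in RFC 5321 section 4.1.2 and at most 64 octets long (section 4.5.3.1.1). The domain check is a deliberately simplified hostname grammar (no address literals); the sample addresses are constructed for illustration.

```python
import re

MAX_LOCAL_PART = 64  # RFC 5321 section 4.5.3.1.1: local part limit in octets

# atext per RFC 5321 section 4.1.2: letters, digits and these specials.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")

# Simplified Domain grammar: dot-separated labels of letters, digits and
# inner hyphens. Address literals such as [192.0.2.1] are not handled here.
_DOMAIN_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")


def _is_dot_string(s: str) -> bool:
    """Dot-string = Atom *("." Atom); Atom = 1*atext."""
    if not s:
        return False
    return all(atom and all(ch in ATEXT for ch in atom)
               for atom in s.split("."))


def _is_quoted_string(s: str) -> bool:
    """Quoted-string = DQUOTE *QcontentSMTP DQUOTE.

    qtextSMTP is printable ASCII except '"' and '\\'; a backslash must be
    followed by exactly one printable ASCII character (quoted-pairSMTP).
    """
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return False
    body = s[1:-1]
    i = 0
    while i < len(body):
        c = ord(body[i])
        if c == 92:  # backslash starts a quoted pair
            if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                return False
            i += 2
        elif c in (32, 33) or 35 <= c <= 91 or 93 <= c <= 126:
            i += 1
        else:
            return False
    return True


def valid_local_part(local: str) -> bool:
    """True only for a syntactically valid RFC 5321 local part <= 64 octets."""
    if not local.isascii() or len(local) > MAX_LOCAL_PART:
        return False
    return _is_dot_string(local) or _is_quoted_string(local)


def valid_mailbox(addr: str) -> bool:
    """Mailbox = Local-part "@" Domain, with the local part split on the
    last '@' so that a quoted local part may itself contain '@'."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return False
    return valid_local_part(local) and _DOMAIN_RE.fullmatch(domain) is not None


# Constructed sample inputs: each pair is (address, expected verdict).
SAMPLES = [
    ("alice@example.com", True),
    ("bob.smith+tag@example.com", True),       # '+' is atext
    ('"bob smith"@example.com', True),         # space allowed inside quotes
    ("bad;cmd@example.com", False),            # ';' is not atext
    ("a" * 65 + "@example.com", False),        # 65 octets exceeds the limit
    ("@example.com", False),                   # empty local part
    ("alice@", False),                         # empty domain
    ('"unterminated@example.com', False),      # unbalanced quote
]


def audit(samples=SAMPLES):
    """Return the addresses whose verdict differs from the expected one."""
    return [addr for addr, expected in samples if valid_mailbox(addr) != expected]


if __name__ == "__main__":
    for addr, _ in SAMPLES:
        print(f"{addr!r:40} -> {'accept' if valid_mailbox(addr) else 'reject'}")
    print("mismatches:", audit())
```

Note that RFC 5321 atext deliberately includes ‘$’ and ‘|’, so a syntactically valid local part is not automatically safe to hand to a shell; that is why the advisory quoted above separately mentions the MAILADDR_ESCAPE substitution. Syntax validation and escaping for the downstream consumer are two distinct controls.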

However, the flaw is exploitable in the default configuration. To mitigate it, service owners and operations staff should promptly audit their OpenSMTPD deployments and update to 6.6.2p1.
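As a concrete form of that self-inspection, here is an added helper (not part of the advisory or of OpenSMTPD) that reads a version banner, compares it against the fixed release 6.6.2p1 and reports whether the installed build predates the fix. It assumes that `smtpd -h` prints a line of the form `version: OpenSMTPD 6.6.1p1` (this output format is an assumption; the constructed banners in the block are what the logic is checked against).

```python
import re
import subprocess
from typing import Optional, Tuple

# OpenSMTPD 6.6.2p1 ships the fix for CVE-2020-7247; the portable "pN"
# suffix is ignored because the fix is in the 6.6.2 release itself.
FIXED_VERSION: Tuple[int, int, int] = (6, 6, 2)

_VERSION_RE = re.compile(r"OpenSMTPD\s+(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner such as
    'version: OpenSMTPD 6.6.1p1'; a missing patch level counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(text: str) -> Optional[bool]:
    """True if the banner names a release at or after 6.6.2, False if it is
    older, None if no OpenSMTPD version is present in the text."""
    version = parse_version(text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def local_smtpd_banner() -> Optional[str]:
    """Run the installed smtpd with -h and return its combined output.
    Assumption: the usage text contains a 'version: OpenSMTPD x.y.z' line."""
    try:
        proc = subprocess.run(["smtpd", "-h"], capture_output=True,
                              text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr + proc.stdout


# Constructed banners used to exercise the check offline.
SAMPLE_BANNERS = {
    "version: OpenSMTPD 6.6.1p1": False,
    "version: OpenSMTPD 6.6.2p1": True,
    "version: OpenSMTPD 6.7.0": True,
    "version: OpenSMTPD 6.6": False,
    "Sendmail 8.15.2": None,
}


def audit_banners(banners=SAMPLE_BANNERS):
    """Return the banners whose verdict differs from the expected one."""
    return [b for b, expected in banners.items() if is_fixed(b) != expected]


if __name__ == "__main__":
    banner = local_smtpd_banner()
    if banner is None:
        print("smtpd not found or did not run; nothing to check")
    else:
        verdict = is_fixed(banner)
        print("installed OpenSMTPD is",
              "fixed" if verdict else "NOT fixed" if verdict is False else "unknown")
```

A version string is a necessary but not sufficient check: distributions that backport the fix may keep an older version number, so confirm against the package changelog or the vendor advisory where the banner reports a pre-6.6.2 release.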