Two new critical vulnerabilities found in OpenSMTPD… again

Security flaws in software appear constantly, and sometimes new reports arrive barely after the previous flaws have been corrected. Just a few weeks after a critical vulnerability was fixed in OpenSMTPD, the OpenBSD mail server, a new report has emerged describing two additional flaws.

One of them is a lower-severity local information disclosure flaw; the other can be exploited remotely to execute arbitrary commands on the vulnerable host, according to the researchers at the security firm Qualys who reported both.

The first, tracked as CVE-2020-8793, is the lower-severity flaw: an unprivileged local attacker can exploit it to read the first line of an arbitrary file (for example, the line holding root's password hash) or the entire contents of another user's file. The researchers developed a proof of concept and confirmed that it works against the current releases of OpenBSD and Fedora.

The second, CVE-2020-8794, is an out-of-bounds read introduced in December 2015 that can lead to the execution of arbitrary shell commands, either as root or as a non-root user depending on the OpenSMTPD version. Because the bug sits in OpenSMTPD's client-side code (the code that connects to remote mail servers to deliver mail, not the code that accepts incoming connections), it can be triggered in two different attack scenarios:

  • Client-side exploitation: the flaw can be exploited remotely even in OpenSMTPD's default configuration, because what is attacked is the vulnerable installation's own outbound connection to a remote mail server under the attacker's control, which can then run arbitrary shell commands on the vulnerable installation
  • Server-side exploitation: an attacker who can connect to the OpenSMTPD server can exploit the vulnerability to execute shell commands, crash the service, and wait for it to be restarted, whether manually by the administrator or automatically
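The page does not show the affected code, and the following is not OpenSMTPD's source: it is an added example written for this page to illustrate the bug class described above, an SMTP client parsing reply lines from a server the attacker controls, where the server decides both the length and the content of every line. The function names, the length checks and the sample replies are constructed for the illustration; the point is that any index into a reply line (here `line[3]`, the ' ' or '-' separator that distinguishes the last line of a multi-line reply) must be guarded by the line's actual length, or a three-byte line such as "250" is read out of bounds.

```c
/*
 * Added illustration of the bug class only (not OpenSMTPD's code): an SMTP
 * client parsing replies from an untrusted server. Every byte of each line,
 * and its length, is attacker-controlled.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Parse one SMTP reply line ("250-continued" or "250 final").
 * Returns 1 and fills *code and *last on success, 0 if the line is malformed.
 * A parser that inspected line[3] without first checking len >= 4 would read
 * past the end of a short line such as "250": that is the out-of-bounds read.
 */
int parse_reply_line(const char *line, size_t len, int *code, int *last)
{
    /* Strip a trailing CR before inspecting the line. */
    if (len > 0 && line[len - 1] == '\r')
        len--;
    /* Minimum well-formed reply line: three digits plus the separator. */
    if (len < 4)
        return 0;
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]))
        return 0;
    if (line[3] != ' ' && line[3] != '-')
        return 0;
    *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    *last = (line[3] == ' ');
    return 1;
}

/*
 * Consume one complete (possibly multi-line) reply from a buffer of
 * newline-terminated lines. Returns the status code, or -1 if any line is
 * malformed, if the lines of a multi-line reply carry different codes, or if
 * the input ends before the final line arrives.
 */
int parse_reply(const char *buf, size_t buflen)
{
    size_t pos = 0;
    int reply_code = -1;

    while (pos < buflen) {
        const char *nl = memchr(buf + pos, '\n', buflen - pos);
        size_t len = nl ? (size_t)(nl - (buf + pos)) : buflen - pos;
        int code, last;

        if (!parse_reply_line(buf + pos, len, &code, &last))
            return -1;
        if (reply_code != -1 && code != reply_code)
            return -1;          /* continuation lines must share the code */
        reply_code = code;
        if (last)
            return reply_code;
        pos += len + (nl ? 1 : 0);
    }
    return -1;                  /* input ended before the final line */
}

/* Convenience wrapper for NUL-terminated replies. */
int parse_reply_str(const char *s)
{
    return parse_reply(s, strlen(s));
}

int main(void)
{
    /* Constructed sample replies: one well-formed EHLO response, then
     * hostile inputs a malicious server could send. */
    const char *samples[] = {
        "250-mail.example.org Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n",
        "250\r\n",                 /* three bytes: no separator to read */
        "250-greeting only\r\n",   /* never terminated */
        "2x0 not a code\r\n",
        "421 Service not available\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, parse_reply_str(samples[i]));
    return 0;
}
```

A result of -1 means the client should treat the session as failed and disconnect rather than keep parsing; the hardened behaviour is to reject short or malformed lines before any byte beyond the verified length is touched.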

Both vulnerabilities have already been fixed (OpenSMTPD 6.6.4p1 addresses them), so administrators of exposed deployments are advised to patch as soon as possible. Specialists at the International Institute of Cyber Security (IICS) note that the previously reported remote code execution flaw was exploited in the wild following its public disclosure. This time, to limit that risk, the proof of concept for the remote code execution flaw is being withheld until the risk of active exploitation is considered to have passed.