Overview
Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
Description
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain part is empty, smtp_mailaddr() fills in a default domain name instead of failing on the invalid local part, so the invalid local part passes through the function without ever being validated.
Impact
An attacker could send a malformed SMTP message that bypasses the smtp_mailaddr() validation and leads to execution of arbitrary code. This could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
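The Description and Impact sections above come down to an ordering mistake in a validation routine: the "repair the empty domain" path returns success before the local part has been judged. The following C program is an added example written for this note, not OpenSMTPD's source; it models the two check orderings side by side with this example's own names (split_addr, local_part_ok, domain_part_ok, check_vulnerable, check_fixed, accepts_vulnerable, accepts_fixed, DEFAULT_DOMAIN) and deliberately simplified syntax rules, and leaves out the empty-MAIL-FROM bounce case. The sample addresses are constructed; "bad user" contains a space, which no local-part rule accepts.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the check described in the note; not OpenSMTPD code.
 * All names below are this example's own. */

#define PART_MAX 256
#define DEFAULT_DOMAIN "mail.example"   /* stands in for the server's configured domain */

struct mailaddr {
    char user[PART_MAX];
    char domain[PART_MAX];
};

/* Model local-part rule: non-empty, letters/digits or RFC 5321 atext symbols and '.'. */
static bool local_part_ok(const char *user)
{
    static const char atext_extra[] = "!#$%&'*+-/=?^_`{|}~.";
    if (*user == '\0')
        return false;
    for (; *user != '\0'; user++) {
        unsigned char c = (unsigned char)*user;
        if (!isalnum(c) && strchr(atext_extra, c) == NULL)
            return false;
    }
    return true;
}

/* Model domain rule: non-empty, letters, digits, '.' and '-' only. */
static bool domain_part_ok(const char *domain)
{
    if (*domain == '\0')
        return false;
    for (; *domain != '\0'; domain++) {
        unsigned char c = (unsigned char)*domain;
        if (!isalnum(c) && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Split "user@domain"; an address without '@' gets an empty domain. */
static bool split_addr(const char *line, struct mailaddr *m)
{
    const char *at = strchr(line, '@');
    size_t ulen = at ? (size_t)(at - line) : strlen(line);
    const char *dom = at ? at + 1 : "";

    if (ulen >= PART_MAX || strlen(dom) >= PART_MAX)
        return false;
    memcpy(m->user, line, ulen);
    m->user[ulen] = '\0';
    strcpy(m->domain, dom);
    return true;
}

/* Vulnerable ordering: after the combined check fails, an empty domain is
 * "repaired" and the address accepted without the local part being judged. */
static bool check_vulnerable(const char *line, struct mailaddr *m)
{
    if (!split_addr(line, m))
        return false;
    if (local_part_ok(m->user) && domain_part_ok(m->domain))
        return true;
    if (m->user[0] == '\0')
        return false;                        /* no local part at all: reject */
    if (m->domain[0] == '\0') {
        snprintf(m->domain, PART_MAX, "%s", DEFAULT_DOMAIN);
        return true;                         /* accepted; local part never re-checked */
    }
    return false;
}

/* Fixed ordering: the domain may still be filled in, but the local part must
 * pass on its own before the address is accepted. */
static bool check_fixed(const char *line, struct mailaddr *m)
{
    if (!split_addr(line, m))
        return false;
    if (local_part_ok(m->user) && domain_part_ok(m->domain))
        return true;
    if (m->user[0] == '\0')
        return false;
    if (m->domain[0] == '\0') {
        snprintf(m->domain, PART_MAX, "%s", DEFAULT_DOMAIN);
        return local_part_ok(m->user);       /* repair the domain, then judge the local part */
    }
    return false;
}

bool accepts_vulnerable(const char *line) { struct mailaddr m; return check_vulnerable(line, &m); }
bool accepts_fixed(const char *line)      { struct mailaddr m; return check_fixed(line, &m); }

int main(void)
{
    /* Constructed samples; only the vulnerable ordering accepts "bad user". */
    const char *samples[] = { "alice@example.org", "alice", "bad user", "bad user@example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s vulnerable=%d fixed=%d\n", samples[i],
               accepts_vulnerable(samples[i]), accepts_fixed(samples[i]));
    return 0;
}
```

The point the program makes is that "alice" (valid local part, empty domain) is accepted by both orderings, which is the intended repair behaviour, while "bad user" (invalid local part, empty domain) is accepted only by the vulnerable ordering. Any address with an explicit domain is checked the same way by both, so the gap exists only for domain-less addresses, exactly the case the Description above identifies.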
Solution
Apply an update. OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.
Vendor Information
Alpine Linux Affected
Notified: January 31, 2020 Updated: January 31, 2020
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
OpenSMTPD version 6.6.2p1-r0 has been implemented in the latest version of Alpine Linux.
Debian GNU/Linux Affected
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: January 31, 2020
Status
Affected
Vendor Statement
This affected Debian and has been addressed: https://www.debian.org/security/2020/dsa-4611
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD Affected
Updated: January 31, 2020
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.
Ubuntu Affected
Updated: February 07, 2020
Status
Affected
Vendor Statement
CVE-2020-7247 has been patched in the following Ubuntu releases:
18.04 Bionic Beaver: OpenSMTPD 6.0.3p1-1ubuntu0.1
19.10 Eoan Ermine: OpenSMTPD 6.0.3p6-1ubuntu0.1
Please see USN-4268-1 (https://usn.ubuntu.com/4268-1/) for more details.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Apple Not Affected
Notified: January 31, 2020 Updated: March 09, 2020
Statement Date: March 06, 2020
Status
Not Affected
Vendor Statement
Our products are not impacted by this issue.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Arista Networks, Inc. Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Status
Not Affected
Vendor Statement
No products Arista Networks sells are affected by VU#390745 aka CVE-2020-7247. This is due to that library not being used nor included in any of the products.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CoreOS Not Affected
Notified: January 31, 2020 Updated: February 04, 2020
Statement Date: February 03, 2020
Status
Not Affected
Vendor Statement
Container Linux does not ship OpenSMTPD and so is not vulnerable.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc. Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Status
Not Affected
Vendor Statement
F5 Networks products are not affected as OpenSMTPD is not included. For products that are installed on a host OS (virtual edition, etc.) the presence of OpenSMTPD will depend on the host OS and not the F5 product. Customers are advised to check with the host OS vendor to determine if their platform is affected.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD Project Not Affected
Notified: January 31, 2020 Updated: February 04, 2020
Status
Not Affected
Vendor Statement
FreeBSD has never shipped with OpenSMTPD installed by default.
We do provide OpenSMTPD as part of our third-party package collection and users can also build the package from our ports tree. The port was updated on Wednesday 29th January at 02:55 UTC and the fix was merged to the 2020Q1 quarterly branch on Friday 31st January at 09:37 UTC.
Pre-built packages of the updated port have been available on our mirrors since Thursday 30th January 2020 at 14:16 UTC (head) and Sunday 2nd February 2020 at 01:10 UTC (quarterly).
Vendor Information
OpenSMTPD version 6.6.2p1-r0 has been implemented in the latest version of FreeBSD.
Illumos Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Status
Not Affected
Vendor Statement
None of the most popular illumos distributions (OpenIndiana, SmartOS, OmniOSce) ship with OpenSMTPD. A cursory survey of others indicates no OpenSMTPD either.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Status
Not Affected
Vendor Statement
NetBSD is not vulnerable - we do not ship/have never shipped OpenSMTPD.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX Software Systems Inc. Not Affected
Notified: January 31, 2020 Updated: February 05, 2020
Status
Not Affected
Vendor Statement
QNX is not vulnerable - OpenSMTPD has not shipped as part of our product.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: February 01, 2020
Status
Not Affected
Vendor Statement
Neither SUSE nor openSUSE includes opensmtpd, so SUSE is not affected by this problem.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Synology Not Affected
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: February 03, 2020
Status
Not Affected
Vendor Statement
Synology does not employ OpenSMTPD for our products, including MailPlus [1] and Mail Station [2].
[1] https://www.synology.com/dsm/feature/mailplus
[2] https://www.synology.com/dsm/packages/MailStation
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Amazon Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Arch Linux Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Aspera Inc. Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Dell EMC Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DesktopBSD Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Geexbox Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Google Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
HP Inc. Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
HardenedBSD Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett Packard Enterprise Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Joyent Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Lenovo Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Micro Focus Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NAS4Free Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nexenta Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Oracle Corporation Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: January 31, 2020 Updated: February 03, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Tizen Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
TrueOS Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
m0n0wall Unknown
Notified: January 31, 2020 Updated: January 31, 2020
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 10 | E:ND/RL:ND/RC:ND
Environmental | 10.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
References
- https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
- https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.2p1
- https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
- https://www.debian.org/security/2020/dsa-4611
- https://blog.qualys.com/laws-of-vulnerabilities/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247
- https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
- https://tools.ietf.org/html/rfc821
- https://www.opensmtpd.org/
- https://www.openbsd.org/
Acknowledgements
Thanks to Qualys Research Labs for reporting this vulnerability.
This document was written by Madison Oliver.
Other Information
Field | Value
---|---
CVE IDs | CVE-2020-7247
Date Public | 2020-01-28
Date First Published | 2020-01-31
Date Last Updated | 2020-03-09 14:40 UTC
Document Revision | 51