Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty, smtp_mailaddr() will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.
An attacker could send a malformed SMTP message that will bypass the smtp_mailaddr() validation and execute arbitrary code. This could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.
Apply an update
OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.
Thanks to Qualys Research Labs for reporting this vulnerability.
This document was written by Madison Oliver.
|Date First Published:||2020-01-31|
|Date Last Updated:||2020-03-09 14:40 UTC|