====================================================================
CERT-Renater Information Note No. 2020/VULN063
_____________________________________________________________________

DATE                 : 04/02/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running OpenSMTPD versions prior to 6.6.2p1.
=====================================================================

https://marc.info/?l=openbsd-announce&m=158025067728747&w=2
https://kb.cert.org/vuls/id/390745/
_____________________________________________________________________

Errata patches for OpenSMTPD have been released for OpenBSD 6.5 and 6.6.

An incorrect check allows an attacker to trick mbox delivery into
executing arbitrary commands as root and lmtp delivery into executing
arbitrary commands as an unprivileged user.

Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata65.html
https://www.openbsd.org/errata66.html

After patching, restart the smtpd service.
_____________________________________________________________________

OpenSMTPD vulnerable to local privilege escalation and remote code execution

Vulnerability Note VU#390745
Original Release Date: 2020-01-31 | Last Revised: 2020-02-04

Overview

Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD
version 6.6 does not properly sanitize user input, which could allow a
local attacker to escalate their privileges, and allow either a local or
remote attacker to execute arbitrary code as root.

Description

OpenSMTPD is an open-source server-side implementation of the Simple Mail
Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's
smtp_mailaddr() function is responsible for validating sender and
recipient mail addresses.
If the local part of an address is invalid and the domain name is empty,
smtp_mailaddr() fills in a default domain name instead of failing because
of the invalid local part. The invalid local part therefore passes through
the function without being validated.

Impact

An attacker could send a malformed SMTP message whose address bypasses the
smtp_mailaddr() validation and leads to arbitrary code execution. This
could allow a local attacker to escalate their privileges, and allow
either a local or remote attacker to execute arbitrary code as root.

Solution

Apply an update

OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this
vulnerability.

Vendor Information

Vendor has issued information

Alpine Linux
  Notified: January 31, 2020   Updated: January 31, 2020
  Status: Affected
  Vendor Statement: No statement is currently available from the vendor
  regarding this vulnerability.
  Vendor Information: OpenSMTPD version 6.6.2p1-r0 has been implemented in
  the latest version of Alpine Linux.
  Vendor References:
  https://pkgs.alpinelinux.org/package/edge/main/x86/opensmtpd
  https://git.alpinelinux.org/aports/commit/?id=1fb1ca20db29801322c38673b84cdbc38ce09647

Debian GNU/Linux
  Notified: January 31, 2020   Updated: February 03, 2020
  Statement Date: January 31, 2020
  Status: Affected
  Vendor Statement: This affected Debian and has been addressed:
  https://www.debian.org/security/2020/dsa-4611
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.
  Vendor References:
  https://www.debian.org/security/2020/dsa-4611

FreeBSD Project
  Notified: January 31, 2020   Updated: January 31, 2020
  Status: Affected
  Vendor Statement: No statement is currently available from the vendor
  regarding this vulnerability.
  Vendor Information: OpenSMTPD version 6.6.2p1-r0 has been implemented in
  the latest version of FreeBSD.
  Vendor References:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243686

OpenBSD
  Updated: January 31, 2020
  Status: Affected
  Vendor Statement: No statement is currently available from the vendor
  regarding this vulnerability.
  Vendor Information: OpenBSD has released a patch in OpenSMTPD version
  6.6.2p1 to address this vulnerability.
  Vendor References:
  https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.2p1
  https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
  https://www.openbsd.org/security.html

Ubuntu
  Updated: January 31, 2020
  Status: Affected
  Vendor Statement: No statement is currently available from the vendor
  regarding this vulnerability.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.

Arista Networks, Inc.
  Notified: January 31, 2020   Updated: February 03, 2020
  Status: Not Affected
  Vendor Statement: No products Arista Networks sells are affected by
  VU#390745 aka CVE-2020-7247. This is due to that library not being used
  nor included in any of the products.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.

CoreOS
  Notified: January 31, 2020   Updated: February 04, 2020
  Statement Date: February 03, 2020
  Status: Not Affected
  Vendor Statement: Container Linux does not ship OpenSMTPD and so is not
  vulnerable.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.

F5 Networks, Inc.
  Notified: January 31, 2020   Updated: February 03, 2020
  Status: Not Affected
  Vendor Statement: F5 Networks products are not affected as OpenSMTPD is
  not included. For products that are installed on a host OS (virtual
  edition, etc.) the presence of OpenSMTPD will depend on the host OS and
  not the F5 product. Customers are advised to check with the host OS
  vendor to determine if their platform is affected.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.
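To make the flawed check in the Description section concrete, the C program below is an added illustration written for this note; it is not OpenSMTPD's source and does not model the later mbox/lmtp command construction. It re-implements the acceptance logic as the note describes it (valid local part and domain accepted; empty return-path accepted in MAIL FROM; empty domain treated as a local user and filled in) and contrasts the pre-6.6.2p1 fall-through with a corrected condition that only fills in the domain when the local part is valid. The atext character set in valid_localpart(), the simplified valid_domainpart(), the fallback domain "localhost" and the sample addresses are constructed assumptions, not taken from the advisory.

```c
/* Added model of the smtp_mailaddr() check; NOT OpenSMTPD's source.
 * Assumed: atext set, fallback domain "localhost", sample addresses. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct mailaddr {
	char user[64];
	char domain[256];
};

/* Local part: dot-separated atoms of RFC 5321 atext, no empty atoms. */
static int valid_localpart(const char *s)
{
	const char *atext_symbols = "!#$%&'*/?^`{|}~+-=_";
	int after_dot = 1;	/* start counts as "after a dot": leading dot invalid */

	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++) {
		if (*s == '.') {
			if (after_dot)
				return 0;	/* leading or doubled dot */
			after_dot = 1;
			continue;
		}
		if (!isalnum((unsigned char)*s) && strchr(atext_symbols, *s) == NULL)
			return 0;	/* e.g. ';', ' ', '|' are not atext */
		after_dot = 0;
	}
	return !after_dot;	/* trailing dot invalid */
}

/* Domain part: letters, digits, '-' and '.', non-empty (simplified). */
static int valid_domainpart(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
			return 0;
	return 1;
}

/* Split "<local@domain>" into user/domain; 0 on bad brackets or overflow. */
static int parse_path(struct mailaddr *maddr, const char *line)
{
	const char *start, *end, *at;
	size_t ulen, dlen;

	memset(maddr, 0, sizeof(*maddr));
	if (line == NULL || *line != '<' || (end = strchr(line, '>')) == NULL)
		return 0;
	start = line + 1;
	at = memchr(start, '@', (size_t)(end - start));
	ulen = (at != NULL) ? (size_t)(at - start) : (size_t)(end - start);
	dlen = (at != NULL) ? (size_t)(end - at - 1) : 0;
	if (ulen >= sizeof(maddr->user) || dlen >= sizeof(maddr->domain))
		return 0;
	memcpy(maddr->user, start, ulen);
	if (at != NULL)
		memcpy(maddr->domain, at + 1, dlen);
	return 1;
}

/* mailfrom=1 for MAIL FROM, 0 for RCPT TO. fixed=0 reproduces the
 * pre-6.6.2p1 fall-through; fixed=1 requires a valid local part before
 * the empty domain is filled in. Returns 1 = accepted, 0 = rejected. */
static int smtp_mailaddr_model(struct mailaddr *maddr, const char *line,
    int mailfrom, const char *fallback_domain, int fixed)
{
	if (!parse_path(maddr, line))
		return 0;
	if (valid_localpart(maddr->user) && valid_domainpart(maddr->domain))
		return 1;
	if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
		return 1;	/* empty return-path "<>" is legal in MAIL FROM */
	if (maddr->user[0] == '\0')
		return 0;	/* no user part at all */
	/* Empty domain: treat as a local user. Pre-fix this branch ran even
	 * though the local part had just failed validation. */
	if (maddr->domain[0] == '\0' && (!fixed || valid_localpart(maddr->user))) {
		snprintf(maddr->domain, sizeof(maddr->domain), "%s", fallback_domain);
		return 1;
	}
	return 0;
}

int accepted_vulnerable(const char *line, int mailfrom)
{
	struct mailaddr m;
	return smtp_mailaddr_model(&m, line, mailfrom, "localhost", 0);
}

int accepted_fixed(const char *line, int mailfrom)
{
	struct mailaddr m;
	return smtp_mailaddr_model(&m, line, mailfrom, "localhost", 1);
}

int main(void)
{
	/* Constructed samples; ';' is a shell metacharacter, not atext. */
	const char *samples[] = { "<alice@example.org>", "<alice>", "<>",
	    "<;id;>", "<;id;@example.org>" };
	size_t i;

	printf("%-22s %-9s %-9s\n", "MAIL FROM path", "6.6", "6.6.2p1");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-22s %-9s %-9s\n", samples[i],
		    accepted_vulnerable(samples[i], 1) ? "accepted" : "rejected",
		    accepted_fixed(samples[i], 1) ? "accepted" : "rejected");
	return 0;
}
```

The table printed by main() shows the single row that matters: "<;id;>" (invalid local part, empty domain) is accepted by the pre-fix logic because the empty-domain branch fires before the failed local-part check has any effect, and is rejected once the branch also demands a valid local part. The same local part with a non-empty domain is rejected by both versions, which is why the bypass hinges on the domain being empty.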
Illumos
  Notified: January 31, 2020   Updated: February 03, 2020
  Status: Not Affected
  Vendor Statement: None of the most popular illumos distributions
  (OpenIndiana, SmartOS, OmniOSce) ship with OpenSMTPD. A cursory survey
  of others indicates no OpenSMTPD either.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.

NetBSD
  Notified: January 31, 2020   Updated: February 03, 2020
  Status: Not Affected
  Vendor Statement: NetBSD is not vulnerable - we do not ship/have never
  shipped OpenSMTPD.
  Vendor Information: We are not aware of further vendor information
  regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       10     E:ND/RL:ND/RC:ND
Environmental  10.0   CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.2p1
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
https://www.debian.org/security/2020/dsa-4611
https://blog.qualys.com/laws-of-vulnerabilities/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247
https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
https://tools.ietf.org/html/rfc821
https://www.opensmtpd.org/
https://www.openbsd.org/

Acknowledgements

Thanks to Qualys Research Labs for reporting this vulnerability.

This document was written by Madison Oliver.

Other Information

CVE IDs:              CVE-2020-7247
Date Public:          2020-01-28
Date First Published: 2020-01-31
Date Last Updated:    2020-02-04 13:38 UTC
Document Revision:    44

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41              +
+ 75013 Paris        | email: cert@support.renater.fr    +
=========================================================