Researchers find remote code execution bug in OpenSMTPD implementation
Security researchers have discovered a vulnerability in the OpenSMTPD mail server that makes it possible to remotely execute commands as root on the underlying operating system. OpenSMTPD ships with many Linux distributions.
The vulnerability was discovered by researchers from security firm Qualys. It is tracked as CVE-2020-8794 and rated “severe”. The flaw is present in the default configuration of OpenSMTPD, which is included in many server-oriented Unix systems such as FreeBSD and Fedora. It can be triggered by sending an email that generates a bounce; a flaw in how the mta_io() function then parses the remote server’s response can be exploited to run code remotely on the server.
There are two ways to exploit the vulnerability. It can be exploited remotely on the client side, because OpenSMTPD delivers mail from local users to remote servers: an attacker who controls such a remote server can therefore execute shell commands on the sending system. A server-side attack is also possible, by crashing OpenSMTPD and waiting for it to be restarted.
On OpenBSD versions from after May 2018, the shell commands run with root privileges; on older versions they run as a non-root user. A patch for the vulnerability is now available. The researchers say they have written a proof-of-concept exploit but will not release it until Wednesday, to give system administrators a chance to update their systems.