Two new critical vulnerabilities found in OpenSMTPD… again

Security flaws in software appear constantly, and sometimes developers receive new reports barely after correcting the previous ones. According to digital forensics specialists, just a few weeks after a critical vulnerability was fixed in OpenSMTPD, the OpenBSD email server, a new report emerged describing two additional flaws.

The report, by researchers at the security firm Qualys, describes a medium-severity local information disclosure flaw and a second flaw that can be exploited remotely to execute arbitrary commands on the vulnerable device.

The first, tracked as CVE-2020-8793, is a lower-severity flaw whose exploitation would allow an unprivileged local threat actor to read the first line of an arbitrary file or the entire contents of another user's file. Digital forensics researchers also developed a proof-of-concept, which proved functional on the latest versions of OpenBSD and Fedora.

The second, CVE-2020-8794, is an out-of-bounds read vulnerability introduced in December 2015 that can lead to the execution of arbitrary shell commands as root or as any other user, depending on the vulnerable version of OpenSMTPD. Because it resides in OpenSMTPD's client-side code, two different attack scenarios are possible:

  • Client-side exploit: the flaw can be exploited remotely in the default OpenSMTPD configuration to run arbitrary shell commands on the vulnerable installation.
  • Server-side exploit: an attacker connected to the OpenSMTPD server can exploit the vulnerability to execute shell commands, block the service, and wait for it to be restarted by the administrator or to restart automatically.

Both vulnerabilities have already been fixed, so administrators of exposed deployments are advised to patch as soon as possible. Digital forensics specialists at the International Institute of Cyber Security (IICS) note that the previously reported remote code execution flaw was exploited in the wild following its public disclosure. This time, to limit the risk, the proof of concept will be released only once the industry considers that the risk of active exploitation has passed.