A critical vulnerability has been discovered in OpenSMTPD, the OpenBSD mail server. Exploiting the flaw could allow remote code execution. The severity of the vulnerability makes it a threat to OpenBSD and Linux systems running OpenSMTPD.
Researchers from Qualys have discovered a serious vulnerability in the OpenSMTPD mail server. As detailed in their advisory, the vulnerability, CVE-2020-8794, could allow a remote attacker to execute code on the target system.
Describing the vulnerability, the advisory reads,
In brief, the flaw lies in the client-side code responsible for delivering emails. Because of where it sits, the bug can be exploited in two different scenarios: on the client side, in the default configuration; or on the server side, where the attacker sends an email that causes a bounce. When the server then connects back out to deliver that bounce, the client-side code path is reached, and the attacker can exploit the client-side vulnerability.