A vulnerability inside a core email-related library used by many BSD and Linux distributions has been discovered by security researchers.
The vulnerability, CVE-2020-7247, affects OpenSMTPD, OpenBSD’s mail server. It allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. It impacts the “uncommented” default configuration. CVE-2020-7247 has been exploitable since May 2018.
OpenSMTPD, which is part of the OpenBSD Project, allows ordinary machines to exchange email with other systems speaking the SMTP protocol. The vulnerability comprises local privilege escalation and remote code execution flaws: attackers can run code remotely on a server that uses OpenSMTPD.
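The attack vector named above is a sender address carrying shell metacharacters. As an added defensive example (not code from Qualys, OpenSMTPD or the original article), the following scanner reads the client commands of an SMTP session, pulls the reverse-path out of each MAIL FROM, and flags local-parts containing shell metacharacters; the metacharacter list, the regex and the sample session are constructed assumptions for this illustration.

```python
import re
from typing import List, Tuple

# Characters a POSIX shell interprets specially (constructed list for this example).
SHELL_META = set(";|&$`\\\"'<>(){}\n\r")

# Matches an SMTP MAIL FROM command and captures the reverse-path between <>.
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def split_reverse_path(path: str) -> Tuple[str, str]:
    """Split 'local@domain' on the last '@'; the null sender <> yields ('', '')."""
    if "@" not in path:
        return path, ""
    local, _, domain = path.rpartition("@")
    return local, domain


def suspicious_metachars(local_part: str) -> str:
    """Return the distinct shell metacharacters in a local-part, in order of appearance."""
    seen: List[str] = []
    for ch in local_part:
        if ch in SHELL_META and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def scan_smtp_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Flag MAIL FROM commands whose local-part carries shell metacharacters.
    Returns (1-based line number, reverse-path, metacharacters found)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = MAIL_FROM_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        local, _domain = split_reverse_path(path)
        meta = suspicious_metachars(local)
        if meta:
            hits.append((n, path, meta))
    return hits


# Constructed client side of an SMTP session (not a real capture).
SAMPLE_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "RSET",
    "MAIL FROM:<>",
    "MAIL FROM:<a;b|c@example.net>",
    "RCPT TO:<bob@example.org>",
]

if __name__ == "__main__":
    for n, path, meta in scan_smtp_session(SAMPLE_SESSION):
        print(f"line {n}: MAIL FROM <{path}> contains shell metacharacters {meta!r}")
```

Note that RFC 5321 permits several of these characters in a local-part, so a hit is a triage signal for a mail server's logs rather than proof of an attack.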
A patch has been released
OpenSMTPD developers have confirmed the vulnerability and released a patch, described as a critical security bugfix release. Qualys, who found the vulnerability, advised users to apply the fix to address the possible privilege escalation. According to the announcement, Qualys developed a simple proof of concept and successfully tested it against OpenBSD 6.6 and Debian testing (Bullseye); other versions and distributions may be exploitable.
Technical details and proof of concept can be read on the Qualys CVE-2020-7247 security advisory.