{"vuid":"VU#390745","idnumber":"390745","name":"OpenSMTPD vulnerable to local privilege escalation and remote code execution","keywords":["OpenBSD","RCE","LPE","smtp"],"overview":"Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD version 6.6 does not properly sanitize user input, which could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.","clean_desc":"OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. If the local part of an address is invalid and the domain name is empty, smtp_mailaddr() will automatically add a domain name as opposed to failing because of the invalid local address. This will allow the invalid local address to pass through the function without validation.","impact":"An attacker could send a malformed SMTP message that will bypass the smtp_mailaddr() validation and execute arbitrary code. 
This could allow a local attacker to escalate their privileges, and allow either a local or remote attacker to execute arbitrary code as root.","resolution":"Apply an update. OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.","workarounds":"","sysaffected":"","thanks":"Thanks to Qualys Research Labs for reporting this vulnerability.","author":"This document was written by Madison Oliver.","public":["https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt","https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.2p1","https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45","https://www.debian.org/security/2020/dsa-4611","https://blog.qualys.com/laws-of-vulnerabilities/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247","https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/","https://tools.ietf.org/html/rfc821","https://www.opensmtpd.org/","https://www.openbsd.org/"],"cveids":["CVE-2020-7247"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2020-01-31T20:02:45Z","publicdate":"2020-01-28T00:00:00Z","datefirstpublished":"2020-01-31T21:32:46Z","dateupdated":"2020-03-09T14:40:16Z","revision":51,"vrda_d1_directreport":"0","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"10","cvss_environmentalscore":"9.99449472","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}