A vulnerability in OpenBSD’s OpenSMTPD 6.6 mail server has been discovered, that allows an attacker to execute arbitrary shell commands with elevated privileges. The critical vulnerability (CVE-2020-7247) in the OpenSMTBD email server allows remote attackers to take complete control over BSD and Linux-based servers.
As of this writing, the network search engine Shodan lists thousands of OpenSMTPD systems exposed to the internet.
The vulnerability is initially exploited by injecting commands into the FROM email address. For example, replacing “[email protected]” with the shell command “;sleep 60;” would trigger the mail system to sleep for 60 seconds. While there are some limitations with this vulnerability, it gives attackers enough leverage to trigger a debug mode in OpenSMTPD, which then removes all of those restrictions and allows any system command written in an email to be executed remotely.
OpenBSD developers have confirmed the vulnerability and also quickly provided a patch. While administrators need to apply the patches to remediate the vulnerability, any affected systems need to be audited for evidence of intrusion due to the extreme simplicity of exploitation.
Those with sysadmins running servers that have the vulnerable version of the email software need to apply this patch as soon as possible.