• Status Closed
  • Percent Complete
  • Task Type Security Issue
  • Category Any
  • Assigned To
    Jesús E.
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version Milky Way v0.3
  • Due in Version Milky Way v0.4
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Packages
Opened by bugmen0t - 25/02/2020
Last edited by Jesús E. - 26/10/2021

FS#1508 - [opensmtpd] CVE-2020-8794


Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)




We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This
vulnerability, an out-of-bounds read introduced in December 2015 (commit
80c6a60c, “when peer outputs a multi-line response ...”), is exploitable
remotely and leads to the execution of arbitrary shell commands: either
as root, after May 2018 (commit a8e22235, “switch smtpd to new
grammar”); or as any non-root user, before May 2018.

Because this vulnerability resides in OpenSMTPD’s client-side code
(which delivers mail to remote SMTP servers), we must consider two
different scenarios:

- Client-side exploitation: This vulnerability is remotely exploitable

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

- Server-side exploitation: First, the attacker must connect to the

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

We developed a simple exploit for this vulnerability and successfully
tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the
first vulnerable release), Debian 10 (stable), Debian 11 (testing), and
Fedora 31.

The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”

Closed by  Jesús E.
26.10.2021 20:07
Reason for closing:  Fixed
Additional comments about closing: es/extra.git/commit/opensmtpd?id=a1cd108 d6b8fbd37d345ddbb751ff2358ccf5303

Date User Effort (H:M)


Available keyboard shortcuts


Task Details

Task Editing