March 18, 2020
On February 24, local time, researchers from Qualys disclosed a remote code execution vulnerability (CVE-2020-8794) in OpenSMTPD.
OpenSMTPD, part of the OpenBSD project and also known as OpenBSD's mail server, is a free implementation of the server-side SMTP protocol as defined by RFC 5321.
CVE-2020-8794 is an out-of-bounds read vulnerability. An attacker who triggers it can inject arbitrary commands into the envelope file, and those commands are then executed as root.
According to the researchers, they developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6, OpenBSD 5.9, Debian 10 (stable), Debian 11 (testing), and Fedora 31.