(Way Too) OpenSMTPD: An overview of CVE-2020-7247
OpenSMTPD is an open-source project started and mainly developed by the OpenBSD team. It implements SMTP (Simple Mail Transfer Protocol), giving you the ability to either exchange mail between users on the same host or relay it to another mail server. It is also available in a portable form for various Unix-like systems (including macOS) and is actively maintained.
A remote command injection vulnerability was recently discovered in OpenSMTPD, introduced by a commit made in May 2018. The issue is the lack of proper user input sanitization when processing the MAIL FROM and RCPT TO commands, and it affects all versions before release 6.6.2. Moreover, exploitation does not require any form of authentication and it completely compromises the machine hosting the MTA, since by default the daemon runs with elevated privileges.
To gauge the impact of CVE-2020-7247, Shodan and Censys searches reveal between 2,500 and 3,600 potentially vulnerable devices online, some of them hosted by large web service providers such as DigitalOcean and OVH.
The exploit first checks the SMTP server's banner. If it can identify the server as an OpenSMTPD instance, it proceeds with the messages required to send a mail. The exploit won't succeed unless the full sequence of HELO, MAIL FROM:, RCPT TO:, DATA, and QUIT messages is completed. The malicious payload is inserted in the MAIL FROM: command and is limited to 64 characters by the daemon's implementation, a limitation that the attacker can overcome by placing the extra payload in the body of the mail and referencing it as a parameter in one of the vulnerable types of messages mentioned above. Variants of this attack place the malicious payload in the RCPT TO: command as well.
As a result, a detection device should look for specific characters ('(', ')', '<', '>', ',', ';') in the MAIL FROM or RCPT TO commands. Any message containing this kind of traffic pattern should be considered suspicious.
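The detection rule above, applied to a constructed SMTP session, as an added example that is not code from the original post or from OpenSMTPD. It assumes that only the outermost angle brackets of a well-formed path are legitimate and strips them before checking, and it does not inspect ESMTP parameters that follow the path, since parameters such as ORCPT legitimately contain a semicolon.

```python
import re

# Characters the post flags as suspicious inside MAIL FROM / RCPT TO arguments.
SUSPICIOUS = set("()<>,;")

# Matches the command and its argument, e.g. "MAIL FROM:<alice@example.test> SIZE=100".
_CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO)\s*:\s*(.*)$", re.IGNORECASE)


def _path_without_brackets(arg: str) -> str:
    """Return the path part of the argument with its outer <...> removed.

    Assumption: the outermost pair of angle brackets is the normal path
    delimiter and is not itself an indicator; any ESMTP parameters after
    the first space are ignored."""
    path = arg.strip().split(" ", 1)[0]
    if path.startswith("<") and path.endswith(">"):
        return path[1:-1]
    return path


def suspicious_chars(line: str) -> set:
    """Flagged characters found in a MAIL FROM / RCPT TO line.

    Returns an empty set for other commands or for clean addresses."""
    m = _CMD_RE.match(line.strip())
    if not m:
        return set()
    return SUSPICIOUS & set(_path_without_brackets(m.group(2)))


def scan_session(lines):
    """Return (line_no, line, sorted_chars) for every flagged command."""
    hits = []
    for no, line in enumerate(lines, 1):
        chars = suspicious_chars(line)
        if chars:
            hits.append((no, line, sorted(chars)))
    return hits


# Constructed sample session (not real traffic); line 4 carries a ';' in the path.
SAMPLE_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test> SIZE=1024",
    "RCPT TO:<bob@example.test>",
    "MAIL FROM:<a;b@example.test>",
    "DATA",
]

if __name__ == "__main__":
    for no, line, chars in scan_session(SAMPLE_SESSION):
        print(f"line {no}: {line!r} contains {chars}")
```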
- [May 2018] Vulnerability introduced
- Qualys finds the vulnerability and informs the OpenBSD team
- [28th Jan 2020] The development team develops a patch and publishes a new release that fixes the issue
- [29th Jan 2020] An article is published on the Full Disclosure mailing list, describing the issue and detailing the means of exploitation
- A full exploit follows the next day, published on ExploitDB
We have developed a strike for CVE-2020-7247 that is available starting with the latest BreakingPoint ATI Strikepack.
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
Ixia's Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of our BreakingPoint product have access to strikes for various MTA vulnerabilities, allowing them to test their currently deployed security controls' ability to detect or block such attacks.