Vulnerability Details : CVE-2020-7247
Public exploit exists!
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Products affected by CVE-2020-7247
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:opensmtpd:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
CVE-2020-7247 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
OpenSMTPD Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2020-7247
Added on
2022-03-25
Action due date
2022-04-15
Exploit prediction scoring system (EPSS) score for CVE-2020-7247
97.39%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2020-7247
-
OpenSMTPD MAIL FROM Remote Code Execution
Disclosure Date: 2020-01-28First seen: 2020-04-26exploit/unix/smtp/opensmtpd_mail_from_rceThis module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute a command as the root user. Authors: - Qualys - wvu <wvu@metasploit.com> - RageLtMan <rageltman@sempervictus>
CVSS scores for CVE-2020-7247
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-7247
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2020-7247
-
https://usn.ubuntu.com/4268-1/
USN-4268-1: OpenSMTPD vulnerability | Ubuntu security noticesThird Party Advisory
-
http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html
OpenSMTPD MAIL FROM Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
OpenSMTPD 6.6.2 Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
Fix a security vulnerability discovered by Qualys which can lead to a · openbsd/src@9dcfda0 · GitHubPatch
-
https://seclists.org/bugtraq/2020/Jan/51
Bugtraq: [SECURITY] [DSA 4611-1] opensmtpd security updateMailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html
OpenBSD OpenSMTPD Privilege Escalation / Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/
[SECURITY] Fedora 32 Update: opensmtpd-6.6.4p1-2.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.kb.cert.org/vuls/id/390745
VU#390745 - OpenSMTPD vulnerable to local privilege escalation and remote code executionThird Party Advisory;US Government Resource
-
https://www.openbsd.org/security.html
OpenBSD: SecurityPatch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2020/01/28/3
oss-security - LPE and RCE in OpenSMTPD (CVE-2020-7247)Exploit;Mailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/
[SECURITY] Fedora 32 Update: opensmtpd-6.6.4p1-2.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html
OpenSMTPD 6.6.1 Local Privilege Escalation ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://www.debian.org/security/2020/dsa-4611
Debian -- Security Information -- DSA-4611-1 opensmtpdMailing List;Third Party Advisory
-
http://seclists.org/fulldisclosure/2020/Jan/49
Full Disclosure: LPE and RCE in OpenSMTPD (CVE-2020-7247)Exploit;Mailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html
OpenBSD OpenSMTPD 6.6 Remote Code Execution ≈ Packet StormBroken Link;Third Party Advisory;VDB Entry
Jump to