CVE-2020-7247
published 2020-01-29


Priority: P195 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 98.97% (99.9th percentile)
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Affected

13 ranges

Vendor         Product        Version range                        Fixed in
canonical      ubuntu_linux
canonical      ubuntu_linux
debian         debian_linux
debian         debian_linux
debian         opensmtpd      < opensmtpd 6.6.2p1-1 (bookworm)     opensmtpd 6.6.2p1-1 (bookworm)
fedoraproject  fedora
openbsd        opensmtpd
opensmtpd      opensmtpd      >= 0, < 6.6.2p1-1                    6.6.2p1-1
opensmtpd      opensmtpd      >= 0, < 6.6.2p1-1                    6.6.2p1-1
opensmtpd      opensmtpd      >= 0, < 6.6.2p1-1                    6.6.2p1-1
opensmtpd      opensmtpd      >= 0, < 6.6.2p1-1                    6.6.2p1-1
opensmtpd      opensmtpd      >= 0, < 5.4.1p1-1ubuntu0.1~esm1      5.4.1p1-1ubuntu0.1~esm1
opensmtpd      opensmtpd      >= 0, < 5.7.3p2-1ubuntu0.1~esm2      5.7.3p2-1ubuntu0.1~esm2

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts by monitoring the local part of SMTP MAIL FROM addresses for shell metacharacters (e.g., '$', '|'); a sender address that carries shell syntax is characteristic of CVE-2020-7247 exploitation.
  • Use the Qualys QQL query to find impacted hosts: vulnerabilities.vulnerability.qid:50097 or vulnerabilities.vulnerability.cveIds:`CVE-2020-7247`
  • The vulnerability only affects the "uncommented" default configuration of OpenSMTPD; hosts running a non-default configuration may not be exposed.
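The C below is an added illustration, not OpenSMTPD's source and not code from this page: it reconstructs the decision logic the description above attributes to smtp_mailaddr (input validation fails, yet a success code is returned) beside a hardened variant, and runs both over constructed MAIL FROM local parts, which is also the check behind the first detection bullet. The helper names `smtp_mailaddr_vuln`, `smtp_mailaddr_fixed`, `text_to_mailaddr`, the simplified `valid_localpart`/`valid_domainpart`, the 64-byte local-part cap and the sample sender `;sleep 66;` are all assumptions made here for the example.

```c
/*
 * Added illustration (not OpenSMTPD source): the smtp_mailaddr() return-value
 * flaw behind CVE-2020-7247, reconstructed from the CVE text, beside a
 * hardened variant. Helper names and the simplified validators are assumptions.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOCALPART_MAX 64   /* assumed cap on the local part */
#define DOMAIN_MAX    256  /* assumed cap on the domain part */

struct mailaddr {
    char user[LOCALPART_MAX];
    char domain[DOMAIN_MAX];
};

/* True if c may appear in an RFC 5321 dot-atom (letters, digits, atext). */
static bool is_atext(char c)
{
    return isalnum((unsigned char)c) ||
           (c != '\0' && strchr("!#$%&'*+-/=?^_`{|}~", c) != NULL);
}

/* Dot-atom check: one or more atoms of atext separated by single dots.
 * Rejects ';', space, quotes and other separators a shell would act on. */
bool valid_localpart(const char *s)
{
    for (;;) {
        if (!is_atext(*s))          /* every atom must start with atext */
            return false;
        while (is_atext(*++s))
            ;
        if (*s == '\0')
            return true;
        if (*s != '.')
            return false;
        s++;                        /* another atom must follow the dot */
    }
}

/* Simplified domain check (assumed): non-empty, letters/digits/'-'/'.'. */
bool valid_domainpart(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
            return false;
    return true;
}

/* Split "user@domain" on the last '@'; a bare "user" leaves domain empty. */
bool text_to_mailaddr(struct mailaddr *m, const char *text)
{
    const char *at = strrchr(text, '@');
    size_t ulen = at ? (size_t)(at - text) : strlen(text);
    const char *dom = at ? at + 1 : "";

    if (ulen >= sizeof m->user || strlen(dom) >= sizeof m->domain)
        return false;
    memcpy(m->user, text, ulen);
    m->user[ulen] = '\0';
    strcpy(m->domain, dom);
    return true;
}

/* Vulnerable shape: validation failed, but the "no domain, local user" branch
 * fills in the local domain and returns success without asking WHY it failed,
 * so an invalid local part is accepted. */
int smtp_mailaddr_vuln(struct mailaddr *m, const char *text, bool mailfrom,
                       const char *local_domain)
{
    if (!text_to_mailaddr(m, text))
        return 0;
    if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
        if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
            return 1;                           /* empty <> bounce sender */
        if (m->user[0] == '\0')
            return 0;                           /* no user part: reject */
        if (m->domain[0] == '\0') {
            snprintf(m->domain, sizeof m->domain, "%s", local_domain);
            return 1;                           /* BUG: user never re-checked */
        }
        return 0;
    }
    return 1;
}

/* Hardened shape: a missing domain is only completed for a valid local part. */
int smtp_mailaddr_fixed(struct mailaddr *m, const char *text, bool mailfrom,
                        const char *local_domain)
{
    if (!text_to_mailaddr(m, text))
        return 0;
    if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
        if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
            return 1;
        if (m->user[0] == '\0')
            return 0;
        if (m->domain[0] == '\0' && valid_localpart(m->user)) {
            snprintf(m->domain, sizeof m->domain, "%s", local_domain);
            return 1;
        }
        return 0;                               /* invalid local part: reject */
    }
    return 1;
}

int main(void)
{
    /* Constructed MAIL FROM payloads (the text between '<' and '>'). */
    const char *samples[] = { "", "alice", "bob@example.org", ";sleep 66;",
                              ";sleep 66;@example.org", "$(id)" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct mailaddr a, b;
        int v = smtp_mailaddr_vuln(&a, samples[i], true, "example.org");
        int f = smtp_mailaddr_fixed(&b, samples[i], true, "example.org");
        printf("<%s>  vulnerable=%s  fixed=%s\n", samples[i],
               v ? "accept" : "reject", f ? "accept" : "reject");
    }
    return 0;
}
```

Only the domain-less form slips through: `;sleep 66;@example.org` is rejected by both versions because the branch that returns the wrong code is reached only when the domain is empty. For detection, the useful signal is a local part that the dot-atom check rejects (`;`, space, quotes, parentheses); `$` and `|` are legal RFC 5321 atext, so a rule that keys on them alone will also flag unusual but legitimate senders.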

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                     9.8    CRITICAL
vulncheck               9.8    CRITICAL
cisa                    9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_ubuntu           9.8    CRITICAL