CVE-2020-8794
published 2020-02-25

Priority: P279 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 88.53% (99.8th percentile)
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.

Affected (15 ranges)

Vendor         Product        Version range                        Fixed in
canonical      ubuntu_linux   -                                    -
canonical      ubuntu_linux   -                                    -
debian         debian_linux   -                                    -
debian         debian_linux   -                                    -
debian         opensmtpd      < opensmtpd 6.6.4p1-1 (bookworm)     opensmtpd 6.6.4p1-1 (bookworm)
fedoraproject  fedora         -                                    -
fedoraproject  fedora         -                                    -
opensmtpd      opensmtpd      < 6.6.4                              6.6.4
opensmtpd      opensmtpd      >= 0 < 6.6.4p1-1                     6.6.4p1-1
opensmtpd      opensmtpd      >= 0 < 6.6.4p1-1                     6.6.4p1-1
opensmtpd      opensmtpd      >= 0 < 6.6.4p1-1                     6.6.4p1-1
opensmtpd      opensmtpd      >= 0 < 6.6.4p1-1                     6.6.4p1-1
opensmtpd      opensmtpd      >= 0 < 6.0.3p1-1ubuntu0.2            6.0.3p1-1ubuntu0.2
opensmtpd      opensmtpd      >= 0 < 5.4.1p1-1ubuntu0.1~esm1       5.4.1p1-1ubuntu0.1~esm1
opensmtpd      opensmtpd      >= 0 < 5.7.3p2-1ubuntu0.1~esm2       5.7.3p2-1ubuntu0.1~esm2

Detection & IOCs (extracted from sources)

1010190 - OpenBSD OpenSMTPD 'mta_io' Out Of Bounds Read Vulnerability (CVE-2020-8794)
37303: SMTP: OpenBSD OpenSMTPD mta_io Out-of-Bounds Read Vulnerability
Rule 4355: CVE-2020-8794 - OPENSMTPD RCE EXPLOIT - SMTP (RESPONSE)
  • Inspect SMTP server responses for injected newline characters in reply buffers; exploitation embeds newlines to modify the OpenSMTPD mail envelope and change the message type to MDA for arbitrary command execution.
  • Monitor for SMTP bounce sequences where a remote server first responds with a temporary error and then follows up with a fatal error to force an OpenSMTPD server restart — a pattern indicative of server-side exploitation.
  • Flag OpenSMTPD versions prior to 6.6.4 as vulnerable; versions released after May 2018 allow command execution as root, while earlier versions (from 5.7.1) allow execution as non-root users.
  • The vulnerability resides in the client-side MTA code (mta_session.c / mta_io), not the server listener. Server-side exploitation is possible only indirectly via bounce handling, which causes the server to invoke the vulnerable client code.
  • Server-side exploitation requires the attacker to avoid sending a permanent error on the first bounce, because OpenSMTPD automatically discards double bounces; a temporary error must be used first, followed by a fatal error after a server restart.
  • The patch (version 6.6.4) adds a length check requiring the final reply line to be greater than 4 characters before processing; detections targeting unpatched behaviour should account for this boundary condition.
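A defensive reply-line check in C, added here as an example and not OpenSMTPD's own code, that applies the boundary condition from the last bullet and the control-character check from the first to a raw reply buffer before anything indexes into it; the "longer than 4 characters" threshold is taken from the page's description of the fix.

```c
#include <ctype.h>
#include <string.h>

/* Added example (not OpenSMTPD code): vet SMTP reply lines before line[3] or line + 4 is read. */
enum reply_kind {
    REPLY_CONTINUE,     /* "ddd-text": more lines of this reply follow */
    REPLY_FINAL,        /* "ddd text": last line, long enough to parse */
    REPLY_BAD_CODE,     /* does not start with three ASCII digits */
    REPLY_TOO_SHORT,    /* final line of 4 characters or fewer */
    REPLY_EMBEDDED_CTL  /* CR, LF or NUL inside the reply text */
};

enum reply_kind classify_reply_line(const char *line, size_t len)
{
    size_t i;
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return REPLY_BAD_CODE;
    for (i = 0; i < len; i++)
        if (line[i] == '\r' || line[i] == '\n' || line[i] == '\0')
            return REPLY_EMBEDDED_CTL;
    if (len > 3 && line[3] == '-')      /* line[3] is only read once len proves it exists */
        return REPLY_CONTINUE;
    /* Threshold as the page describes the fix; stricter than RFC 5321, which allows a bare code. */
    if (len <= 4)
        return REPLY_TOO_SHORT;
    return REPLY_FINAL;
}

/* Walk a raw reply buffer ("\n" or "\r\n" line ends) and classify the first non-continuation
 * line. Only continuation lines: incomplete reply, REPLY_CONTINUE. Empty buffer: REPLY_BAD_CODE. */
enum reply_kind check_reply(const char *buf, size_t buflen)
{
    size_t start = 0, len, i;
    enum reply_kind kind = REPLY_BAD_CODE;
    for (i = 0; i <= buflen; i++) {
        if (i < buflen && buf[i] != '\n')
            continue;
        len = i - start;
        if (i == buflen && len == 0)
            break;                  /* buffer ended right after a newline */
        if (len > 0 && buf[start + len - 1] == '\r')
            len--;                  /* strip the CR of a CRLF terminator */
        kind = classify_reply_line(buf + start, len);
        if (kind != REPLY_CONTINUE)
            return kind;
        start = i + 1;
    }
    return kind;
}
```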

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_ubuntu: 9.8 CRITICAL