FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSMTPd -- LPE and RCE in OpenSMTPD's default install

Affected packages
opensmtpd < 6.6.4,1

Details

VuXML ID f0683976-5779-11ea-8a77-1c872ccb1e42
Discovery 2020-02-22
Entry 2020-02-24
Modified 2020-02-27

OpenSMTPD developers reports:

An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

An unprivileged local attacker can read the first line of an arbitrary file (for example, root's password hash in /etc/master.passwd) or the entire contents of another user's file (if this file and /var/spool/smtpd/ are on the same filesystem).

References

CVE Name CVE-2020-8793
CVE Name CVE-2020-8794
URL https://www.openwall.com/lists/oss-security/2020/02/24/4
URL https://www.openwall.com/lists/oss-security/2020/02/24/5