Attacker Value

Very High

(2 users assessed)

Exploitability

Very High

(2 users assessed)

User Interaction

CVE-2020-7247

Disclosure Date: January 29, 2020 •

CVE-2020-7247 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

Description

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the “uncommented” default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Add Assessment

wvu-r7 (437)

February 25, 2020 11:23pm UTC (4 years ago)•Edited 4 years ago

Technical Analysis

Exploit: https://github.com/rapid7/metasploit-framework/pull/12889.

busterb (317)

February 26, 2020 1:05am UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration

Technical Analysis

Expect that this may be the first in a string of OpenSMTP vulnerabilities (now that there’s increased scrutiny, not because I have any kind of insider knowledge), but that the results of this vulnerability will probably be an improvement in OpenSMTP’s design as a result, since bug classes like this tend to get the OpenBSD developers working hard to find general solutions in subsequent releases.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

canonical,
debian,
fedoraproject,
openbsd

Products

debian linux 10.0,
debian linux 9.0,
fedora 32,
opensmtpd 6.6,
ubuntu linux 18.04,
ubuntu linux 19.10

Metasploit Modules

OpenSMTPD MAIL FROM Remote Code Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: March 28, 2022 4:40pm UTC (2 years ago)

References

Rapid7

Very High

CVE-2020-7247

Very High

Very High

None

None

Network

CVE-2020-7247

Description

Add Assessment

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2020-7247

Very High

Very High

None

None

Network

CVE-2020-7247

Description

Add Assessment

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification