Critical Flaw In OpenSMTPD Found, Patched

A critical vulnerability
has been found in OpenSMTPD that if exploited could allow an attacker to execute
arbitrary code.

The flaw, CVE-20207247, was discovered
by Qualys Research Labs and affects OpenSMTPD version 6.6, which does not
properly sanitize user input which could lead to a local attacker being able to
to escalate their privileges, and allow either a local or remote attacker to
execute arbitrary code as root.

The
open-source OpenSMTPD’s smtp_mailaddr() function is responsible for validating
sender and recipient mail addresses. The problem is that if the local part of
an address is invalid and the domain name is empty the software will
automatically add a domain name instead of just failing because of the invalid
local address. This will allow the invalid local address to pass through the
function without validation.

This can be
triggered if an attacker sends a malformed address, as described above, which
will bypass the smtp_mailaddr() validation and execute arbitrary code. This
ability could then be used by the malicious actor to execute arbitrary code.

The Carnegie
Mellon University Software Engineering Institute is recommending users upgrade
to OpenSMTPD version
6.6.2p1.

Topics:

Email Security

Source: https://www.scmagazine.com/home/security-news/vulnerabilities/critical-flaw-in-opensmtpd-found-patched/

Generative Data Intelligence

Critical flaw in OpenSMTPD found, patched

Topics:

Carbon Literacy for Education Discount Scheme – The Carbon Literacy Project

Wellington region’s new low carbon transport strategy

Latest Intelligence

Capital receives first delivery of sustainable aviation fuel

Legacy carmakers face brand loyalty challenges as EV competitors emerge

Pentagon extends Midlands footprint with BYD dealerships

What is Bagging in Machine Learning?

2024 NBA Mock Draft June 26

Fundamentals of Data Collaboration – DATAVERSITY