Security flaws in software are a constant in software development, and sometimes developers have barely finished one round of fixes before new reports arrive. According to digital forensics specialists, only a few weeks after a critical vulnerability in OpenSMTPD, the mail server of OpenBSD, was repaired, a new report appeared describing two additional flaws.
One is a medium-severity local information disclosure flaw; the other could be exploited remotely to execute arbitrary commands on a vulnerable device, said the researchers at security firm Qualys who reported the bugs.
Tracked as CVE-2020-8793, the lower-risk flaw would allow an unprivileged local attacker to read the first line of an arbitrary file, or the entire contents of another user's file. The digital forensics researchers also developed a proof of concept, which worked against the most recent versions of OpenBSD and Fedora.
CVE-2020-8794, on the other hand, is an out-of-bounds read introduced in December 2015 that can lead to execution of arbitrary shell commands as root or as another user, depending on the vulnerable OpenSMTPD version. Because it lies in OpenSMTPD's client-side code, it opens two different attack scenarios:
- Client-side exploitation: the flaw can be exploited remotely in OpenSMTPD's default configuration, executing arbitrary shell commands on the vulnerable installation.
- Server-side exploitation: an attacker connected to the OpenSMTPD server can exploit the vulnerability to execute shell commands, crash the service, and wait for it to be restarted by the administrator or to restart automatically.
Both vulnerabilities have been fixed, so administrators of affected deployments are advised to apply the updates as soon as possible. Digital forensics specialists from the International Institute of Cyber Security (IICS) noted that the remote code execution flaw reported earlier was exploited in real-world attacks after its public disclosure. This time, to limit the risk, the proof of concept will be released only once the industry considers the risk of active exploitation to have passed.