CISA KEV 정보
| 취약점명 | OpenSMTPD Remote Code Execution Vulnerability |
|---|---|
| 설명 | smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session. |
| 조치사항 | Apply updates per vendor instructions. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-755 | CWE-78 |
| 등록일 (KEV) | 2022-03-25 |
| 조치 기한 | 2022-04-15 |
| 추가 참고 | https://nvd.nist.gov/vuln/detail/CVE-2020-7247 |
NVD 상세 정보
CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCVSS v2.0: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C설명: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
CWE: CWE-78 | CWE-755 | CWE-755
참조
- http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html [Exploit, Third Party Advisory, VDB Entry]
- http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html [Broken Link, Third Party Advisory, VDB Entry]
- http://seclists.org/fulldisclosure/2020/Jan/49 [Exploit, Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2020/01/28/3 [Exploit, Mailing List, Third Party Advisory]
- https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45 [Patch]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/ [Mailing List, Third Party Advisory]
- https://seclists.org/bugtraq/2020/Jan/51 [Mailing List, Third Party Advisory]
- https://usn.ubuntu.com/4268-1/ [Third Party Advisory]
- https://www.debian.org/security/2020/dsa-4611 [Mailing List, Third Party Advisory]
- https://www.kb.cert.org/vuls/id/390745 [Third Party Advisory, US Government Resource]
- https://www.openbsd.org/security.html [Patch, Vendor Advisory]
- http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html [Exploit, Third Party Advisory, VDB Entry]
- ... 외 14건
This product uses the NVD API but is not endorsed or certified by the NVD.