CVSS3: 9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.975 (High)
Percentile: 100.0%
Qualys Research Labs found that the smtp_mailaddr() function in OpenSMTPD version 6.6 does not properly validate the sender and recipient addresses supplied in an SMTP session, which could allow a local attacker to escalate privileges and could allow either a local or remote attacker to execute arbitrary code as root.
OpenSMTPD is an open-source server-side implementation of the Simple Mail Transfer Protocol (SMTP) that is part of the OpenBSD Project. OpenSMTPD's smtp_mailaddr() function is responsible for validating the sender and recipient mail addresses given in the MAIL FROM and RCPT TO commands. When the local part of an address is invalid and the domain part is empty, smtp_mailaddr() treats the address as a local user, fills in the server's default domain and returns success instead of failing on the invalid local part. The invalid local part therefore passes through the function unvalidated.
An attacker can send a malformed SMTP envelope address that bypasses the smtp_mailaddr() validation and results in arbitrary code execution. This could allow a local attacker to escalate privileges, and could allow either a local or remote attacker to execute arbitrary code as root. In OpenBSD's default smtpd.conf, smtpd listens only on the loopback interface, so only local users can reach it; an instance configured to accept mail from the network is exploitable remotely.
Apply an update
OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability. Distributions that ship older OpenSMTPD branches have backported the fix under their own version numbers (for example Ubuntu's 6.0.3p1-1ubuntu0.1 and 6.0.3p6-1ubuntu0.1); see the vendor information below, and restart the running smtpd after upgrading so the patched binary is actually in use.
Vendor Information for VU#390745
Alpine Linux
Notified: January 31, 2020 Updated: January 31, 2020
Affected
We have not received a statement from the vendor.
OpenSMTPD version 6.6.2p1-r0 has been implemented in the latest version of Alpine Linux.
Debian
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: January 31, 2020
Affected
This affected Debian and has been addressed: <https://www.debian.org/security/2020/dsa-4611>
We are not aware of further vendor information regarding this vulnerability.
OpenBSD
Updated: January 31, 2020
Affected
We have not received a statement from the vendor.
OpenBSD has released a patch in OpenSMTPD version 6.6.2p1 to address this vulnerability.
Ubuntu
Updated: February 07, 2020
Affected
CVE-2020-7247 has been patched in the following Ubuntu releases:
18.04 Bionic Beaver: OpenSMTPD 6.0.3p1-1ubuntu0.1
19.10 Eoan Ermine: OpenSMTPD 6.0.3p6-1ubuntu0.1
Please see USN-4268-1 (<https://usn.ubuntu.com/4268-1/>) for more details.
We are not aware of further vendor information regarding this vulnerability.
Notified: January 31, 2020 Updated: March 09, 2020
Statement Date: March 06, 2020
Not Affected
Our products are not impacted by this issue.
We are not aware of further vendor information regarding this vulnerability.
Arista Networks
Notified: January 31, 2020 Updated: February 03, 2020
Not Affected
No products Arista Networks sells are affected by VU#390745 aka CVE-2020-7247. This is due to that library not being used or included in any of the products.
We are not aware of further vendor information regarding this vulnerability.
Container Linux
Notified: January 31, 2020 Updated: February 04, 2020
Statement Date: February 03, 2020
Not Affected
Container Linux does not ship OpenSMTPD and so is not vulnerable.
We are not aware of further vendor information regarding this vulnerability.
F5 Networks
Notified: January 31, 2020 Updated: February 03, 2020
Not Affected
F5 Networks products are not affected as OpenSMTPD is not included. For products that are installed on a host OS (virtual edition, etc.) the presence of OpenSMTPD will depend on the host OS and not the F5 product. Customers are advised to check with the host OS vendor to determine if their platform is affected.
We are not aware of further vendor information regarding this vulnerability.
FreeBSD
Notified: January 31, 2020 Updated: February 04, 2020
Not Affected
FreeBSD has never shipped with OpenSMTPD installed by default.
We do provide OpenSMTPD as part of our third-party package collection and users can also build the package from our ports tree. The port was updated on Wednesday 29th January at 02:55 UTC and the fix was merged to the 2020Q1 quarterly branch on Friday 31st January at 09:37 UTC.
Pre-built packages of the updated port have been available on our mirrors since Thursday 30th January 2020 at 14:16 UTC (head) and Sunday 2nd February 2020 at 01:10 UTC (quarterly).
OpenSMTPD version 6.6.2p1-r0 has been implemented in the latest version of FreeBSD.
illumos
Notified: January 31, 2020 Updated: February 03, 2020
Not Affected
None of the most popular illumos distributions (OpenIndiana, SmartOS, OmniOSce) ship with OpenSMTPD. A cursory survey of others indicates no OpenSMTPD either.
We are not aware of further vendor information regarding this vulnerability.
NetBSD
Notified: January 31, 2020 Updated: February 03, 2020
Not Affected
NetBSD is not vulnerable - we do not ship/have never shipped OpenSMTPD.
We are not aware of further vendor information regarding this vulnerability.
QNX
Notified: January 31, 2020 Updated: February 05, 2020
Not Affected
QNX is not vulnerable - OpenSMTPD has not shipped as part of our product.
We are not aware of further vendor information regarding this vulnerability.
SUSE
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: February 01, 2020
Not Affected
Neither SUSE nor openSUSE includes opensmtpd, so SUSE is not affected by this problem.
We are not aware of further vendor information regarding this vulnerability.
Synology
Notified: January 31, 2020 Updated: February 03, 2020
Statement Date: February 03, 2020
Not Affected
Synology does not employ OpenSMTPD for our products, including MailPlus [1] and Mail Station [2].
[1] <https://www.synology.com/dsm/feature/mailplus>
[2] <https://www.synology.com/dsm/packages/MailStation>
We are not aware of further vendor information regarding this vulnerability.
Other notified vendors (34 entries, all with the same status)
Notified: January 31, 2020 Updated: January 31, 2020 (one entry updated February 03, 2020)
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 10 | E:ND/RL:ND/RC:ND |
Environmental | 10.0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to Qualys Research Labs for reporting this vulnerability.
This document was written by Madison Oliver.
CVE IDs: | CVE-2020-7247 |
---|---|
Date Public: | 2020-01-28 |
Date First Published: | |
blog.qualys.com/laws-of-vulnerabilities/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247
github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.2p1
poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
tools.ietf.org/html/rfc821
www.debian.org/security/2020/dsa-4611
www.openbsd.org/
www.opensmtpd.org/
www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt