Bug 1162417 (CVE-2020-7247)

Summary:	VUL-0: CVE-2020-7247: opensmtpd: remote code execution
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Critical
Priority:	P5 - None	CC:	smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/252051/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Marcus Meissner 2020-02-01 07:15:30 UTC

CVE-2020-7247

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
other products, allows remote attackers to execute arbitrary commands as root
via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
FROM field. This affects the "uncommented" default configuration. The issue
exists because of an incorrect return value upon failure of input validation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7247
http://seclists.org/oss-sec/2020/q1/40
http://www.openwall.com/lists/oss-security/2020/01/28/3
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7247.html
https://www.debian.org/security/2020/dsa-4611
http://www.debian.org/security/-1/dsa-4611
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247
https://www.openbsd.org/security.html
https://seclists.org/bugtraq/2020/Jan/51
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121

Comment 1 Marcus Meissner 2020-02-01 07:15:54 UTC

SUSE does not ship or use opensmtpd.