Qualys Reveals Critical OpenBSD Mail Server Security Vulnerability

Qualys Research Labs this week revealed a security flaw in the OpenSMTPD mail server used in the OpenBSD operating system that allows a cyberattacker to execute arbitrary shell commands with elevated root-level privileges.

Jimmy Graham, senior director of product management for Qualys, said the OpenBSD flaw is serious enough to warrant an immediate fix that has been made available by the OpenBSD community. Additionally, Linux distributions that might use the OpenSMTPD mail server should also apply the patch immediately, Graham said. It’s not yet known whether cybercriminals or nation states have ever discovered this potential exploit to inject code into OpenBSD systems, but now that it’s been leaked, the skill set required to exploit it isn’t particularly high, Graham added.

This vulnerability exists in the “smtp_mailaddr()” function of the OpenBSD OpenSMTPD mail server and affects OpenBSD version 6.6. Exploitation is constrained by the length of the address's local part (a maximum of 64 characters is allowed) and by characters that must be escaped (“$”, “|”). Qualys researchers were able to overcome these limitations using a technique from the Morris worm, which exploited Sendmail by executing the body of a mail as a shell script.
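As an added example (not code from Qualys or the OpenSMTPD project), the following Python check flags SMTP envelope addresses whose local part exceeds the 64-character limit or contains shell metacharacters such as the “$” and “|” mentioned above. The metacharacter set, the function names and the sample session lines are assumptions constructed for illustration.

```python
import re

MAX_LOCAL_PART = 64  # local-part limit cited in the article
# Assumed set of characters special to /bin/sh; includes the "$" and "|" named above.
SHELL_META = set(";|&$`<>(){}\\'\" \t")
# Envelope commands as they appear in an SMTP session transcript.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>", re.IGNORECASE)

def check_envelope(line):
    """Return findings for one SMTP command line; an empty list means clean."""
    m = ENVELOPE.match(line.strip())
    if not m or m.group(2) == "":  # not an envelope command, or null sender <>
        return []
    addr = m.group(2)
    # Everything before the last "@" is the local part; no "@" means all of it.
    local = addr.rpartition("@")[0] if "@" in addr else addr
    findings = []
    if len(local) > MAX_LOCAL_PART:
        findings.append("local-part-too-long")
    bad = sorted(set(local) & SHELL_META)
    if bad:
        findings.append("shell-metachar:" + "".join(bad))
    return findings

def scan(transcript):
    """Return (line_number, findings) for every suspicious envelope line."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), start=1):
        findings = check_envelope(line)
        if findings:
            hits.append((n, findings))
    return hits

# Constructed sample session lines (not captured traffic).
SAMPLE_SESSION = "\n".join([
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob+lists@example.net>",
    "MAIL FROM:<a|b@example.org>",
    "RCPT TO:<$user@example.net>",
    "MAIL FROM:<>",
    "MAIL FROM:<" + "a" * 65 + "@example.org>",
])

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_SESSION):
        print(lineno, findings)
```

Some of the flagged characters are permitted in local parts by the mail RFCs, so a hit is a reason to review the session rather than proof of an attack.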

Graham said Qualys discovered the vulnerability as part of its ongoing research efforts to identify vulnerabilities in widely used software. After the OpenSMTPD mail server vulnerability was discovered, Qualys worked with OpenBSD on the timing of disclosure to ensure a fix was available, he said.

The challenge, of course, is that the patch management processes in most organizations are often flawed. In an ideal world, organizations would rely more on a patch management system that automatically tracks and prioritizes vulnerabilities, Graham said. Qualys customers can track all OpenBSD vulnerabilities through the OpenBSD Vulnerability Dashboard.

Ideally, patch management will one day become a more natural extension of any set of best DevSecOps processes. Each new vulnerability discovered will be prioritized as part of a continuous integration/deployment (CI/CD) platform. DevOps teams will then decide, based on the risk level of known vulnerabilities, how much time to spend creating fixes versus adding new features and capabilities. It will then be up to the cybersecurity teams to verify that the patches created have been correctly installed. Perhaps the biggest challenge in DevSecOps right now isn’t so much the technology involved as making two disparate cultures work in a more integrated way.

In the meantime, cybersecurity teams should expect the steady stream of vulnerability disclosures to continue. Organizations may not always appreciate the disruption such disclosures can create, but the alternative is even more unacceptable. There is always a chance that malicious actors have already been exploiting a newly revealed vulnerability for some time. Once the disclosure is made, it becomes a race to implement the fix before cybercriminals start actively looking to exploit it. Hopefully one day soon, machine learning algorithms will make it much easier to determine where all these fixes should be applied.

—Michael Vizard