A critical vulnerability has been found in OpenSMTPD that, if exploited, could allow an attacker to execute arbitrary code.

The flaw, CVE-2020-7247, was discovered by Qualys Research Labs and affects OpenSMTPD version 6.6. Because the server does not properly validate the mail addresses it receives, a local attacker could escalate their privileges, and either a local or a remote attacker could execute arbitrary code as root.

The open-source OpenSMTPD's smtp_mailaddr() function is responsible for validating sender and recipient mail addresses. The problem is that when the local part of an address is invalid and the domain part is empty, the function fills in the server's default domain and accepts the address instead of rejecting it for the invalid local part. The local part is never re-checked on that path, so the invalid address passes through the function without validation.

An attacker can trigger this by sending a malformed address of the kind described above: a local part containing characters the check would normally reject, with no domain. Such an address bypasses the smtp_mailaddr() validation and is handled by the rest of the server as if it were valid, which is what gives the attacker the ability to execute arbitrary code.
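The following C program illustrates the logic flaw described in the two paragraphs above: a vulnerable address check beside a hardened one. It is an added example, not OpenSMTPD's source code or its upstream patch; the character classes, buffer sizes, the "localhost" default domain and the sample addresses (including "bad;user", whose ';' is not a legal local-part character) are all assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSMTPD source: a simplified reconstruction of the
 * smtp_mailaddr() flaw behind CVE-2020-7247. Character classes, buffer sizes,
 * the default domain and the sample addresses are all chosen here. */
#define DEFAULT_DOMAIN "localhost"  /* assumed stand-in for the server's local domain */

struct mailaddr { char user[64]; char domain[255]; };

/* Simplified local-part check: atext characters with single dots between
 * atoms; ';', space and an empty string are rejected as in a real MTA. */
static int valid_localpart(const char *s)
{
	static const char allowed[] = "!#$%&'*/?^`{|}~+-=_";
	int in_atom = 0;
	for (; *s != '\0'; s++) {
		if (*s == '.') {
			if (!in_atom)
				return 0;         /* leading dot or ".." */
			in_atom = 0;
			continue;
		}
		if (!isalnum((unsigned char)*s) && strchr(allowed, *s) == NULL)
			return 0;
		in_atom = 1;
	}
	return in_atom;                   /* empty string or trailing dot fails */
}

/* Simplified domain check: non-empty; letters, digits, '-' and '.' only. */
static int valid_domainpart(const char *s)
{
	const char *p;
	for (p = s; *p != '\0'; p++)
		if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
			return 0;
	return p != s;
}

/* Split "user@domain" or "user" into the struct; domain is "" when absent. */
static int split_address(struct mailaddr *m, const char *addr)
{
	const char *at = strchr(addr, '@');
	size_t ulen = at != NULL ? (size_t)(at - addr) : strlen(addr);
	if (ulen >= sizeof(m->user) || (at != NULL && strlen(at + 1) >= sizeof(m->domain)))
		return 0;
	memcpy(m->user, addr, ulen);
	m->user[ulen] = '\0';
	strcpy(m->domain, at != NULL ? at + 1 : "");
	return 1;
}

/* Vulnerable shape: an address that fails validation but has no domain gets the
 * default domain filled in and is accepted without re-checking the local part,
 * so "alice" (a genuine local user) and "bad;user" are treated alike. */
static int smtp_mailaddr_vulnerable(struct mailaddr *m, const char *addr)
{
	if (!split_address(m, addr))
		return 0;
	if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
		if (m->user[0] == '\0')
			return 0;                 /* no user part: reject */
		if (m->domain[0] == '\0') {   /* no domain: assume local user */
			strcpy(m->domain, DEFAULT_DOMAIN);
			return 1;                 /* BUG: local part never validated */
		}
		return 0;
	}
	return 1;
}

/* Hardened shape (one way to close the gap, not the upstream patch): the local
 * part is checked before any domain handling, so it is rejected on every path. */
static int smtp_mailaddr_fixed(struct mailaddr *m, const char *addr)
{
	if (!split_address(m, addr) || !valid_localpart(m->user))
		return 0;
	if (m->domain[0] == '\0') {
		strcpy(m->domain, DEFAULT_DOMAIN);
		return 1;
	}
	return valid_domainpart(m->domain);
}

/* Accept/reject decision only, for the demo loop and for testing. */
int accepts_vulnerable(const char *a) { struct mailaddr m; return smtp_mailaddr_vulnerable(&m, a); }
int accepts_fixed(const char *a) { struct mailaddr m; return smtp_mailaddr_fixed(&m, a); }

int main(void)
{
	/* Constructed samples; ';' is not a legal local-part character. */
	static const char *samples[] = { "alice", "alice@example.org", "bad;user", "bad;user@example.org", "" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-22s vulnerable=%d fixed=%d\n", samples[i],
		    accepts_vulnerable(samples[i]), accepts_fixed(samples[i]));
	return 0;
}
```

Running it shows the asymmetry the article describes: "bad;user@example.org" is rejected by both versions because the domain check fails and the code falls through to the final reject, but "bad;user" with no domain is accepted by the vulnerable version (with the default domain filled in) and rejected by the hardened one. The practical lesson is that an early-return "convenience" path, here the local-user shortcut, must re-apply every check the main path would have applied.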

The Carnegie Mellon University Software Engineering Institute is recommending users upgrade to OpenSMTPD version 6.6.2p1.