On 2020-04-08 18:39, Claus Assmann wrote: > - Client-side exploitation: This vulnerability is remotely exploitable > in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
You missed some out. I assume on purpose. Client-side exploitation: This vulnerability is remotely exploitable in OpenSMTPD's (and hence OpenBSD's) default configuration. Although OpenSMTPD listens on localhost only, by default, it does accept mail from local users and delivers it to remote servers. If such a remote server is controlled by an attacker (either because it is malicious or compromised, or because of a man-in-the-middle, DNS, or BGP attack -- SMTP is not TLS-encrypted by default), then the attacker can execute arbitrary shell commands on the vulnerable OpenSMTPD installation. So it does require internal users to make an action and a MITM or outbound connection to an attacker controlled server and not an incoming connection... Qualsys chose to call that remote, at a stretch. Either way, it does not change the point around "everything is hackable" being false. I never brought up smtpd and never said smtpd was unhackable!
