Multiple vulnerabilities in qmail netqmail
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-3811 CVE-2020-3812 |
| CWE-ID | CWE-20 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
netqmail Server applications / Mail servers Debian Linux Operating systems & Components / Operating system |
| Vendor |
qmail Debian |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU34380
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3811
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
qmail-verify as used in netqmail 1.06 is prone to a mail-address verification bypass vulnerability.
MitigationInstall update from vendor's website.
Vulnerable software versionsnetqmail: 1.06
Debian Linux: 1.06 - 9.0
CPE2.3- cpe:2.3:a:qmail:netqmail:1.06:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:1.06:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
http://bugs.debian.org/961060
http://lists.debian.org/debian-lts-announce/2020/06/msg00002.html
http://www.debian.org/security/2020/dsa-4692
http://www.openwall.com/lists/oss-security/2020/05/19/8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU34381
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-3812
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.
MitigationInstall update from vendor's website.
Vulnerable software versionsnetqmail: 1.06
Debian Linux: 1.06 - 9.0
CPE2.3- cpe:2.3:a:qmail:netqmail:1.06:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:1.06:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
http://bugs.debian.org/961060
http://lists.debian.org/debian-lts-announce/2020/06/msg00002.html
http://www.debian.org/security/2020/dsa-4692
http://www.openwall.com/lists/oss-security/2020/05/19/8
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
