CVE-2020-1946

9.8 CRITICAL

📋 TL;DR

CVE-2020-1946 is a critical vulnerability in Apache SpamAssassin that allows malicious rule configuration files to execute arbitrary system commands without generating output or errors. This affects all Apache SpamAssassin users before version 3.4.5 who use third-party or untrusted rule configuration files. Attackers can exploit this to achieve remote code execution in various deployment scenarios.

💻 Affected Systems

Products:
  • Apache SpamAssassin
Versions: All versions before 3.4.5
Operating Systems: All operating systems running vulnerable SpamAssassin versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires processing malicious .cf files, which could come from untrusted update channels or third-party rule sources.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining root/system-level access, data exfiltration, ransomware deployment, or complete system takeover.

🟠

Likely Case

Unauthorized command execution leading to data theft, installation of backdoors, or lateral movement within the network.

🟢

If Mitigated

Limited impact with proper access controls and trusted rule sources, potentially only affecting the SpamAssassin process context.

🌐 Internet-Facing: HIGH - SpamAssassin often processes email from untrusted sources, making internet-facing instances prime targets.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if they process email from compromised internal sources or use untrusted rule updates.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires delivering malicious .cf files to the SpamAssassin system, which could be achieved through email attachments, compromised update channels, or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.5

Vendor Advisory: https://s.apache.org/3r1wh

Restart Required: Yes

Instructions:

1. Backup current configuration and rules.
2. Stop SpamAssassin service.
3. Upgrade to SpamAssassin 3.4.5 or later using your package manager (apt-get upgrade spamassassin, yum update spamassassin, etc.).
4. Restart SpamAssassin service.
5. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict rule sources

Platform: all

Only use official SpamAssassin update channels and trusted third-party rule sources

# sa-update has no "allowed_channels" setting: the channels it pulls are given on its
# command line (--channel / --channelfile), normally inside the distribution's cron job
# or timer that runs it. Review that invocation and:
#   - keep only the official channel, updates.spamassassin.org, plus third-party
#     channels you trust
#   - make sure --nogpg is not passed, so every downloaded rule set must carry a
#     valid GPG signature before it is installed

Disable automatic rule updates

Platform: linux

Temporarily disable automatic rule updates until patching can be completed

# "update" is not a recognised local.cf directive (it would only produce a parse
# warning); sa-update is started by a distribution-supplied cron job or systemd timer,
# so disable that instead.
# systemd timer, where the distribution ships one (the unit name may differ):
systemctl disable --now sa-update.timer 2>/dev/null
# root crontab entry, if one was added by hand:
crontab -l 2>/dev/null | grep -v sa-update | crontab -
# Debian/Ubuntu: the nightly job is switched on by CRON=1 in /etc/default/spamassassin;
# set CRON=0 there to stop it

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can modify SpamAssassin configuration files
  • Monitor and audit all .cf file changes and rule update activities

🔍 How to Verify

Check if Vulnerable:

Check SpamAssassin version: spamassassin -V | grep 'SpamAssassin version' and compare to 3.4.5

Check Version:

spamassassin -V | grep 'SpamAssassin version'

Verify Fix Applied:

Confirm version is 3.4.5 or later: spamassassin -V | grep -q 'SpamAssassin version \(3\.4\.[5-9]\|3\.[5-9]\|[4-9]\)' && echo 'Patched' (the pattern is anchored on the "SpamAssassin version" line because spamassassin -V also prints "running on Perl version 5.x", which a bare `version [4-9]` match would wrongly report as patched)
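As an added example (not code from the advisory or from the SpamAssassin project), the same check as a POSIX shell function that parses the `spamassassin -V` output properly: it reads only the "SpamAssassin version X.Y.Z" line, ignores the "running on Perl version" line that follows, and compares version components numerically against 3.4.5 so that a hypothetical 3.4.10 or a 4.x release is not mis-classified.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# SpamAssassin is at or above the fixed release, 3.4.5, from the text that
# `spamassassin -V` prints. The parser takes the captured output as an
# argument so it can be exercised offline on constructed samples.

FIXED_VERSION="3.4.5"

# version_ge A B: succeed if dotted version A >= B, comparing the first three
# components numerically (so 3.4.10 > 3.4.5 and 4.0.0 > 3.4.5). Any suffix
# after the third component (e.g. "6-r1") is dropped by awk's numeric conversion.
version_ge() {
    set -- $(printf '%s\n%s\n' "$1" "$2" | awk -F. '{ printf "%d %d %d ", $1, $2, $3 }')
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# sa_version_from_output TEXT: print X.Y.Z from the "SpamAssassin version"
# line, or nothing if that line is absent. The "running on Perl version 5.x"
# line does not match, so it can never yield a version.
sa_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SpamAssassin version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# sa_is_patched TEXT: exit 0 if the version in TEXT is >= 3.4.5, 1 if it is
# older, 2 if no SpamAssassin version line could be found.
sa_is_patched() {
    ver=$(sa_version_from_output "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# Stand-alone use: query the local install, if one is present.
if command -v spamassassin >/dev/null 2>&1; then
    out=$(spamassassin -V 2>/dev/null)
    if sa_is_patched "$out"; then
        echo "Patched: SpamAssassin $(sa_version_from_output "$out")"
    else
        echo "VULNERABLE or unknown version: $(sa_version_from_output "$out")"
    fi
fi
```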

📡 Detection & Monitoring

Log Indicators:

  • Unexpected system command execution from spamd or spamassassin processes
  • Unauthorized modifications to .cf files in SpamAssassin rule directories
  • Unusual network connections originating from SpamAssassin processes

Network Indicators:

  • Outbound connections from SpamAssassin to unexpected destinations
  • DNS queries for command and control domains from spamd process

SIEM Query:

parent_process_name:spamd AND (process_name:sh OR process_name:bash OR process_name:curl OR process_name:wget)
(a command run by a compromised spamd shows up as a child process whose own name is the shell or downloader, so match on the parent; the original `command_line:*sh*` pattern also matched far too broadly. Field names follow a generic endpoint schema and must be mapped to your SIEM.)
