CVE-2020-7845

8.1 HIGH

📋 TL;DR

CVE-2020-7845 is a stack-based buffer overflow vulnerability in Spamsniper email security software versions 5.0 through 5.2.7. It allows remote attackers to execute arbitrary code by sending a specially crafted MAIL FROM command. Organizations using vulnerable Spamsniper versions for email filtering are affected.

💻 Affected Systems

Products:
  • Spamsniper
Versions: 5.0 ~ 5.2.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Spamsniper installations with SMTP processing enabled. The software is primarily used in Korean organizations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with SYSTEM/root privileges leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Service disruption, denial of service, or limited code execution depending on exploit sophistication and system hardening.

🟢

If Mitigated

Denial of service or crash of the Spamsniper service without code execution if the exploit fails or protections such as DEP/ASLR are effective.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via the SMTP protocol, which is typically internet-facing.
🏢 Internal Only: MEDIUM - Could be exploited internally if an attacker has network access to the Spamsniper server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is triggered by a malicious MAIL FROM command, which is part of the standard SMTP protocol and does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.8 or later

Vendor Advisory: https://www.jiransecurity.com/

Restart Required: Yes

Instructions:

1. Download Spamsniper version 5.2.8 or later from the vendor website.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the Spamsniper service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict SMTP access to Spamsniper server to only trusted email sources

Input Validation Filter

all

Deploy network filter or proxy to validate MAIL FROM command length before reaching Spamsniper

🧯 If You Can't Patch

  • Isolate the Spamsniper server in a DMZ with strict firewall rules limiting SMTP access
  • Implement network-based intrusion prevention system (IPS) with rules to detect buffer overflow attempts in SMTP commands

🔍 How to Verify

Check if Vulnerable:

Check Spamsniper version in the software interface or registry: HKEY_LOCAL_MACHINE\SOFTWARE\JiranSecurity\Spamsniper\Version

Check Version:

reg query "HKLM\SOFTWARE\JiranSecurity\Spamsniper" /v Version

Verify Fix Applied:

Verify version is 5.2.8 or higher and test SMTP functionality with normal email traffic

📡 Detection & Monitoring

Log Indicators:

  • Unusually long MAIL FROM commands in SMTP logs
  • Spamsniper service crashes or restarts
  • Error messages related to buffer overflow

Network Indicators:

  • SMTP packets with MAIL FROM commands exceeding typical length (e.g., > 1000 characters)
  • Multiple connection attempts to Spamsniper SMTP port (typically 25)

SIEM Query:

source="spamsniper_logs" AND (("MAIL FROM" AND length>1000) OR "buffer overflow" OR "access violation")
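The "unusually long MAIL FROM" indicator above can be checked offline against exported SMTP session logs. The script below is an added example, not part of this advisory or of Spamsniper; the log line format (timestamp, client IP, "C:" client command) and the sample lines are constructed assumptions, and the 1000-character threshold is the one the advisory gives.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not real Spamsniper output); the
# "<timestamp> <client-ip> C: <command>" layout is an assumption.
LONG_ARG = "A" * 1200
SAMPLE_LOG = "\n".join([
    "2020-06-01T10:00:01Z 198.51.100.7 C: EHLO mail.example.net",
    "2020-06-01T10:00:01Z 198.51.100.7 C: MAIL FROM:<alice@example.net>",
    "2020-06-01T10:00:02Z 198.51.100.7 C: RCPT TO:<bob@example.org>",
    f"2020-06-01T10:05:40Z 203.0.113.9 C: MAIL FROM:<{LONG_ARG}@example.com>",
    "2020-06-01T10:05:41Z 203.0.113.9 C: QUIT",
    "garbage line that does not match the expected layout",
])

# Threshold taken from the advisory's network indicator (> 1000 characters).
MAX_MAIL_FROM_LEN = 1000

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+C:\s+(?P<cmd>.*)$")
MAIL_FROM_RE = re.compile(r"MAIL\s+FROM:\s*(?P<arg>.*)$", re.IGNORECASE)


def mail_from_length(command: str) -> Optional[int]:
    """Length of the MAIL FROM argument (reverse-path and any parameters),
    or None if the command is not MAIL FROM. Matching is case-insensitive,
    as SMTP verbs are."""
    m = MAIL_FROM_RE.match(command)
    return len(m.group("arg")) if m else None


def find_oversized_mail_from(log_text: str, limit: int = MAX_MAIL_FROM_LEN) -> List[Dict]:
    """Return one record per log line whose MAIL FROM argument exceeds `limit`.
    Lines that do not fit the expected layout are skipped, not treated as errors."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        n = mail_from_length(m.group("cmd"))
        if n is not None and n > limit:
            hits.append({"ts": m.group("ts"), "ip": m.group("ip"), "arg_len": n})
    return hits


if __name__ == "__main__":
    for hit in find_oversized_mail_from(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} MAIL FROM argument is {hit['arg_len']} chars (> {MAX_MAIL_FROM_LEN})")
```

A hit from an external source should be correlated with the service crash and "access violation" indicators listed above before being treated as an exploitation attempt.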
