CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None
EPSS percentile: 70.0%
A vulnerability has been found in the way SMTP servers and software handle end-of-data sequences (the marker that ends a single email message) in mail messages: different implementations recognise different sequences. An attacker can use this inconsistency to craft an email message that bypasses SMTP security policies.
SMTP (RFC 5321; the message format itself is defined in RFC 5322) is the Internet protocol for e-mail transmission and exchange. A message is typically relayed through several SMTP servers between sender and recipient, so a chain of next-hop servers handles and re-transmits it before delivery. Priority-based Mail eXchange (MX) records also allow mail to be delivered to alternate servers or partner gateways that spool and deliver it during outages. To prevent fraudulent mail, mail software and services authenticate submitting users and apply sender-authentication policies such as DMARC, which builds on SPF and DKIM, to verify a message's origin as it traverses these services.
Security researcher Timo Longin at SEC Consult discovered that email software deployed on numerous SMTP servers treats the end-of-data sequence inconsistently. An attacker can exploit this by crafting a message that contains a non-standard end-of-data sequence, so that the message is interpreted differently when it is transferred to its next hop. Any server along the route of SMTP gateways that processes the manipulated message may interpret the submitted data as multiple messages, then process and relay each of them. Postfix developer Wietse Venema explained:
> The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than CR LF
SEC Consult researchers named this vulnerability "SMTP Smuggling". The problem involves multiple stakeholders: email service providers, email software vendors, email security product vendors and others that process and handle email.
VU#302671: An improper end-of-data sequence handling vulnerability in email software, services or appliances allows attackers to inject arbitrary email messages that bypass security policies.
An Openwall community discussion also led to the reservation of the following CVE numbers:
Software | CVE
---|---
Exim | CVE-2023-51766
Postfix | CVE-2023-51764
Sendmail | CVE-2023-51765
An attacker with access to an SMTP service can craft an email with improper end-of-data sequencing so that a single submission is accepted as two or more messages by a downstream server, bypassing security policy. Email security scanners and gateways that analyze the submission as one message are defeated by the improper sequencing, so in-place email handling policies are not applied to the smuggled message. Because the smuggled message leaves through the originating service's own outbound servers, receiver-side checks tied to the sending host, such as SPF, still pass. A successful attack therefore enables the attacker to impersonate any sender in any domain that is hosted at the originating mail service.
Please ensure your email software is up to date and that you have applied the workarounds and/or patches provided by your software vendor. Check the Vendor Information section for instructions and links to the respective advisories. If you use email security appliances or managed email gateways, ensure their software is up to date and configured to mitigate these attacks and reduce the risk of improper message relay to other SMTP servers. Ensure that any backup MX records and services hosted by partners are also protected from misuse or abuse. Email service providers are also urged to perform sender verification and header verification on every submitted email, so that the identity of the authenticated sender is properly represented in the messages they relay.
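The end-of-data composition described in the Overview, and the receiver-side checks that the Solution asks vendors and operators for, as an added example that is not code from the CERT note, from SEC Consult or from any mail software vendor. It is a toy Python model of the MAIL/RCPT/DATA loop: the addresses, the hosted domain example.com, the reply texts and the two sample sessions are constructed for illustration, and the model parses one pre-filled buffer rather than reading a socket.

```python
"""Added example (not from the CERT note, SEC Consult or any MTA vendor): a toy
model of the SMTP MAIL/RCPT/DATA loop showing how one submitted message becomes
two at a lenient next hop, and the receiver-side checks that stop it.  Addresses,
domains, reply texts and the sample sessions are constructed for illustration."""
import re
from dataclasses import dataclass

STRICT_EOD = re.compile(rb"\r\n\.\r\n")                       # RFC 5321: <CRLF>.<CRLF> only
LENIENT_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")  # also bare <LF> / <CR> variants
BARE_NEWLINE = re.compile(rb"(?<!\r)\n|\r(?!\n)")             # <LF> without <CR>, or <CR> without <LF>


@dataclass
class Message:
    mail_from: str
    rcpt_to: list
    content: bytes


def receive_session(stream: bytes, eod: re.Pattern,
                    forbid_bare_newline: bool = False, forbid_unauth_pipelining: bool = False):
    """Server side: parse one client byte stream and return (accepted, rejected).
    `stream` stands for everything already in the receive buffer; a real server
    reads incrementally, but the decisions modelled here are the same."""
    accepted, rejected = [], []
    mail_from, rcpts, pos = None, [], 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break                                    # incomplete command: wait for more bytes
        line = stream[pos:nl].decode("latin-1")
        pos = nl + 2
        if line.upper().startswith("MAIL FROM:"):
            mail_from, rcpts = line[10:].strip(" <>"), []
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(line[8:].strip(" <>"))
        elif line.upper() == "DATA":
            # Search from the CRLF that ended "DATA" so an empty message is found too.
            m = eod.search(stream, pos - 2)
            if m is None:
                break                                # no terminator yet: wait for more bytes
            content = stream[pos:max(pos, m.start())]
            pos = m.end()
            # RFC 2920: after end-of-data the client must wait for the reply, so bytes
            # already buffered here were sent out of sync; a smuggled envelope lives there.
            if forbid_unauth_pipelining and pos < len(stream):
                rejected.append("554 protocol synchronization error after end-of-data")
                break
            if forbid_bare_newline and BARE_NEWLINE.search(content):
                rejected.append("554 bare <CR> or <LF> in message content")
            else:
                lines = content.split(b"\r\n")       # undo dot-stuffing, per CRLF line
                content = b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)
                accepted.append(Message(mail_from, rcpts, content))
            mail_from, rcpts = None, []
        else:
            rejected.append(f"500 unknown command {line!r}")
    return accepted, rejected


def relay_stream(msg: Message) -> bytes:
    """What a CRLF-oriented originating server sends the next hop for one accepted
    message.  Dot-stuffing is applied per CRLF line, so a bare <LF>.<LF> inside a
    line is not "a line starting with a dot" and passes through untouched."""
    lines = msg.content.split(b"\r\n")
    stuffed = b"\r\n".join(b"." + l if l.startswith(b".") else l for l in lines)
    envelope = f"MAIL FROM:<{msg.mail_from}>\r\n".encode()
    envelope += b"".join(f"RCPT TO:<{r}>\r\n".encode() for r in msg.rcpt_to)
    return envelope + b"DATA\r\n" + stuffed + b"\r\n.\r\n"


# Constructed: what an authenticated attacker@example.com submits to its own provider.
ATTACKER_SESSION = (
    b"MAIL FROM:<attacker@example.com>\r\nRCPT TO:<victim@target.example>\r\nDATA\r\n"
    b"From: attacker@example.com\r\nSubject: hello\r\n\r\nharmless text\r\n"
    b"\n.\n"                                   # bare-LF end-of-data hidden inside the content
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<victim@target.example>\r\nDATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent wire transfer\r\n\r\npay invoice 4711 today\r\n"
    b".\r\n"                                   # the only terminator the originating server honours
)
# Constructed: an ordinary pipelined session that the checks must not reject.
LEGIT_SESSION = (b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@target.example>\r\nDATA\r\n"
                 b"Subject: hi\r\n\r\n..a line that starts with a dot\r\nbye\r\n.\r\n")


def composition():
    """Originating server (strict EOD, no bare-newline check) -> next hop (lenient EOD)."""
    accepted, _ = receive_session(ATTACKER_SESSION, STRICT_EOD)   # one message, as submitted
    return receive_session(relay_stream(accepted[0]), LENIENT_EOD)


if __name__ == "__main__":
    accepted, rejected = composition()
    print([m.mail_from for m in accepted], rejected)   # two messages, the second "from" the CEO
```

Run stand-alone, composition() yields two accepted messages at the next hop, the second with MAIL FROM ceo@example.com although the attacker only authenticated as attacker@example.com; an SPF check there still passes because the connection came from example.com's own outbound server. The two flags model the fix strategies in the vendor statements: rejecting bare CR or LF in message content (the "Reject messages with bare CR or LF characters" option Cisco describes, Sendmail 8.18.1's stricter line-ending enforcement, Postfix's smtpd_forbid_bare_newline as documented on the page linked in its statement) and refusing commands that arrive before the end-of-data reply. The case worth noting is the middle one: a receiver that honours bare <LF>.<LF> as a terminator is not protected by a bare-newline check alone, because the terminator consumes the bare newline and the smuggled envelope is then parsed as ordinary commands; it needs the strict terminator or the pipelining check as well.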
As email sender verification continues to be a challenge on the Internet, email users are urged to remain cautious when replying to emails with sensitive information or when clicking on links that may download or install malicious software.
SEC Consult has provided both software and a website to help service providers and software vendors verify their software and services against these attacks.
Thanks to the reporter Timo Longin from SEC Consult. This document was written by Timur Snoke and Vijay Sarvepalli.
Notified: 2024-01-11 Updated: 2024-01-16
Statement Date: January 14, 2024
Status: Affected
SurgeMail is vulnerable to the SMTP Smuggling Injection issue as it is unduly ‘forgiving’ when it comes to line termination in line with other common mail servers. This flexibility was originally added to allow legacy or ‘bad’ email clients/scripts to work.
As a quick fix add the setting:
g_lf_fix_off "true"
Future releases will work correctly regardless of the above setting.
If your system needs this legacy behaviour for some reason please upgrade to SurgeMail 7.7l3 or later then set g_lf_fix_list "1.2.3.4" to the ip address of any legacy device.
See this page for updated information: https://surgemail.com/knowledge-base/smtp-smuggling/
Notified: 2023-12-21 Updated: 2024-01-17
Statement Date: January 17, 2024
Status: Affected
Vendor Statement:
Affected. When receiving email from an originating email service that passes on non-standard end-of-data forms in message content, Postfix as a destination SMTP server did not distinguish between a smuggled message and a non-smuggled message, and subjected each message to the exact same policies with respect to envelope, headers, and content, whereas the smuggled envelope and headers had not been subject to the originating email service policies. Opt-in fixes have been released for supported Postfix releases 3.5, 3.6, 3.7, 3.8. An opt-out fix is available for Postfix 3.9.
References:
Postfix versions prior to 3.8.4, 3.7.9, 3.6.13, and 3.5.23 accept non-standard End-of-DATA sequences, and are therefore affected by SMTP smuggling. For more information, see https://www.postfix.org/smtp-smuggling.html
Notified: 2023-09-14 Updated: 2024-01-31
Statement Date: January 31, 2024
Status: Affected
Open source sendmail is affected by this vulnerability. A fix is part of the sendmail 8.18.1 release. This version enforces stricter RFC compliance by default, especially with respect to line endings. This may cause issues with receiving messages from non-compliant MTAs; please see the release notes for mitigations.
Notified: 2023-09-14 Updated: 2024-01-18
Statement Date: January 18, 2024
Status: Not Affected
The behavior on Cisco Secure Mail is configurable.
Cisco recommends using the default "Clean messages of bare CR and LF characters" option because it provides the best compromise between security and interoperability. However, customers using this setting should be aware of the security implications with regard to smuggled content. Customers who want to enforce RFC compliance should choose "Reject messages with bare CR or LF characters," being aware of the potential interoperability issues.
In any case, Cisco strongly recommends configuring and using features such as SPF, DomainKeys Identified Mail (DKIM), or DMARC in order to validate the sender of an incoming message.
Notified: 2024-01-02 Updated: 2024-01-16
Statement Date: January 11, 2024
Status: Not Affected
We have not received a statement from the vendor.
Notified: 2023-09-14 Updated: 2024-01-16
Statement Date: January 12, 2024
Status: Not Affected
We have not received a statement from the vendor.
Notified: 2023-09-14 Updated: 2024-01-16
Statement Date: September 27, 2023
Status: Not Affected
We have not received a statement from the vendor.
Notified: 2023-09-14, 2023-12-22 or 2024-01-11 Updated: 2024-01-16
Status: Unknown
We have not received a statement from the vendor. (This entry applies to each of the remaining 38 vendors; their names are not carried in this listing.)
Vendors listed: 45
Date Public: 2024-01-16
Date First Published: 2024-01-16
Date Last Updated: 2024-01-31 18:07 UTC
Document Revision: 6