The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Hello “SMTP Smuggling” information released days before the Holiday season to open source SMTP server teams

Posted by jpluimers on 2023/12/24

Jan Wildeboer was mad for good reasons, though the open source projects did not yet seem to have shown their real anger publicly, just bits like [Wayback/Archive] oss-security – Re: Re: New SMTP smuggling attack:

I'm a little confused by sec-consult's process here. They identify a
problem affecting various pieces of software including some very widely
deployed open source software, go to the trouble of doing a coordinated
disclosure, but only do that with...looking at their timeline... gmx,
microsoft and cisco?

“SMTP Smuggling” is bad, and the big open source SMTP server projects like exim, postfix and sendmail needed to assess and fix/prevent the issue on very short notice: effectively they were confronted with a zero-day, with less than a week between the release of the information and the Holiday season.

That gives “deploy on Fridays” a totally different dimension.

How bad? Well, it already managed to reach this Newline – Wikipedia entry:

The standard Internet Message Format[26] for email states: “CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body”. Differences between SMTP implementations in how they treat bare LF and/or bare CR characters have led to so-called SMTP smuggling attacks[27].

The crux of the problem is very well described by the “Postfix: SMTP Smuggling” link below (recommended reading), and by this comment from the middle of [Wayback/Archive] SMTP Smuggling – Spoofing Emails Worldwide | Hacker News:

TLDR: In the SMTP protocol, the end of the payload (email message) is indicated by a line consisting of a single dot. The line endings normally have to be CRLF, but some MTAs also accept just LF before and/or after the dot. This allows SMTP commands that follow an LF-delimited dot line to be “tunneled” through a first MTA (which requires CRLF and thus considers the commands to be part of the email message) to a second MTA (which accepts LF and thus processes the commands as real commands). For the second MTA, the commands appear to come from the first MTA, hence this allows sending any email that the first MTA is authorized to send. That is, emails from arbitrary senders under the domains associated with the first MTA can be spoofed.
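As an added illustration of the CRLF versus bare-LF discrepancy described above (example code written for this post, not taken from the Hacker News thread or from any MTA project; the sample DATA payloads are constructed), a small Python checker that flags bare CR/LF in a DATA payload the way a strict receiver would, and reports which bytes a lenient receiver would instead have parsed as commands:

```python
import re

# Strict RFC 5321 end-of-DATA terminator: CRLF "." CRLF.
STRICT_EOD = b"\r\n.\r\n"
# Dot lines a lenient MTA may also accept as end-of-DATA: bare LF or bare CR
# before and/or after the dot. This is the gap SMTP smuggling abuses.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")
# Any CR or LF that is not part of a CRLF pair (forbidden by RFC 5322).
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def has_bare_newline(data: bytes) -> bool:
    """True if the DATA payload contains a bare CR or a bare LF."""
    return BARE_NEWLINE.search(data) is not None


def smuggled_region(data: bytes) -> bytes:
    """Bytes between the first non-strict dot line and the strict terminator.

    A strict (CRLF-only) MTA treats these bytes as message body; a lenient
    MTA that already stopped at the earlier dot line would parse them as
    SMTP commands. Returns b"" when both kinds of MTA agree on the end.
    """
    strict = data.find(STRICT_EOD)
    for m in LENIENT_EOD.finditer(data):
        if m.group(0) == STRICT_EOD:
            break  # the first dot line is already strict: no discrepancy
        end = strict if strict != -1 else len(data)
        return data[m.end():end]
    return b""


def check_data(data: bytes) -> str:
    """Verdict a strict receiving MTA gives: reject any bare newline."""
    if has_bare_newline(data):
        return "reject: bare CR/LF in DATA"
    return "accept"


# Constructed samples (not from the page). SMUGGLED has a dot line delimited
# by bare LF, followed by text that a lenient MTA would read as commands,
# and then the real CRLF.CRLF terminator. CLEAN is a well-formed payload.
SMUGGLED = (b"Subject: hi\r\n\r\nreal body"
            b"\n.\n"
            b"MAIL FROM:<spoofed@example.org>\r\nRCPT TO:<x@example.net>"
            b"\r\n.\r\n")
CLEAN = b"Subject: hi\r\n\r\nreal body\r\n.\r\n"

if __name__ == "__main__":
    for name, payload in (("CLEAN", CLEAN), ("SMUGGLED", SMUGGLED)):
        print(name, check_data(payload), smuggled_region(payload))
```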

Here are some links to keep you busy for the next hours/days/weeks:

And the toots linking to background information:

  1. [Wayback/Archive] Jan Wildeboer 😷:krulorange:: “The #SMTPSmuggling attack is b…” – social.wildeboer.net

    The attack is being mitigated and tracked in the following CVEs:

    – CVE-2023-51764 postfix
    – CVE-2023-51765 sendmail
    – CVE-2023-51766 exim

    All three CVEs have been filed *today* by the respective projects and NOT by SEC consult, who discovered the flaw in June 2023 but decided to not share their findings with postfix, sendmail or exim. Only after they published their post on 2023-12-18 did the communities become aware, and they are now working hard to fix what is now more of a 0day :(

  2. [Wayback/Archive] Jan Wildeboer 😷:krulorange:: “What a wonderful way for open …” – social.wildeboer.net

    What a wonderful way for open source developers to go into the holiday season. This gives the “push to prod on Friday” joke a whole new meaning. SEC consult made some sort of excuse for their behaviour of not sharing this earlier but will give a talk on the topic at 37C3 on day one nevertheless.

  3. [Wayback/Archive] Jan Wildeboer 😷:krulorange:: “The current workaround for #postfix…” – social.wildeboer.net

    The current workaround for #postfix is to add

    smtpd_data_restrictions = reject_unauth_pipelining

    smtpd_discard_ehlo_keywords = chunking

    to main.cf. See postfix.org/smtp-smuggling.htm for more details.

    [Wayback/Archive] Postfix: SMTP Smuggling (updated frequently)

  4. [Wayback/Archive] Jan Wildeboer 😷:krulorange:: “#exim is tracking this in thei…” – social.wildeboer.net

    #exim is tracking this in their bug report at bugs.exim.org/show_bug.cgi?id=

    [Wayback/Archive] Exim: Bug 3063 – Partially vulnerable to “SMTP Smuggling” if pipelining is enabled and chunking is disabled/unused

  5. [Wayback/Archive] Jan Wildeboer 😷:krulorange:: “For #sendmail some mitigation…” – social.wildeboer.net

    For #sendmail, some mitigation details are at openwall.com/lists/oss-securit

    [Wayback/Archive] oss-security – Re: New SMTP smuggling attack

And these:

  1. [Wayback/Archive] Rob: “@jwildeboer where can I read m…” – Fosstodon

    @jwildeboer where can I read more about their excuse? On the surface this sounds like pretty shocking behaviour.

  2. [Wayback/Archive] Rob: “@jwildeboer for anyone else ge…” – Fosstodon

    @jwildeboer for anyone else getting here an embarrassingly quick search found me the answer sec-consult.com/blog/detail/sm


    [Wayback/Archive] SMTP Smuggling – Spoofing E-Mails Worldwide – SEC Consult

And yes, I am in favour of deploying on Fridays, but not under big stress when the work to be done has not been assessed yet.

Reddit [Wayback/Archive] You should deploy on Fridays : devops

[Wayback/Archive] You should deploy on Fridays | Baselime Blog

Query: [Wayback/Archive] “SMTP Smuggling” – Google Search.

–jeroen
