3rd January 2024
Happy New Year from the spotit SOC team!
Introduction
On 18th December, security researchers at SEC Consult published their research into an SMTP Smuggling vulnerability affecting many e-mail delivery solutions.
SMTP Smuggling exploits a backwards-compatibility feature of e-mail delivery solutions (lenient handling of non-standard line endings) to send spoofed e-mails. Vendors of affected solutions include Microsoft, Cisco, GMX/Ionos, Postfix, Sendmail, and others.
Postfix has since fixed the issue and provided some clarity on how the vulnerability works:
The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than <CR><LF>:
- One email service A that does not recognize malformed line endings in SMTP such as in <LF>.<CR><LF> in an email message from an authenticated attacker to a recipient at email service B, and that propagates those malformed line endings verbatim when it forwards that message to:
- One different email service B that does support malformed line endings in SMTP such as in <LF>.<CR><LF>. When this is followed by “smuggled” SMTP MAIL/RCPT/DATA commands and message header plus body text, email service B is tricked into receiving two email messages: one message with the content before the <LF>.<CR><LF>, and one message with the “smuggled” header plus body text after the “smuggled” SMTP commands. All this when email service A sends only one message.
Postfix is an example of email service B. Microsoft’s outlook.com was an example of email service A.
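The following is an added example (not code from Postfix, SEC Consult or the spotit team) that models the two receivers in the Postfix description above: a strict receiver that only ends a message at <CR><LF>.<CR><LF>, and a lenient "service B" receiver that also ends it at malformed variants such as <LF>.<CR><LF>. It also includes a defender's check that flags such look-alike terminators in a DATA payload; the sample payload is constructed for the example.

```python
import re

# RFC 5321 end-of-data is exactly <CR><LF>.<CR><LF>. The lenient pattern also
# matches the bare-<LF>/<CR> variants that a "service B" style receiver treats
# as end-of-data, which is what lets one DATA payload become two messages.
STRICT_EOD = b"\r\n.\r\n"
ANY_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def split_messages(data: bytes, lenient: bool) -> list[bytes]:
    """Return the message bodies a receiver would extract from one DATA payload.

    `data` is everything sent after the DATA command, including the terminator.
    A strict receiver splits only on the RFC terminator; a lenient receiver
    (email service B above) also splits on the malformed variants.
    """
    parts = ANY_EOD.split(data) if lenient else data.split(STRICT_EOD)
    return parts[:-1]  # whatever follows the final terminator is not a message


def malformed_terminators(data: bytes) -> list[tuple[int, bytes]]:
    """Defender check: offsets of end-of-data look-alikes that are not the
    RFC 5321 sequence. A relay forwarding these verbatim is acting as email
    service A; a receiver should reject or normalise them rather than honour them."""
    return [(m.start(), m.group(0)) for m in ANY_EOD.finditer(data)
            if m.group(0) != STRICT_EOD]


# Constructed sample payload (hypothetical addresses): one legitimate message,
# then <LF>.<CR><LF>, then smuggled commands and a second message, all closed
# by the only genuine <CR><LF>.<CR><LF>.
SAMPLE = (
    b"From: real-sender@example.com\r\nSubject: legitimate\r\n\r\nHello\n"
    b".\r\n"
    b"MAIL FROM:<spoofed@example.com>\r\nRCPT TO:<victim@example.com>\r\nDATA\r\n"
    b"From: spoofed@example.com\r\nSubject: smuggled\r\n\r\nSmuggled body\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    print("strict receiver sees", len(split_messages(SAMPLE, lenient=False)), "message(s)")
    print("lenient receiver sees", len(split_messages(SAMPLE, lenient=True)), "message(s)")
    for offset, seq in malformed_terminators(SAMPLE):
        print(f"malformed terminator {seq!r} at byte offset {offset}")
```

Running it shows the strict receiver extracting one message and the lenient receiver extracting two, with the <LF>.<CR><LF> sequence flagged by the check.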
Affected Solutions
- Cisco Secure E-mail Cloud Gateway, formerly “Cisco Cloud E-mail Security” or “CES”
- Microsoft Outlook/Exchange Online
- iCloud
- On-premises Microsoft Exchange Server
- Postfix
- Sendmail
- Startmail
- Fastmail
- Zohomail
Mitigations
Cisco Secure E-mail Cloud Gateway should be configured as follows:
- Change the setting for ‘CR and LF Handling’ to ‘Allow’.
The default ‘Clean’ setting enables inbound SMTP Smuggling because it processes <CR>.<CR> as an end-of-data sequence.