Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.
Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!
For those that have been sleeping on #SMTPsmuggling, there have been some interesting things going on ITW, especially against orgs using certain email protection services that claim to not be vulnerable to it.
"Here's the problem."
"Here's why it's a problem."
"Here's how we inadvertently exacerbated one part of the problem."
"That bit admittedly sucked, and we're sorry for the trouble we caused."
In 24h + 40 minutes, the #SMTPSmuggling presentation by Timo Longin from SEC consult will start at #37C3. Maybe someone in the audience can ask about the weird shenanigans of not informing open source projects like postfix, exim, sendmail directly back in June and instead causing frantic hard work for them during Christmas. https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html
The #SMTPSmuggling attack is being mitigated and tracked in the following CVEs:
CVE-2023-51764 postfix
CVE-2023-51765 sendmail
CVE-2023-51766 exim
All three CVEs have been filed today by the community and NOT by SEC consult, who discovered the flaw in June 2023 but decided not to share their findings with postfix, sendmail or exim. Only after they published their post on 2023-12-18 did the communities become aware, and they are now working hard to fix what is now more of a 0day :(
Reading about the recent SMTP and SSH vulnerabilities, I get the impression that open source projects, proprietary vendors and government agencies such as @certbund don't know how to talk to each other. They should at least have something like a red phone.
Please comment here if you have a constructive idea on how to improve the situation! #SECconsulting seems to assume that everyone uses #VINCE, a CMU service I had never heard of.
I don't know who needs to read this, since there are probably 12 #Slackware users out there, but a new version of postfix is out for Slackware 15, with a patch for "smtp-smuggling":
@ParadeGrotesque
I haven't seen any sign that #Debian has issued patches to address #SMTPsmuggling yet either.
For the benefit of others the #postfix link you cite above includes configuration workarounds which wisdom would see admins apply to postfix instances on whatever platform.
Admins of other MTAs should check their susceptibility too.
Security: with "smtpd_forbid_bare_newline = yes" (default "no" for Postfix < 3.9), reply with "Error: bare <LF> received" and disconnect when an SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. This prevents SMTP smuggling attacks that target ... https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059230
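To make the quoted Postfix note concrete, here is an added example (not Postfix's code, and not from any of the posts above) of what a strict line reader for the DATA phase looks like. It mirrors the described behaviour: a line ending in a bare <LF> violates RFC 5321, gets an error reply, and the session ends; with the lenient setting the bare <LF> is accepted as a line ending instead. The reply code and wording, the function name `read_data_phase`, and the sample messages are all assumptions constructed for this example.

```python
"""Strict CRLF enforcement for the SMTP DATA phase (illustrative, not Postfix's
implementation).  The reply text is modelled on the note above; the exact code
and phrase are an assumption."""

from typing import List, Tuple

BARE_LF_REPLY = b"500 5.5.2 Error: bare <LF> received\r\n"   # assumed wording
QUEUED_REPLY = b"250 2.0.0 Ok: queued\r\n"
INCOMPLETE_REPLY = b"451 4.4.1 Error: no end-of-data marker\r\n"


def read_data_phase(buf: bytes, forbid_bare_newline: bool = True) -> Tuple[List[bytes], bytes]:
    """Parse the message text that follows a DATA command.

    Returns (message_lines, reply).  message_lines holds the body lines
    (dot-unstuffed) up to the end-of-data marker; reply is what the server
    would send back.  With forbid_bare_newline=True (the hardened setting),
    the first bare <LF> aborts parsing and the server would disconnect.
    With False (the pre-3.9 default the note mentions) a bare <LF> is
    tolerated as a line ending, which is the leniency the attack relies on.
    """
    lines: List[bytes] = []
    start = 0
    while True:
        nl = buf.find(b"\n", start)
        if nl == -1:
            # Client stopped sending before a terminator; nothing to queue.
            return lines, INCOMPLETE_REPLY
        # A well-formed line has <CR> immediately before this <LF>, and that
        # <CR> must belong to the current line (nl > start).
        has_cr = nl > start and buf[nl - 1] == 0x0D
        if not has_cr and forbid_bare_newline:
            return lines, BARE_LF_REPLY
        line = buf[start:nl - 1] if has_cr else buf[start:nl]
        start = nl + 1
        if line == b".":
            return lines, QUEUED_REPLY          # end-of-data marker
        if line.startswith(b"."):
            line = line[1:]                     # RFC 5321 dot-unstuffing
        lines.append(line)


if __name__ == "__main__":
    # Constructed sample: one line ends in a bare <LF>, the rest are CRLF.
    sample = b"Subject: hi\r\nHello\nWorld\r\n.\r\n"
    print(read_data_phase(sample, forbid_bare_newline=True))
    print(read_data_phase(sample, forbid_bare_newline=False))
```

Run it as-is to compare the two modes on the same input: the hardened reader stops at the bare-<LF> line and answers with the error, while the lenient reader silently accepts it. The strict mode is the one an admin gets from `smtpd_forbid_bare_newline = yes`; the lenient mode is the pre-3.9 default the note warns about.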
Presenter #TimoLongin found an exploit in SMTP, notified commercial vendors GMX, Microsoft & Cisco in July, then published a blog post in the week before Christmas that describes how the attack works. Free software maintainers and admins were not warned in advance and had to rush to build workarounds.
Would've loved to talk to him about his idea of "responsible disclosure".
So, apparently, SEC did, via CERT/CC, contact Postfix months ago, but not with enough details about the attack to make Wietse or CERT think that Postfix was vulnerable. Then they fleshed out their blog post (that clearly mentions Postfix being vulnerable), but did not talk to Postfix again before releasing the article.
Ok, even Wietse thinks that Timo should hold his talk. I'm not sure the admins who had to fix their servers the week before Christmas all agree, and it feels wrong to give someone who clearly mainly thinks about corporations a stage at a community event, but well, I rest my case.
I understand SEC's perspective. "We've told that central global organization that is super experienced in managing large scale security issues, they've told the vendors, but apparently nobody thinks this is a big deal, so yeah, let's publish the blog post then."
So, if what SEC says is true, then CERT/CC has fucked up. But of course SEC could've also talked to Postfix on their own. But why would they, CERT/CC already did.
This was all a big dumb game of telephone, it seems.
After having been informed by @mathieui that #Exim is also affected, I compiled a list of what #SECConsult documented and what has been found out in the meantime. SEC Consult documented 11 mail systems (software and/or providers; many with millions of accounts) vulnerable to some form of #SMTPSmuggling. But they only informed 3. With #Exim also vulnerable (apparently presumed "clean" by SEC Consult), the list is now 12. https://netfuture.ch/2023/12/smtp-smuggling-status/