Jan Wildeboer 😷:krulorange:

The #SMTPSmuggling attack is being mitigated and tracked in the following CVEs:

- CVE-2023-51764 postfix
- CVE-2023-51765 sendmail
- CVE-2023-51766 exim

All three CVEs have been filed *today* by the community and NOT by SEC Consult, who discovered the flaw in June 2023 but decided not to share their findings with postfix, sendmail or exim. Only after they published their post on 2023-12-18 did the communities become aware, and they are now working hard to fix what is now more of a 0day :(

35 comments
Jan Wildeboer 😷:krulorange:

What a wonderful way for open source developers to go into the holiday season. This gives the "push to prod on Friday" joke a whole new meaning. SEC consult made some sort of excuse for their behaviour of not sharing this earlier but will give a talk on the topic at 37C3 on day one nevertheless.

Jan Wildeboer 😷:krulorange:

The current workaround for #postfix is to add

#SMTP smuggling mitigation
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking

to main.cf. See postfix.org/smtp-smuggling.htm for more details.
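As an added example (not part of the post above or of the Postfix project's own tooling), here is a small Python check that parses a main.cf and reports whether both workaround settings are present. The sample config it reads is constructed for the example, and the parser is a simplification of Postfix's rules (no `$variable` expansion, no `postconf -n` override handling).

```python
"""Check a Postfix main.cf for the SMTP smuggling workaround settings."""
import re
from pathlib import Path

# Constructed sample main.cf for this example, not a real server's config.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample)
myhostname = mail.example.invalid
#SMTP smuggling mitigation
smtpd_data_restrictions =
    reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
"""

# Parameter -> token that must appear in its value (from the workaround above).
REQUIRED = {
    "smtpd_data_restrictions": "reject_unauth_pipelining",
    "smtpd_discard_ehlo_keywords": "chunking",
}

def parse_main_cf(text):
    """Parse 'key = value' lines. A line starting with whitespace continues
    the previous value; a line whose first non-blank char is '#' is a comment.
    A later assignment of the same key overrides an earlier one (as postconf does)."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            params[last_key] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last_key = m.group(1)
            params[last_key] = m.group(2).strip()
    return params

def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [v for v in re.split(r"[\s,]+", value) if v]

def check_smuggling_mitigation(text):
    """Return {parameter: True/False} for each required mitigation token."""
    params = parse_main_cf(text)
    return {k: tok in split_list(params.get(k, "")) for k, tok in REQUIRED.items()}

def check_file(path="/etc/postfix/main.cf"):
    return check_smuggling_mitigation(Path(path).read_text())

if __name__ == "__main__":
    for param, ok in check_smuggling_mitigation(SAMPLE_MAIN_CF).items():
        print(f"{param}: {'OK' if ok else 'MISSING'}")
```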

Erik Ellestad

@jwildeboer I thought it said "snuggling attack" and was pretty psyched.

Jan Wildeboer 😷:krulorange:

If you get Wietse Venema to say "The net result is that an unintended zero-day attack was published, before people had an opportunity to update their affected email systems." you know you have messed up ...

Lauren Weinstein

@jwildeboer I got an email a few minutes ago from a reader of my mailing lists who noted that he was one of the designers of the SPF/DMARC/DKIM ecosystem, pretty much agreeing with my assertion that this isn't really as big a deal as being made out, because so much spam comes now from completely legit (but "fake") domains that pass all these checks.

Jan Wildeboer 😷:krulorange:

@lauren Sure. I'd agree to that too. The bigger problem is that this flaw can severely damage the reputation of small(er) servers, getting them added to blacklists of the Big Mail oligopoly. That's why we mail admins of small servers are always (forced to be) working hard to mitigate any possibility of that happening. But mitigations have been published by postfix, exim, sendmail. What bothers me is that this could have all been solved months ago, if done in a different way :(

Jan Wildeboer 😷:krulorange:

@lauren And (at least according to some early checks) this flaw isn't limited to DMARC spoofing. It could potentially be used for phishing and other abusive attacks too. This is why sendmail, exim and postfix (and more, I guess) have decided to treat this with high priority.

Lauren Weinstein

@jwildeboer I don't see how it will make the blacklists any larger. Big Mail (to the extent they are affected) will fix it on their inbound, and the blacklists aren't likely to add servers to the lists that still can be verified via IP-based means like SPF. It's not like this can't be figured out. I haven't seen any sendmail mitigation, by the way, except something that might apply to the very latest version that doesn't even run widely.

Lauren Weinstein

@jwildeboer Anyway, anything smaller servers can do is negligible. They can't do anything outbound to fix this. And at a small scale inbound won't matter much either in the scheme of things compared with "Big Mail".

Jan Wildeboer 😷:krulorange:

@lauren Better safe than sorry, IMHO. I have hardened my mail server against this and I see many other admins do the same. I also see the developers working hard to get fixes done and out. On the day before Christmas. Because SEC consult decided to only share their findings with "Big Mail" and then hoped for 6 months that others (CERT/CC) would inform other affected projects so they could focus on their presentation for 37C3. :(

Rich Felker

@lauren @jwildeboer I think the supposed issue is phishing not spam. But it's still email trying to solve an out-of-scope problem. If your employees can get tricked to disclose credentials by an email, the problem is not that you didn't write a sufficiently draconian filter to block the email. It's that you gave them phishable credentials.

Leah Neukirchen

@jwildeboer @QuatermassTools That's not a fix in exim but just papering over the decade-old violation of enforcing proper SMTP.

Jan Wildeboer 😷:krulorange:

@leah @QuatermassTools Well, that's kinda how we have been doing e-mail for many years. In many parts it is a fragile pile of workarounds and compromises ...

Anton

@jwildeboer @leah @QuatermassTools let's add SMTP to the pile - alongside BGP and DNS.
FTP shouldn't be a topic any more...

Howard Chu @ Symas

@jwildeboer reject_unauth_pipelining was already set in my config, must've been shipped that way in debian. Didn't see the other setting anywhere yet.

ikt 🇺🇦

@jwildeboer I don't get it, for Postfix:

Long-term fix

A long-term fix is now available for Postfix 3.8.4, 3.7.9, 3.6.13 and 3.5.23. This stops all forms of the smuggling attacks on recipients at a Postfix server. It introduces a new optional feature that is disabled by default.

--- why is this new security fix disabled by default?

Rob

@jwildeboer where can I read more about their excuse? On the surface this sounds like pretty shocking behaviour.

The Doctor

@jwildeboer I'm telling you - this deserves a pineapple cream pie to the face.

Jørn

@jwildeboer The postfix CVE is NOT filed by the postfix project. The project writes on their page about SMTP smuggling that the CVE is incorrect.

It is indeed incorrect; the CVE states that it’s possible to send mails that appear to originate from a postfix system. This is not the case.

Jan Wildeboer 😷:krulorange:

@jornane Wietse also says on that page that he has sent corrections to the person that filed the CVE, so I guess/hope that will be fixed soon. UPDATE: the CVE has been fixed and now describes the problem in better ways.

🌱 Ligniform :donor:

@jwildeboer never been happier to have just finished my on-call shift. Good luck everyone in the trenches

Tony Hoyle

@jwildeboer That's awful. What possessed them to hold onto it for that long.. then release at Christmas?

Marvin W

@tony @jwildeboer
To quote from their website:
> "As our research was accepted at this year's 37C3 conference (info received on 3rd December) and we still thought that Cisco users should be warned about the vulnerable default configuration, we decided to publish our research before the conference and holidays in order to provide administrators time to re-configure their Cisco configuration."

sec-consult.com/blog/detail/sm

Tony Hoyle

@larma
That's not even an excuse. So you chose to favour one vendor, and left the rest of the world in the shit.. for internet points?

Enjoy your 30 seconds of fame.
@jwildeboer

Jan Wildeboer 😷:krulorange:

@larma @tony Only mentions Cisco, so shows me they weren’t aware of the wider impact and the coding needed for at least 3 widely used MTAs.

Marvin W

@jwildeboer @tony well, another quote from their website is:
> "After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to. Speaking globally, this is a lot"
So yes, they were aware of the impact.

Momo

@jwildeboer
My mail log is already full of scans and spammers trying to push mails. I intend to watch the stream just to see those people get roasted by the community. I have stronger words for them and won't use them here because they will get me in legal trouble. But boy, am I angry.
@selea