
Knowledge Document: Is Secure Messaging Gateway vulnerable to SMTP Smuggling?


Environment

Secure Messaging Gateway 23.3.4

Situation

Some mail systems allow SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.

Cause

The essence of the vulnerability is that some software handled line endings inconsistently. When receiving a chunked conversation with the DATA section terminated by LF.CRLF or LF.LF, it would not recognize the line ending, would not chunk the message, and would not continue to scan and apply any spam or other filters. An attacker could then "smuggle" a second email through the software, bypassing security and spam prevention. Some of those cited are:

Postfix through 3.8.4
Sendmail through 8.14.7
Exim before 4.97.1
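
The two sequences named above can be checked for directly in the raw bytes received after DATA. The following is an added example, not OpenText code and not a description of how SMG's 'anti-smuggling' option works; the function name and the sample messages are constructed for illustration.

```python
import re

# A bare LF (one not preceded by CR) followed by a lone dot and then CRLF or LF.
# These are the LF.CRLF and LF.LF sequences described above; the terminator
# SMTP defines is CRLF.CRLF. The lookahead lets overlapping hits be reported.
_BARE_LF_DOT = re.compile(rb"(?<!\r)\n(?=\.(\r\n|\n))")


def find_ambiguous_eod(data: bytes):
    """Return [(offset, label)] for each non-standard end-of-data sequence.

    `data` is the raw byte stream received after DATA, before any line-ending
    normalisation (normalising first would hide the evidence).
    """
    hits = []
    for m in _BARE_LF_DOT.finditer(data):
        label = "LF.CRLF" if m.group(1) == b"\r\n" else "LF.LF"
        hits.append((m.start(), label))
    return hits


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "clean": b"Subject: hi\r\n\r\nbody\r\n.\r\n",
    "lf_dot_crlf": b"Subject: hi\r\n\r\nline one\n.\r\ntrailing\r\n.\r\n",
    "lf_dot_lf": b"a\n.\nb\r\n.\r\n",
    "bare_lf_only": b"a\nb\r\n.\r\n",  # bare LF but no lone dot: not flagged
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hits = find_ambiguous_eod(raw)
        verdict = "flag for review" if hits else "ok"
        print(f"{name:13} {verdict:16} {hits}")
```

A message that produces any hit contains a line ending that different servers may interpret differently, so it is a candidate for rejection or quarantine before it is relayed.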

Resolution

The February update for SMG 23.3.4 will allow customers to enable 'anti-smuggling'. It is off by default because we are not vulnerable; it is not the fault of SMG that sendmail/postfix/etc. is vulnerable. However, if a customer would like to make sure that all mail gets delivered, they will be able to enable this option.

This is in reference to CVE-2023-51765 
