Software Engineering Institute

Overview

A vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequences (essentially the end of a single email message) in mail messages. An attacker can use this inconsistency to craft an email message that can bypass SMTP security policies.

Description

SMTP protocol (refer RFC 5321 and 5322), is an Internet based protocol for e-mail transmission and exchange. The SMTP protocol is used by multiple servers to relay emails as the email is exchanged between a sender and a recipient. This handover of emails allows for a complex number of next-hop servers to interact and exchange emails before its delivery to the intended recipient. A priority based Mail eXchange (MX) record also allows for emails to delivered to alternate servers or partner gateways to spool and deliver in cases of outages. In order prevent fraudulent emails, email software and services authenticate a user and employ security policies such DMARC, essentially a combination of SPF and DKIM, to certify an email's origination as it traverse these various services.

Security researcher Timo Longin at SEC Consult discovered that the email software deployed across numerous SMTP servers treats the end-of-data sequence inconsistently. An attacker can exploit this inconsistency by crafting an email message that deviates from the standard end-of-data sequence, causing confusion as the message is transferred to its next hop. Any email server within the route of SMTP Gateways processing this manipulated message may interpret the submitted data as multiple messages, then process and relay them forward. Postfix software developer Wietse Venema explained:

The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than CR LF

SEC-Consult researchers have labeled this vulnerability as "SMTP Smuggling" to discuss this problem that involves multiple stakeholders such as email service providers, email software vendors, email security product vendors and others that process and handle emails.

VU#302671 An improper end-of-data sequence handling vulnerability in email software or services or appliances allow attackers to inject arbitrary email message that can bypass security policies.

An Openwall community discussion also lead to the reservation of the following CVE numbers

Impact

An attacker with access to an SMTP service can craft an email with improper end-of-data sequencing to submit two or more email messages that can be used to bypass security policy. When the attack is successful, the attacker can impersonate any sender in any domain that is hosted at the originating mail service. The attacker is then capable of avoiding In-place email handling policies, since email security scanners and gateways that analyze the message will fall prey to the improper sequencing of the message. A successful attack enables the attacker to impersonate any sender in any domain that is hosted at the originating mail service.

Solution

Email Service Providers and Administrators

Please ensure your email software is up to date and you have applied the right workaround and/or patches provided by your software vendor. Check the Vendor Information section for instructions and links to the either respective advisories. If you use Email Security Appliances or managed Email Gateways ensure their software is both up to date and is configured best to mitigate these attacks and reduce the risk of improper message relay to other SMTP servers. Ensure any email backup MX records and services that may be hosted by partners are also protected from misuse or abuse. Email service providers are also urged to ensure that the email sender verification and header verifications are performed on every email to ensure identity of the authenticated sender is properly represented in the submitted emails.

Email end users

As email sender verification continues to be a challenge in the Internet, email users are urged to continue their precaution when replying to emails to provide sensitive information or when clicking on links that can download or install malicious software.

Additionational Resources

SEC-Consult have provided both software and a website to support analysis of the various service providers and software vendors to ensure their software and services can be verified against these attacks.

Acknowledgements

Thanks to the reporter Timo Longin from SEC Consult. This document was written by Timur Snoke and Vijay Sarvepalli

Vendor Information

References

• https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
• https://www.postfix.org/smtp-smuggling.html
• https://github.com/The-Login/SMTP-Smuggling-Tools
• https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email
• https://www.smtpsmuggling.com