
CERT Coordination Center

Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement

Vulnerability Note VU#244112

Original Release Date: 2024-07-30 | Last Revised: 2024-08-06

Overview

Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information. Two vulnerabilities were identified that weaken the sender authentication and verification provided by the combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM, adding linkage to the author (FROM:) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders to improve and monitor protection of the domain from fraudulent email (DMARC.org). An authenticated remote attacker can spoof the identity of a sender when sending emails through a hosted service provider.

Description

As identified in RFC 5321 #7.1, the SMTP protocol is inherently insecure and susceptible to spoofing of the sender identity that appears in the various parts of the SMTP transaction. Various facilities, such as SPF and DKIM, have evolved to address these issues. SPF records identify the IP networks that are allowed to send email on behalf of a domain. Receiving servers can check SPF records to verify that incoming messages that appear to be from an organization were sent by permitted (allowed) networks. DKIM goes further by providing a digital signature over specific portions of the SMTP-relayed message, allowing the signer to digitally assert specific information that is part of a message, such as the FROM: address, subject, and date fields. While SPF verifies the network source of an email transaction, DKIM looks into the email message itself to detect message tampering. DMARC is an email authentication, policy, and reporting protocol that builds on the widely deployed SPF and DKIM protocols. By combining these two capabilities, DMARC helps email senders and receivers work together to better secure email, protecting users and brands from costly abuse.

Researchers discovered a set of vulnerabilities in the practical use of these capabilities that expose the potential abuse of sender trust in email communications. Many hosted email services provide hosting for multiple domains and use a wide range of network resources to deliver email from their domain addresses. Hosting service providers typically require authentication before allowing emails to be sent on behalf of a sender. However, due to the nature of their shared hosting, many of them do not verify the authenticated sender against the domain identities that sender is allowed to use. Hosting providers that have published SPF records, and in some cases also add DKIM signatures, do not sufficiently verify the trust relationship between an authenticated user and the allowed domains. This allows an authenticated attacker to spoof an identity in the email Message Header and send email as anyone in the hosting provider's hosted domains, while authenticated as a user of a different domain name.

Any remote email receiving service may incorrectly accept the sender's identity, because the message passes the cursory check of DMARC policy adherence. The DMARC policy is thus circumvented, allowing spoofed messages to be seen as attested and valid.

CVE-2024-7208: A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypassing security measures provided by DMARC (or SPF or DKIM) policies.

CVE-2024-7209: A vulnerability exists in the use of shared SPF records at multi-tenant hosting providers, allowing attackers to abuse the provider's network authorization to spoof the email identity of the sender.

Impact

An authenticated attacker using network or SMTP authentication can spoof the identity of a shared hosting facility, circumventing any DMARC policy and sender verification provided by a domain name owner.

Solution

Hosting providers

Domain hosting providers that provide email relay should verify the identity of an authenticated sender against the domain identities that sender is authorized to use. Email service providers should use reliable means to verify that the network sender identity (MAIL FROM) and the Message Header (FROM:) are the same or related. Since SMTP software generally does not verify the Message Header against the network sender identity, mail filter software, such as the Milterfrom milter, may provide a way to enforce such requirements.
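The following is an added example, not code from the CERT note or any of the listed vendors. It models the two checks the Description and this Solution section contrast: the receiver-side DMARC alignment test, which only relates the header From: domain to an SPF- or DKIM-authenticated domain and therefore passes a message sent through a shared relay, and the relay-side policy that ties MAIL FROM and From: back to the domains the authenticated account may use. The tenant accounts, domains and addresses are constructed sample data, and the alignment test is a simplified relaxed-mode check.

```python
from email.utils import parseaddr

# Constructed tenant directory (assumption): the sender domains each
# authenticated account is allowed to use. A real relay would read this
# from its hosting database.
TENANT_DOMAINS = {
    "alice@tenant-a.example": {"tenant-a.example", "mail.tenant-a.example"},
    "bob@tenant-b.example": {"tenant-b.example"},
}


def sender_domain(addr):
    """Return the lower-cased domain of an RFC 5322 address such as
    'Alice <alice@tenant-a.example>'."""
    _, spec = parseaddr(addr)
    return spec.rpartition("@")[2].lower()


def dmarc_aligned(header_from, mail_from, dkim_d=None):
    """Simplified relaxed DMARC alignment as a receiver applies it: the
    From: domain must equal, or share a parent/child relationship with,
    the SPF-authenticated MAIL FROM domain or the DKIM d= domain.
    The receiver has no knowledge of who authenticated to the relay."""
    hd = sender_domain(header_from)
    candidates = [sender_domain(mail_from)]
    if dkim_d:
        candidates.append(dkim_d.lower())
    return any(hd == c or hd.endswith("." + c) or c.endswith("." + hd)
               for c in candidates)


def relay_policy(auth_user, mail_from, header_from):
    """Provider-side check the Solution section asks for: both the
    envelope sender (MAIL FROM) and the header From: must belong to a
    domain the authenticated account owns. Returns (accepted, reason)."""
    allowed = TENANT_DOMAINS.get(auth_user.lower())
    if not allowed:
        return False, "unknown authenticated user"
    for label, addr in (("MAIL FROM", mail_from), ("From:", header_from)):
        dom = sender_domain(addr)
        if dom not in allowed:
            return False, f"{label} domain {dom!r} not authorized for {auth_user}"
    return True, "sender identity matches authenticated account"


if __name__ == "__main__":
    # Cross-tenant case: account bob relays mail claiming tenant-a identity.
    spoofed_from = "alice@tenant-a.example"
    print("receiver DMARC alignment:", dmarc_aligned(spoofed_from, spoofed_from))
    print("relay policy:", relay_policy("bob@tenant-b.example", spoofed_from, spoofed_from))
```

Only the relay, which knows the authenticated account, can reject the cross-tenant message; the receiver's alignment check has nothing to compare against.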

Domain owners

Domain owners should use strict measures to ensure that their DNS-based DMARC policy (with DKIM and SPF) protects their sender identity, their users, and their brand from abuse caused by spoofing. If a domain is expected to provide high assurance of identity, the domain owner should use their own DKIM facility, independent of the hosting provider, to reduce the risk of spoofing attacks.

Email Senders

Email senders that require high fidelity of their identity can use facilities such as S/MIME and PGP, as suggested in RFC 5321 #7.1.

Acknowledgements

Thanks to the reporters, Caleb Sargent and Hao Wang, for raising awareness of these vulnerabilities. This document was written by Dr. Elke Drennan, Vijay Sarvepalli, and Timur Snoke.

Vendor Information


Bird Affected

Notified:  2024-06-10 Updated: 2024-07-30

Statement Date:   July 15, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Affected

Vendor Statement

We are pleased to report that we have implemented a fix for Case VU#244112.3, which currently mitigates the issue. We are unable to verify the fix via Cisco Secure Email Gateway, however, we are confident that the current implementation resolves this for both Fastmail and CSEG.

Also, a big thanks to the CERT team and the reporters for responsibly bringing this to our attention.

Regards, Bird Security

NetWin Affected

Notified:  2024-05-31 Updated: 2024-07-30

Statement Date:   June 21, 2024

CVE-2024-7208 Affected
CVE-2024-7209 Affected

Vendor Statement:

To enforce a match between return path and authenticated sender, please use the setting g_from_exact "true".

References:

Vendor Statement

SurgeMail typically will not verify that From/Return path headers match. If you are using SurgeMail as a gateway for multiple domains, then it would be wise to enforce matching via settings, specifically g_from_relay "true".

For updates and other relevant settings see: https://surgemail.com/knowledge-base/from-return-path-spoofing/

Cisco Not Affected

Notified:  2024-05-31 Updated: 2024-07-30

Statement Date:   June 24, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Postfix Not Affected

Notified:  2024-05-31 Updated: 2024-07-30

Statement Date:   June 23, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Unknown

Vendor Statement

By default, Postfix versions >= 3.9.0, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and later replace "stray" <CR> and <LF> with <SPACE>, so that Postfix cannot be used for outbound SMTP smuggling. See https://www.postfix.org/postconf.5.html#cleanup_replace_stray_cr_lf

Sendmail Consortium Not Affected

Notified:  2024-05-31 Updated: 2024-07-30

Statement Date:   June 21, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Siemens Not Affected

Notified:  2024-05-31 Updated: 2024-07-30

Statement Date:   June 24, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Symantec Not Affected

Notified:  2024-05-31 Updated: 2024-08-06

Statement Date:   August 05, 2024

CVE-2024-7208 Not Affected
CVE-2024-7209 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Brevo Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

FastMail Unknown

Notified:  2024-06-10 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

GoDaddy Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

Mailgun Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

Mailtrap by Railsware Unknown

Notified:  2024-06-03 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

Twilio SendGrid Unknown

Notified:  2024-06-06 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

The reporter has identified specific issues with this vendor but we have not been able to get the vendor to identify their disposition in this vulnerability coordination effort.

Allworx Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Axigen Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Barracuda Networks Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

BlueMail Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

CommuniGate Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

ESET LLC. Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Exim Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

GMX Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

HostGator Unknown

Notified:  2024-05-28 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

IceWarp Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

iCloud Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

IncrediMail Ltd. Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

IONOS Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Kerio Technologies Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

mail2web.com Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

MailEnable Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mailman Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

MailTraq Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

MessageBird Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEO Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Netmail Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

NGINX Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenSMTPD Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

PHP FormMail Generator Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Proofpoint Unknown

Notified:  2024-07-30 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Proton Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qmail-TLS Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

RaidenMAILD Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sendmail Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sinch Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Spam Titan Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sprint (VMAIL) Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Titan Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tutanota Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Web.de Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

XMail Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Yahoo Inc. Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zoho Unknown

Notified:  2024-05-31 Updated: 2024-07-30

CVE-2024-7208 Unknown
CVE-2024-7209 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

CVE IDs: CVE-2024-7208 CVE-2024-7209
API URL: VINCE JSON | CSAF
Date Public: 2024-07-30
Date First Published: 2024-07-30
Date Last Updated: 2024-08-06 17:33 UTC
Document Revision: 8

Sponsored by CISA.