Postfix: SMTP smuggling vulnerability (CVE-2023-51764) – CVE-2023-51764)

Advisory No: TZCERT/SA/2023/01/08

Date of First Release: 8^th January 2024

Source: SMTP servers

Software Affected: POSTFIX in SMTP

Overview:

The vulnerability exists because a flaw was found in some SMTP server configurations in Postfix. This issue may allow a remote attacker to break out of the email message data to “smuggle” SMTP commands and send spoofed emails that pass SPF checks.

Description:

By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails – hence SMTP smuggling – while still passing SPF alignment checks.

Through exploiting variations in the interpretation of the SMTP protocol, it becomes feasible to transmit or send spoofed e-mails, a phenomenon known as SMTP smuggling, while still passing SPF alignment checks.

During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin[@]outlook.com) to millions of receiving SMTP servers.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to break out of the email message data to “smuggle” SMTP commands and send spoofed emails that pass SPF checks.

Solution:

A workaround for this vulnerability has been released. Users and administrators are encouraged to apply necessary updates.

Workaround: https://bugzilla.redhat.com/show_bug.cgi?id=2255563

References:

1. https://www.postfix.org/smtp-smuggling.html
2. https://bugzilla.redhat.com/show_bug.cgi?id=2255563
3. https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html