oss-sec mailing list archives
Re: CVE-2023-51766: Exim: SMTP smuggling
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 1 Jan 2024 18:00:11 -0500
On Mon, Jan 1, 2024 at 2:06 PM Demi Marie Obenour <demi () invisiblethingslab com> wrote:
On Mon, Jan 01, 2024 at 04:10:46PM +0000, halfdog wrote:Solar Designer writes:Hi, Exim was also susceptible to SMTP smuggling, and version 4.97.1 is now released to address this. Included below is doc/doc-txt/cve-2023-51766 from the exim-4.97.1 branch (with erroneous Date: line omitted). --- CVE ID: CVE-2023-51766 Credits: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mai ls-worldwide/ Version(s): all up to 4.97 inclusive Issue: Given a buggy relay, Exim can be induced to accept a second messa ge embedded as part of the body of a first message Conditions ========== If *all* the following conditions are met Runtime options --------------- * Exim offers PIPELINING on incoming connections * Exim offers CHUNKING on incoming connections Operation --------- * DATA (as opposed to BDAT) is used for a message reception * The relay host sends to the Exim MTA message data including one of "LF . LF" or "CR LF . LF" or "LF . CR LF".Interesting, that also LF . LF is causing the effect. As there might be some aggressive mail server testing for that issue in near future anyway, could it be, that this was exactly the issue affecting Debian mailing lists at least 2018-2023? If not so, and there is a second bug, the increased testing and also public bug report from below will give them some interesting times ahead anyway. But if so, any automated mailing list forwarding might be quite likely (due to trigger probabilities) to have left truncated and non-truncated messages online, so that finding those pairs automatically, e.g. using more unique text parts from list A messages to search for messages on any other list B and check, if one of them seems truncated. Here are some message examples from 2018 showing the trunction: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849754#60 https://lists.debian.org/debian-mentors/2018/01/msg00331.html Then there was also a public bug report on those https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922652 or the ones from below.I think the only reasonable thing for an SMTP server to do is to reject all LFs and CRs in DATA that are not part of a proper CRLF outright.
+1. Postel's Law strikes again. Jeff
Current thread:
- Re: CVE-2023-51766: Exim: SMTP smuggling halfdog (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Jeffrey Walton (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour (Jan 01)