Re: CVE-2023-51766: Exim: SMTP smuggling

Related Vulnerabilities: CVE-2023-51766  
                							

oss-sec mailing list archives
From: Jeffrey Walton <noloader () gmail com>

Date: Mon, 1 Jan 2024 18:00:11 -0500

On Mon, Jan 1, 2024 at 2:06 PM Demi Marie Obenour
<demi () invisiblethingslab com> wrote:

On Mon, Jan 01, 2024 at 04:10:46PM +0000, halfdog wrote:
Solar Designer writes:
Hi,

Exim was also susceptible to SMTP smuggling, and version 4.97.1 is now
released to address this.  Included below is doc/doc-txt/cve-2023-51766
from the exim-4.97.1 branch (with erroneous Date: line omitted).
---
CVE ID:     CVE-2023-51766
Credits:    https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Version(s): all up to 4.97 inclusive
Issue:      Given a buggy relay, Exim can be induced to accept a second message embedded
            as part of the body of a first message

Conditions
==========

If *all* the following conditions are met

    Runtime options
    ---------------

    * Exim offers PIPELINING on incoming connections

    * Exim offers CHUNKING on incoming connections

    Operation
    ---------

    * DATA (as opposed to BDAT) is used for a message reception

    * The relay host sends to the Exim MTA message data including
      one of "LF . LF" or "CR LF . LF" or "LF . CR LF".

Interesting that LF . LF also causes the effect. As there
might be some aggressive mail server testing for that issue in the
near future anyway, could it be that this was exactly the issue
affecting Debian mailing lists at least 2018-2023? If not so,
and there is a second bug, the increased testing and also the public
bug report from below will give them some interesting times ahead
anyway.

But if so, any automated mailing list forwarding might be quite
likely (due to trigger probabilities) to have left truncated
and non-truncated messages online, so that finding those pairs
automatically, e.g. using more unique text parts from list A
messages to search for messages on any other list B and checking
if one of them seems truncated.

Here are some message examples from 2018 showing the truncation:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849754#60
https://lists.debian.org/debian-mentors/2018/01/msg00331.html

Then there was also a public bug report on those

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922652

or the ones from below.

I think the only reasonable thing for an SMTP server to do is to reject
all LFs and CRs in DATA that are not part of a proper CRLF outright.

+1.

Postel's Law strikes again.

Jeff
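As an added example (not code from this thread or from Exim), here is a receiver-side check in Python for the DATA-phase condition quoted from the advisory and the rule Demi proposes: it flags the three non-CRLF end-of-data variants (LF . LF, CR LF . LF, LF . CR LF) and rejects any CR or LF that is not part of a CRLF pair. The function names and the sample payloads are constructed for this illustration.

```python
import re

# Constructed sample DATA payloads (not taken from the thread). RFC 5321
# requires CRLF line endings, so a conformant client only ever sends "\r\n".
CLEAN = b"Subject: hi\r\n\r\nbody line\r\n.\r\n"
LF_DOT_LF = b"Subject: hi\r\n\r\nbody\n.\nsecond message\r\n"
CRLF_DOT_LF = b"Subject: hi\r\n\r\nbody\r\n.\nsecond message\r\n"
LF_DOT_CRLF = b"Subject: hi\r\n\r\nbody\n.\r\nsecond message\r\n"

# Any "<eol> . <eol>" where either end-of-line is not a full CRLF. The only
# legitimate end-of-data marker is CRLF . CRLF; the advisory's three unsafe
# variants (LF . LF, CR LF . LF, LF . CR LF) all fall out of this one pattern.
_DOT_LINE = re.compile(rb"(\r?\n)\.(\r?\n)")

# Any CR or LF that is not part of a CRLF pair.
_BARE_EOL = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def non_standard_eod(data: bytes) -> list[bytes]:
    """Return every non-CRLF end-of-data sequence found in the DATA payload."""
    return [m.group(0) for m in _DOT_LINE.finditer(data)
            if m.group(1) != b"\r\n" or m.group(2) != b"\r\n"]


def bare_line_endings(data: bytes) -> list[int]:
    """Offsets of every CR or LF that is not part of a proper CRLF."""
    return [m.start() for m in _BARE_EOL.finditer(data)]


def accept_data(data: bytes) -> tuple[bool, str]:
    """The rule Demi proposes: reject DATA outright if it carries any CR or LF
    outside a CRLF pair. Returns (accepted, reason). This stricter check
    subsumes non_standard_eod(), since each unsafe variant contains a bare EOL."""
    offsets = bare_line_endings(data)
    if offsets:
        return False, f"bare CR/LF at offset {offsets[0]}"
    return True, "ok"


if __name__ == "__main__":
    for name, payload in (("CLEAN", CLEAN), ("LF_DOT_LF", LF_DOT_LF),
                          ("CRLF_DOT_LF", CRLF_DOT_LF), ("LF_DOT_CRLF", LF_DOT_CRLF)):
        print(name, non_standard_eod(payload), accept_data(payload))
```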
