Hi,
are SOFS and SG UTM affected by CVE-2023-51766 (Sender Spoofing by SMTP)?
This thread was automatically locked due to age.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Hello there,
Thank you for contacting the Sophos Community.
I need to reach out internally to confirm; I will update the post once I hear back or by the end of the day on Tuesday.
Regards,
emmosophos Do you have details for us regarding the Exim vulnerability CVE-2023-51766 and it's impact on the current versions of XG/UTM ?
Sure if you can share the logs and a sample smuggled email, that would be helpful. If you can share your exim.conf file that would be even better.
We tested & reproduced the smtp smuggling vulnerability, and confirmed on both SFOS & UTM with default configuration (chunking disabled) they're safe.
Hello,
Adding to what Bobby mentioned, please open a case with Support, submit the Samples and share the Case ID.
You can find the exim.conf file in the following path # cat /var/storage/chroot-smtp/etc/exim.conf
Regards,
Are you sure, you are not using a Header From Spoof attack, which UTM does not cover?
__________________________________________________________________________________________________________________
I don't think so, this was smuggling
poc payload looks something like this
send: sending "From: test@[valid domain #1]co.nz\r" to { exp4 }
send: sending "To: validrecipient@[valid domain #2].co.nz\r" to { exp4 }
send: sending "Subject: 1st email\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending "1st email content with many others emails\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending ".\r" to { exp4 }
send: sending "mail FROM:<spoofedvalidrecipient#1@[invalid domain #1].co.nz>\r" to { exp4 }
send: sending "rcpt TO:<validrecipient#1@[valid domain #2].co.nz>\r" to { exp4 }
send: sending "data\r" to { exp4 }
send: sending "From: spoofedvalidrecipient#1@[invalid domain #1].co.nz\r" to { exp4 }
send: sending "To: validrecipient#1@[valid domain #2].co.nz\r" to { exp4 }
send: sending "Subject: Spoofed email #1\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending "Content of the #1 spoofed email\r" to { exp4 }
send: sending "\r" to { exp4 }
send: sending ".\r" to { exp4 }
poc code (modified) can be found here CVE-2023-51764.sh
Hello,
As mentioned if you want this to be investigated further, please submit the original logs along with your exim.conf file.
Regards,
Home user - waiting on support account to be registered. before providing logs.
Hi,
you won't get a support account created as a home user. You might be able to send them to Emmanuel to forward to the support team.
Ian
XG115W - v20.0.2 MR-2 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
Eh - gave up mucking about with raising a support ticket... have emailed security-alert@sophos.com (as per security.txt) - it'll either be fixed, or ignored. So we'll see in 87(90-3) days...
Regardless of the investigation of Sophos (DEV) i took a look at your code Seth Bodine .
My SFOS appliances does block the second email with SPF sent by the CVE code.
What did you use as a Spoof Email? Because my Email has a valid SPF Record first and then the second (spoof) email is a SPF Hardfail Email - Which gets blocked.
I could see individual SPF checks for each mail based on the Email CVE script.
What kind of examples did you use Seth?
__________________________________________________________________________________________________________________
Regardless of the investigation of Sophos (DEV) i took a look at your code Seth Bodine .
My SFOS appliances does block the second email with SPF sent by the CVE code.
What did you use as a Spoof Email? Because my Email has a valid SPF Record first and then the second (spoof) email is a SPF Hardfail Email - Which gets blocked.
I could see individual SPF checks for each mail based on the Email CVE script.
What kind of examples did you use Seth?
__________________________________________________________________________________________________________________
Hey LuCar
if valid SPF exists it can impact the smuggling of the emails, however, if you were to disable SPF for the originating sender IP it should then process fine.
for the main email I picked an external domain at random that didn't have SPF records, for the smuggled emails I used my own domains where SPF, DKIM and DMARC were configured and enforced. so disabling SPF for the originating IP resulted in all emails being smuggled.
From what I saw, DKIM and DMARC were ignored for the smuggled emails, and SPF checks were executed, and failed as the external IP was not permitted to send email.
hope that helps.
one correction, I suspect that my UTM may have validated SPF against itself for the smuggled emails - but I didn't dig into this further at the time (apologies fror any confusion).
Could you send me via PM the POC Code you used?
Because as far as i understand you, i should be able to reproduce it with your exact examples: one non existing Email and a SPF record from you.
I was watching the entire CCC webinar and checked for the logic behind this attack and from what i could see, SFOS and UTM did a SPF check for each indiviual Email generated by this PoC code: https://github.com/duy-31/CVE-2023-51764/ So as soon as SFOS / UTM threats those emails individually (and check for SPF) it should not be affected (by my understanding).
__________________________________________________________________________________________________________________
Hi Seth! Daniel here, an engineer from the email team at Sophos.
Based on the information provided I can't confirm that you induced SMTP smuggling. You say the following:
"if valid SPF exists it can impact the smuggling of the emails, however, if you were to disable SPF for the originating sender IP it should then process fine."
The point of the exploit as explained in the CCC webinar is that the smuggled emails bypass the SPF check because it only checks the first email. In your case, SPF checks run for every domain and as you say, block them.
Another thing that can cause confusion is softfail: SPF checks can result in softfail if the SPF record is created with "~all" instead of "-all". SFOS doesn't block this result, so it can seem as if the SPF check didn't work or smuggling was successful.
Nevertheless, I would be happy to investigate further if you provide me with an access ID and logs of the issue happening. If SMTP and exim debug logs are enabled it will be quite easy to see if the exploit worked or not.
Happy to provide further information let me know what log files you need, and any changes to initate debug logs.
Can you share (via PM) your Examples, you used for the PoC Code? So we can reproduce it?
__________________________________________________________________________________________________________________
Hi Seth!
Here's how you can help:
You can send everything over in a private message.
Also: please remember to turn on SPF for testing. If the smuggled mail can't bypass SPF, then it isn't a case of SMTP smuggling.