SFOS and SG UTM affected by SMTP/EXIM CVE-2023-51766?

Question

Hi, 
 are SOFS and SG UTM affected by CVE-2023-51766 (Sender Spoofing by SMTP)?

bobbylam · Accepted Answer

Sure if you can share the logs and a sample smuggled email, that would be helpful. If you can share your exim.conf file that would be even better. 
 We tested & reproduced the smtp smuggling vulnerability, and confirmed on both SFOS & UTM with default configuration (chunking disabled) they're safe.

Dániel Lengyel · Answer

Hi Seth! Daniel here, an engineer from the email team at Sophos. 
 Based on the information provided I can't confirm that you induced SMTP smuggling. You say the following: 
 "if valid SPF exists it can impact the smuggling of the emails, however, if you were to disable SPF for the originating sender IP it should then process fine." 
 The point of the exploit as explained in the CCC webinar is that the smuggled emails bypass the SPF check because it only checks the first email. In your case, SPF checks run for every domain and as you say, block them. 
 Another thing that can cause confusion is softfail: SPF checks can result in softfail if the SPF record is created with "~all" instead of "-all". SFOS doesn't block this result, so it can seem as if the SPF check didn't work or smuggling was successful. 
 
 Nevertheless, I would be happy to investigate further if you provide me with an access ID and logs of the issue happening. If SMTP and exim debug logs are enabled it will be quite easy to see if the exploit worked or not.

Vishal_R · Answer

Hi wlogic & FFin The development review related to CVE 2023-51766 is completed for XG and UTM both OSes and below is the update from the Dev team. 
 Although both systems use the affected Exim version 4.96, this vulnerability does not affect them. This is because CHUNKING is disabled by default on XG and UTM. Please refer to this URL for more info - github.com/.../cve-2023-51766

Dániel Lengyel · Answer

Hi Seth! 
 Here's how you can help: 
 
 Give me an access ID to your system like so: https://doc.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/ConnectionList/SupportAccess/index.html This is just so I can check out your configuration. (You might not be able to do this. In that case, you could send me screenshots of the Policies & exceptions section of your SFOS Email page, as well all the policies and exceptions you have configured.) 
 Run another test and collect debug logs. You can do this like so: 
 
 Get everything set so all you have to do is send the email. 
 In the admin console, write the following commands:
 
 service -ds nosync smtpd:debug 
 service -ds nosync smtpd:exim_debug

Attempt to send the smuggled mail. 
 Run the same commands as before so your logs won't continue to fill with debug lines. 
 Send over smtpd_main.log found in /log

You can send everything over in a private message. 
 Also: please remember to turn on SPF for testing. If the smuggled mail can't bypass SPF, then it isn't a case of SMTP smuggling.

SFOS and SG UTM affected by SMTP/EXIM CVE-2023-51766?

Top Replies