
SFOS and SG UTM affected by SMTP/EXIM CVE-2023-51766?

Hi, 

are SFOS and SG UTM affected by CVE-2023-51766 (Sender Spoofing by SMTP)?



This thread was automatically locked due to age.
  • Hello,

    As mentioned if you want this to be investigated further, please submit the original logs along with your exim.conf file.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Home user - waiting on support account to be registered before providing logs.

  • Hi,

    you won't get a support account created as a home user. You might be able to send them to Emmanuel to forward to the support team.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Eh - gave up mucking about with raising a support ticket... have emailed security-alert@sophos.com (as per security.txt) - it'll either be fixed, or ignored. So we'll see in 87(90-3) days...

  • Thank you for the details Seth, I'll get our engineering team to look into this further. 

  • Regardless of the investigation of Sophos (DEV), I took a look at your code.
    My SFOS appliances do block the second email with SPF sent by the CVE code.
    What did you use as a spoof email? Because my email has a valid SPF record first, and then the second (spoof) email is an SPF hardfail email, which gets blocked.

    I could see individual SPF checks for each mail based on the Email CVE script. 

    What kind of examples did you use Seth?


  • I submitted this through Sophos support (ticket 07155188) on the 20th of December, asked for a status on the 22/28th of December, it was forwarded like 10 times and I escalated it eventually as I only got answers with no actual response, and still it was only picked up on the 5th of January.

    I understand that there was a holiday period, but this shouldn't matter for a security product. I found the support VERY lacking; we pay quite a lot for support with about ~10 UTMs, with even some SG650s at one of our customers' sites.

  • So key point in this discussion is, most of the information was published around the holiday week. You can see this in the GitHub repos as well. Most were updated around the 29th of December.


  • Hey LuCar

    If valid SPF exists it can impact the smuggling of the emails; however, if you were to disable SPF for the originating sender IP it should then process fine.

    For the main email I picked an external domain at random that didn't have SPF records; for the smuggled emails I used my own domains where SPF, DKIM and DMARC were configured and enforced. So disabling SPF for the originating IP resulted in all emails being smuggled.

    From what I saw, DKIM and DMARC were ignored for the smuggled emails, and SPF checks were executed, and failed as the external IP was not permitted to send email.

    Hope that helps.
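
An added example, not code from this thread or from Sophos: SMTP smuggling relies on a receiving server treating something other than `<CR><LF>.<CR><LF>` as end of data, so a relay or log pipeline can flag DATA payloads that carry a lone-dot line with any other line terminators. The function name, the verb heuristic and the sample bytes are assumptions constructed for illustration.

```python
import re

# RFC 5321 ends DATA only with <CR><LF>.<CR><LF>. Capture the line break on
# each side of any line that holds nothing but ".".
LONE_DOT = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")
# Heuristic (assumption): verbs that would open a second envelope.
SMTP_VERB = re.compile(rb"(?i)(MAIL FROM:|RCPT TO:|DATA\r?\n|RSET\r?\n)")


def find_nonstandard_eod(body: bytes):
    """Return (offset, before, after, verb_follows) for every lone-dot line
    whose terminators are not both CRLF. `body` is the raw DATA payload
    before dot-unstuffing, without the genuine final <CR><LF>.<CR><LF>."""
    findings = []
    pos = 0
    while (m := LONE_DOT.search(body, pos)):
        before, after = m.group(1), m.group(2)
        if (before, after) != (b"\r\n", b"\r\n"):
            # An SMTP verb right after the dot line raises confidence that
            # this is an embedded second message rather than odd text.
            verb = bool(SMTP_VERB.match(body, m.end()))
            findings.append((m.start(), before, after, verb))
        # Resume at the trailing line break so back-to-back dot lines are seen.
        pos = m.start(2)
    return findings


# Constructed sample payload (example.* domains), not taken from any real log.
SAMPLE = (
    b"From: a@example.com\r\nSubject: first\r\n\r\nhello\r\n"
    b"..a dot-stuffed line is normal\r\n"
    b"bye\n.\r\n"
    b"MAIL FROM:<b@example.org>\r\n"
)

if __name__ == "__main__":
    for off, before, after, verb in find_nonstandard_eod(SAMPLE):
        print(f"offset {off}: {before!r} . {after!r} smtp_verb_follows={verb}")
```

A hit with `verb_follows` set is worth quarantining or rejecting outright; a hit without it is usually a client that emits bare line feeds.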

  • Can you include the ticket numbers here, or go back to Sophos and update your ticket with the link to this discussion?