CVE-2023-51764

Published: 18 Dec 2023
Source: redhat
CVSS3: 5.3
EPSS Medium

Description

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

A flaw was found in some SMTP server configurations in Postfix. This flaw allows a remote attacker to break out of email message data to "smuggle" SMTP commands and send spoofed emails that pass SPF checks. Out of the box, Postfix aims to accommodate older clients with faulty SMTP implementations, so the restrictions are not enforced in the default configuration. Mitigation strategies are described in the mitigation section below.

Report

The impact is considered Moderate likely due to certain conditions required for successful exploitation, such as specific server configurations.

Mitigation

This flaw can be PARTIALLY mitigated via the following options in main.cf:

    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keywords = chunking, silent-discard

Please note this only blocks the misuse of SMTP command pipelining, but does not address message pipelining nor malformed line endings. The only fix for these issues is via package updates.
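An audit of the options named on this page, as an added example (not Red Hat's or the Postfix project's code). The function names and the sample configuration are constructed for illustration, the version string is supplied by the caller, and the comparison uses upstream version numbers only, so it does not account for fixes backported into distribution packages.

```python
import re

# Upstream releases that first carry smtpd_forbid_bare_newline, per the advisory text.
MIN_PATCH = {(3, 5): 23, (3, 6): 13, (3, 7): 9, (3, 8): 4}

def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines, whitespace-led continuations, last value wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:  # continuation of the previous parameter
            params[name] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            name = key.strip()
            params[name] = value.strip()
    return params

def words(value):
    """Split a comma/space separated parameter value into lower-cased tokens."""
    return {w.lower() for w in re.split(r"[,\s]+", value) if w}

def supports_forbid_bare_newline(version):
    """True if an upstream version string like '3.8.4' meets the advisory's minimums."""
    major, minor, patch = (int(x) for x in (version.split(".") + ["0", "0"])[:3])
    if (major, minor) >= (3, 9):
        return True
    return patch >= MIN_PATCH.get((major, minor), float("inf"))

def audit(main_cf_text, mail_version):
    """Return findings; an empty list means every option named on the page is set."""
    p, findings = parse_main_cf(main_cf_text), []
    if "reject_unauth_pipelining" not in words(p.get("smtpd_data_restrictions", "")):
        findings.append("smtpd_data_restrictions lacks reject_unauth_pipelining")
    if "chunking" not in words(p.get("smtpd_discard_ehlo_keywords", "")):
        findings.append("smtpd_discard_ehlo_keywords lacks chunking")
    if not supports_forbid_bare_newline(mail_version):
        findings.append("version predates smtpd_forbid_bare_newline; package update needed")
    elif p.get("smtpd_forbid_bare_newline", "").lower() != "yes":
        # Assumption: only the value the page names ("yes") is accepted here.
        findings.append("smtpd_forbid_bare_newline is not set to yes")
    return findings

# Constructed sample configuration (partial mitigation only), not from a real host.
SAMPLE = """\
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking,
    silent-discard
"""
```

With the sample above, a 3.8.3 host is reported as needing a package update, while a 3.8.4 host is reported as missing smtpd_forbid_bare_newline=yes.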

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | postfix | Out of support scope | | |
| Red Hat Enterprise Linux 7 | postfix | Out of support scope | | |
| Red Hat Enterprise Linux 8 | postfix | Fix deferred | | |
| Red Hat Enterprise Linux 9 | postfix | Fixed | RHSA-2024:9243 | 12.11.2024 |

Additional information

Status: Moderate
Defect: CWE-345->CWE-451
https://bugzilla.redhat.com/show_bug.cgi?id=2255563 postfix: SMTP smuggling vulnerability

EPSS

Percentile: 95%
0.21846
Medium

5.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 1 year ago

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

CVSS3: 5.3
nvd
more than 1 year ago

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

CVSS3: 5.3
msrc
more than 1 year ago

No description available

CVSS3: 5.3
debian
more than 1 year ago

Postfix through 3.8.5 allows SMTP smuggling unless configured with smt ...

suse-cvrf
about 1 year ago

Security update for postfix
