THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)

Ok

PUBLISHED

CVE-2023-51764

Assigner:mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca)
Reserved:2023-12-24
Published:2023-12-24
Updated:2024-06-10

Description

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

References

https://www.postfix.org/smtp-smuggling.html

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

http://www.openwall.com/lists/oss-security/2023/12/24/1 ([oss-security] 20231224 Re: Re: New SMTP smuggling attack) mailing-list

http://www.openwall.com/lists/oss-security/2023/12/25/1 ([oss-security] 20231225 Re: Re: New SMTP smuggling attack) mailing-list

https://bugzilla.redhat.com/show_bug.cgi?id=2255563

https://access.redhat.com/security/cve/CVE-2023-51764

https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11782.html

https://github.com/eeenvik1/CVE-2023-51764

https://github.com/duy-31/CVE-2023-51764

https://www.youtube.com/watch?v=V8KPV96g1To

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/ (FEDORA-2024-c839e7294f) vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/ (FEDORA-2024-5c186175f2) vendor-advisory

https://lwn.net/Articles/956533/

https://www.openwall.com/lists/oss-security/2024/01/22/1

https://www.postfix.org/announcements/postfix-3.8.5.html

https://lists.debian.org/debian-lts-announce/2024/01/msg00020.html ([debian-lts-announce] 20240130 [SECURITY] [DLA 3725-1] postfix security update) mailing-list

http://www.openwall.com/lists/oss-security/2024/05/09/3 ([oss-security] 20240508 Re: New SMTP smuggling attack) mailing-list

cve.org CVE-2023-51764

nvd.nist.gov CVE-2023-51764

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-51764