«SMTP Smuggling» is a vulnerability that allows an attacker to bypass some of the checks a receiving mail server performs, and therefore lets additional spam and/or phishing messages through. Here is a list of what we currently know.
Interested in the full story? I have written a German 🇩🇪 article on SMTP Smuggling and SEC Consult’s selective (and untimely) disclosure.
The SEC Consult article contains information about the software they tested. However, that information is largely unstructured. Here is an attempt to structure it.
A link is provided whenever information not contained in the SEC Consult article is referenced. For all the question marks, I actively tried to find information on the vendor's web page (typically the “blog” page, if any) and/or using a web search for their site («site:example.com "SMTP Smuggling"»). A question mark indicates that this process did not reveal any additional information.
«Vulnerable as» says in which role the system was found affected: «Sender» means its outbound server relays a message containing an end-of-data sequence other than <CR><LF>.<CR><LF> unchanged; «Recipient» means its inbound server accepts such a sequence as the end of the message.

System | Vulnerable as | SEC Consult knew | Informed | Workaround | Fixed |
---|---|---|---|---|---|
Outlook, Exchange | Sender | ✅ | 2023-07-26 | ➡️ | 2023-10-16 |
Cisco | Recipient | ✅ | 2023-07-27, 2023-08-17 | ✅ | WONTFIX |
GMX/Ionos | Sender | ✅ | 2023-07-29 | ➡️ | 2023-08-10 |
iCloud | Sender | ✅ | — | ❓ | ❓ |
Postfix | Sender, Recipient | ✅ | CERT/CC (see below) | 2023-12-20 | 2023-12-24 |
Sendmail | Sender, Recipient | ✅ | — | ❓ | ❓ |
Startmail | Sender | ✅ | — | ❓ | ❓ |
Fastmail | Sender, Recipient | ✅ | — | ❓ | ❓ |
Runbox | Sender, Recipient | ✅ | — | ❓ | ❓ |
Zohomail | Sender | ✅ | — | ❓ | ❓ |
Exim | Recipient | ❌ | — | ➡️ | 2023-12-24 |
Update 2023-12-26
In the night of December 22nd to 23rd (European time), Tim Weber started a discussion on the Postfix-Users mailing list, with quick and active participation by Wietse Venema (author of the Postfix mail transport software), Vijay S Sarvepalli (from CERT/CC) and others. Here is my attempt at a structured summary:
- Based on the information presented by SEC Consult, CERT/CC did not get the impression that «a) the way the attack works, b) the potential impact of spoofing SPF/DMARC, and above all c) that one might need to combine several different software products to perform the exploit» had been communicated explicitly enough.
- Postfix developers were informed by the CERT/CC team by email (no detailed date given).
- Postfix developers were «at no point […] made aware that there was a successful SPF spoofing attack that required the combination of TWO email services with SPECIFIC DIFFERENCES in the way they handle line endings other than <CR><LF>».
- Additionally, SMTP Smuggling is expected to be a problem beyond the platforms named, and in certain setups or products it may even be able to circumvent DKIM signature protection, which is generally stronger, among other things.
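The point in Wietse Venema's quote above, that the attack needs two services which differ in how they treat line endings other than <CR><LF>, is easiest to see in code. The following is an added example written for this page, not code from SEC Consult, Postfix, Exim or any vendor in the table: a small model of an outbound server's dot-stuffing (the «Sender» role) and an inbound server's line splitting (the «Recipient» role). The session bytes and addresses are constructed placeholders, and the «reject» mode stands for the general «forbid bare newline» class of fix; it is an assumption about the technique, not a transcription of any project's patch.

```python
"""Model of SMTP smuggling as a mismatch between two servers' line-ending rules.

Added example for this page, not code from SEC Consult, Postfix, Exim or any
vendor in the table.  Session bytes and addresses are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

CRLF = b"\r\n"
# Lenient receiver: <CR><LF>, bare <LF> and bare <CR> all terminate a line.
LENIENT_LINE = re.compile(rb"([^\r\n]*)(\r\n|\n|\r)")
# Strict receiver (RFC 5321): only <CR><LF> terminates a line; bare <CR>/<LF> are data.
STRICT_LINE = re.compile(rb"((?:[^\r]|\r(?!\n))*)(\r\n)")


@dataclass
class Message:
    mail_from: bytes
    rcpt_to: list = field(default_factory=list)
    body: bytes = b""


def outbound_relay(body: bytes, normalize_bare_newlines: bool) -> bytes:
    """Bytes an outbound (sending) server puts on the wire for one DATA section.

    RFC 5321 requires doubling a leading '.' (dot-stuffing) and ending the
    section with <CR><LF>.<CR><LF>.  A sender that only treats <CR><LF> as a
    line break never sees the '.' after a bare <LF> as a line start, so it
    relays the smuggled '<LF>.<CR><LF>' untouched (normalize_bare_newlines=False).
    Normalising bare <LF>/<CR> to <CR><LF> first turns that '.' into a real
    line start, and dot-stuffing neutralises it.
    """
    if normalize_bare_newlines:
        body = re.sub(rb"\r\n|\n|\r", CRLF, body)
    if not body.endswith(CRLF):
        body += CRLF
    lines = body[:-2].split(CRLF)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return CRLF.join(stuffed) + CRLF + b"." + CRLF


def inbound_parse(stream: bytes, mode: str):
    """Replay the client side of a session the way an inbound server reads it.

    mode: 'lenient' - <CR><LF>, bare <LF> and bare <CR> all end a line (vulnerable)
          'strict'  - only <CR><LF> ends a line
          'reject'  - like 'lenient', but the first bare <LF>/<CR> aborts the
                      session (models the 'forbid bare newline' class of fix;
                      an assumption about the technique, not any vendor's code)
    Returns (accepted messages, errors).  Only MAIL FROM / RCPT TO / DATA and
    the end-of-data line are modelled; an unterminated trailing line is ignored.
    """
    pattern = STRICT_LINE if mode == "strict" else LENIENT_LINE
    messages, errors = [], []
    current, in_data, raw = None, False, b""
    for m in pattern.finditer(stream):
        content, term = m.group(1), m.group(2)
        if mode == "reject" and term != CRLF:
            errors.append(b"bare newline received, session closed")
            break
        if in_data:
            if content == b".":
                messages.append(Message(current.mail_from, current.rcpt_to, raw))
                current, in_data, raw = None, False, b""
            else:  # undo dot-stuffing, otherwise keep the line exactly as received
                raw += (content[1:] if content.startswith(b"..") else content) + term
            continue
        verb = content.upper()
        if verb.startswith(b"MAIL FROM:"):
            current = Message(content[10:].strip())
        elif verb.startswith(b"RCPT TO:") and current is not None:
            current.rcpt_to.append(content[8:].strip())
        elif verb == b"DATA" and current is not None:
            in_data = True
    return messages, errors


# Constructed attacker input, submitted through the outbound server as the body of
# an ordinary message from alice.  The '<LF>.<CR><LF>' after the first paragraph is
# the smuggled end-of-data marker; what follows is a second envelope that a lenient
# receiver reads as new SMTP commands, now with the sender's SPF-passing IP.
ATTACKER_BODY = (
    b"Subject: hello\r\n\r\n"
    b"This is the legitimate message.\n.\r\n"
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<victim@example.net>\r\nDATA\r\n"
    b"Subject: urgent wire transfer\r\n\r\nSmuggled message.\r\n"
)
ENVELOPE = b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"


def run_scenario(sender_normalizes: bool, receiver_mode: str):
    """Return ([(mail_from, rcpt_to), ...] the receiver accepts, errors)."""
    wire = ENVELOPE + outbound_relay(ATTACKER_BODY, sender_normalizes)
    msgs, errs = inbound_parse(wire, receiver_mode)
    return [(m.mail_from, m.rcpt_to) for m in msgs], errs


if __name__ == "__main__":
    for sender, receiver in [(False, "lenient"), (False, "strict"),
                             (True, "lenient"), (False, "reject")]:
        print(f"sender normalizes={sender!s:5} receiver={receiver:8}",
              run_scenario(sender, receiver))
```

Only the first combination (a sender that relays the bare newline untouched and a receiver that accepts it as a line ending) yields two messages, the second one from ceo@example.com. Fixing either side is enough: a strict receiver keeps the whole thing inside alice's body, a normalising sender dot-stuffs the marker, and a receiver that refuses bare newlines never gets to the smuggled envelope at all.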
A possible interpretation of this discussion is that SEC Consult became aware of the full impact of the vulnerability only later (maybe as part of the preparations for the talk on 2023-12-27?). Even so, informing vendors, providers, and CERT/CC with more information (possibly a draft of the blog post) at short notice would have been significantly better than what we have now, namely no notice.
Wietse Venema proposes that, «now that the attack is public, I do encourage reaching out to the rest of the world», making everyone aware as quickly and prominently as possible. Also, CERT/CC hopes it will be able to further improve its workflows for multi-vendor vulnerabilities and Open Source projects.