SMTP Smuggling

Posted on Sat 23 December 2023 in Security

On 2023-12-18, the SEC Consult team published a security issue affecting many SMTP implementations. The problem results in some attack vectors bypassing important antispam/antispoofing mechanisms. This can cause major problems as mails can be injected into the mail flow that appear to come from a valid trusted source.

It seems that the process of informing software vendors affected by this problem needs to be optimised by SEC Consult. The Postfix team have released some information to inform their userbase and it seems that they are quite upset about the short time before the information about the problem was released.

Even more interesting is that it seems that SEC Consult had already informed other vendors like Microsoft or Cisco in the middle of the year when they first discovered the SMTP smuggling problem.

A lot of people analysed their posts and information, and it looks like they were aware that more implementations were affected by the problem. If they really had this knowledge, why did they not inform the developers or projects like Postfix?

With a talk scheduled at CCC Congress 37C3, I look forward to getting some answers as to why this communication seemed so fucked up.

The IT security world still has some big problems with making responsible disclosure work, if this was done intentionally or they made the problem public before informing the world's most popular mail transfer agent they may not have done their homework on being responsible. But let us see what they have to say and be excellent to each other!

The post from the Postfix team points directly to a problem we still have in OSS, the people behind such projects, even if they are fill time employees, are not always available. Software is still written by humans, and security problems in widely used and complex software are hard to understand and sometimes hard to fix. The team needs time to create, test and deploy a stable, working fix. Distributors, vendors and administrators need time to integrate fixed versions into their systems. This takes time, which is why most people agree to responsible disclosure.

You should check your MTA systems and apply the necessary workarounds or fixes to your system as soon as possible.

Here is a short Python script by hannob that may help to identify affected MTA implementations.

The German Federal Office for Information Security (BSI) has also issued an advisory. You can find the pdf here.

I will try to keep this post updated with a list of testing tools or upcoming information.

Update - 2023-12-31

Now the talk was presented at the 37c3 congress in Berlin and a recording is available here.

Timo Longin presented his work, how he found the problem and tracked it down. More importantly, he explained how the confusion around the notification of OSS projects and vendors happened. To me it looks like he and the team had good intentions to bring all the information to a central point, in this case a CERT, to inform vendors/projects and discuss the problem. Perhaps they should have tried to raise more awareness of the problem through direct communication channels? I don't know. From my own experience, it is very stressful to convince people of problems you have found.

The fact that the group of projects was chosen without the Postfix people is something I can't understand. Postfix is still one of the most widely used MTAs and the CERT should have known that.

The part of the talk where Timo talked about the communication part gave me the impression that he is aware of fixing this for the future, and that is the most important part for me. So please be nice to each other and don't attack the messenger of a problem. Try to hear both sides, but be aware that it is not a good idea to personally attack someone online for their work.