Bug 2255869 (CVE-2023-51765) - CVE-2023-51765 sendmail: SMTP smuggling vulnerability
Summary: CVE-2023-51765 sendmail: SMTP smuggling vulnerability
Status: NEW
Alias: CVE-2023-51765
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2255870
Blocks: 2255562
Reported: 2023-12-25 22:05 UTC by Robb Gatica
Modified: 2024-06-18 02:20 UTC

Fixed In Version: sendmail
Doc Type: ---
Doc Text:
A flaw was found in some SMTP server configurations in Sendmail. This issue may allow a remote attacker to break out of the email message data to "smuggle" SMTP commands and send spoofed emails that pass SPF checks.
Clone Of:
Last Closed:


Description Robb Gatica 2023-12-25 22:05:17 UTC
By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails - hence SMTP smuggling - while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin[@]outlook.com) to millions of receiving SMTP servers (e.g., Amazon, PayPal, eBay). Identified vulnerabilities in Microsoft and GMX were quickly fixed; however, SEC Consult urges companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration.


Comment 1 Robb Gatica 2023-12-25 22:05:47 UTC
Created sendmail tracking bugs for this issue:

Affects: fedora-all [bug 2255870]

Comment 3 Sandipan Roy 2024-01-04 11:08:07 UTC
The Sendmail vulnerability allowing SMTP smuggling is deemed moderate due to its impact on SPF protection mechanisms and specific conditions for successful exploitation. SMTP smuggling involves manipulating the communication between mail servers to inject unauthorized messages. Exploiting this flaw involves a technique where remote attackers inject email messages with a spoofed MAIL FROM address. This manipulation allows them to bypass SPF protections because Sendmail supports the <LF>.<CR><LF> sequence, which some other popular email servers do not.

CVSSv3:  5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
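
Added example (not part of the bug report and not Sendmail code): a detection check for the non-standard end-of-data sequence named in Comment 3. It scans a captured DATA payload for lone-dot lines whose line endings are not both <CR><LF>, which covers <LF>.<CR><LF> and, as a generalization, the other bare-CR/bare-LF variants. The function name, sample payloads, and the assumption that the DATA command line ended in CRLF are all constructed for illustration.

```python
import re

CRLF = b"\r\n"
# One line = bytes without CR/LF, followed by CRLF, bare CR, bare LF, or end of input.
LINE_RE = re.compile(rb"([^\r\n]*)(\r\n|\r|\n|\Z)")

def find_nonstandard_eod(payload: bytes):
    """Return (offset_of_dot, sequence) for every lone-dot line that is NOT
    the standard <CR><LF>.<CR><LF> end-of-data marker."""
    findings = []
    prev_end = CRLF  # assumption: the preceding DATA command line ended in CRLF
    for m in LINE_RE.finditer(payload):
        content, end = m.group(1), m.group(2)
        # A lone "." with a terminator is an end-of-data candidate; it is
        # ambiguous unless both surrounding line endings are exactly CRLF.
        if content == b"." and end and (prev_end != CRLF or end != CRLF):
            findings.append((m.start(), prev_end + b"." + end))
        if m.end() == len(payload):
            break
        prev_end = end
    return findings

# Constructed sample payloads (bytes as they would appear after the 354 reply).
SAMPLE_SUSPECT = (
    b"Subject: test\r\n\r\n"
    b"line one\n.\r\n"                       # <LF>.<CR><LF> inside the body
    b"bytes after the ambiguous terminator\r\n"
    b".\r\n"                                 # real end of data
)
SAMPLE_CLEAN = (
    b"Subject: test\r\n\r\n"
    b"line one\r\n"
    b"..dot-stuffed line\r\n"                # leading dot doubled by the client
    b".\r\n"
)

if __name__ == "__main__":
    for name, data in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        hits = find_nonstandard_eod(data)
        print(name, "->", hits if hits else "only standard end-of-data")
```

A non-empty result means two servers could disagree about where the message ends, so the payload should be rejected or have its line endings normalized before relaying.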
