New vulnerability in old email protocol: SMTP smuggling

When email travels across the Internet today, the Simple Mail Transfer Protocol (SMTP) is almost certainly involved. Most email clients and servers use it to deliver messages, whether to local or remote recipients, and the servers responsible for transport use it among themselves. The protocol is ancient, and many of today’s nagging email problems, from spam to phishing, can be traced back to the fact that it has never been fundamentally revised.


It is therefore all the more surprising that it was only in June that researchers from SEC Consult discovered yet another unpleasant property: with slightly altered input data, they were able to spoof email senders and, for example, pose as an admin towards users. This would not be news if the technique, which its discoverers call “SMTP smuggling”, did not get past every method devised to secure email. SPF, DKIM and DMARC, which are supposed to catch such things with declarations of intent, signatures and header checks, fail under “ideal” circumstances.

The model for this was a class of attacks on web servers that exploit implementation weaknesses: they manage to foist additional requests on backend servers by smuggling them, as free riders, inside an inconspicuous request to the frontend. The security researchers at SEC Consult found that something similar happens in the SMTP dialogue between servers, because they interpret the agreed end-of-data marker (a line containing only a period) differently. This allowed them to attach a second message with forged sender addresses to an innocuous message.

The researchers used these findings to examine the behaviour of the servers of many large email providers. They also found variations that can be used to exploit the weakness: it depends on the line endings used, for example only linefeed characters, combinations with carriage returns, or interspersed null characters. However, because the forged email comes from the respective server itself, the techniques invented specifically to combat forgery, such as SPF, DKIM and DMARC, may even confirm its supposed authenticity.
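To make the line-ending variations concrete from the receiving side, here is an added Python example (written for this page, not code from SEC Consult or any of the providers mentioned). It splits a DATA stream only at the RFC-conformant CRLF.CRLF terminator and then flags the bare-LF, bare-CR and NUL-padded period lines that a more lenient peer might accept as a second terminator. All sample streams, header names and function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5321 ends the DATA section with exactly CRLF "." CRLF. A lenient server
# may additionally accept LF-only, CR-only or NUL-padded variants; when the
# sending and receiving servers disagree, a second message can be smuggled.
_ANY_EOL = rb"(?:\r\n|\n|\r)"
_AMBIGUOUS_EOD = re.compile(rb"(?:^|" + _ANY_EOL + rb")\x00*\.\x00*" + _ANY_EOL)
_BARE_LF = re.compile(rb"(?<!\r)\n")
_BARE_CR = re.compile(rb"\r(?!\n)")
_NUL = re.compile(rb"\x00")


@dataclass(frozen=True)
class Finding:
    kind: str      # "bare-lf", "bare-cr", "nul" or "ambiguous-end-of-data"
    offset: int    # byte offset into the DATA body
    sample: bytes  # the matched bytes, for logging


def split_data_section(stream: bytes) -> tuple[bytes, Optional[bytes]]:
    """Split the bytes a client sent after DATA at the one legitimate
    terminator, CRLF.CRLF. Returns (body, remainder); remainder is None when
    the terminator has not arrived yet. The body keeps its final CRLF."""
    if stream.startswith(b".\r\n"):  # empty message: "." is the first line
        return b"", stream[3:]
    idx = stream.find(b"\r\n.\r\n")
    if idx < 0:
        return stream, None
    return stream[: idx + 2], stream[idx + 5:]


def audit_body(body: bytes) -> list[Finding]:
    """Report every byte sequence in a DATA body that a lenient peer might
    mistake for the end-of-data marker, plus the bare CR/LF and NUL bytes
    that make such confusion possible."""
    findings: list[Finding] = []
    for kind, pattern in (("bare-lf", _BARE_LF), ("bare-cr", _BARE_CR), ("nul", _NUL)):
        for m in pattern.finditer(body):
            context = body[max(0, m.start() - 4): m.end() + 4]
            findings.append(Finding(kind, m.start(), context))
    for m in _AMBIGUOUS_EOD.finditer(body):
        findings.append(Finding("ambiguous-end-of-data", m.start(), m.group(0)))
    return sorted(findings, key=lambda f: f.offset)


def should_reject(stream: bytes) -> bool:
    """Policy a hardened relay could apply: refuse the message if the body
    contains any bare CR/LF, NUL, or a line a lenient peer could read as a
    second end-of-data marker."""
    body, _ = split_data_section(stream)
    return bool(audit_body(body))


# Constructed sample DATA streams (not real captures). Header values are
# placeholders; ".." is legitimate dot-stuffing of a line starting with ".".
BENIGN = (b"From: alice@example.test\r\nTo: bob@example.test\r\n\r\n"
          b"hello\r\n..a line that starts with a dot\r\n.\r\nQUIT\r\n")
SMUGGLE_LF = (b"From: alice@example.test\r\n\r\nhello\n.\r\n"
              b"X-Constructed-Second-Message: yes\r\n.\r\nQUIT\r\n")
SMUGGLE_NUL = (b"From: alice@example.test\r\n\r\nhello\r\n\x00.\r\n"
               b"X-Constructed-Second-Message: yes\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("lf", SMUGGLE_LF), ("nul", SMUGGLE_NUL)):
        body, _ = split_data_section(stream)
        verdict = "reject" if should_reject(stream) else "accept"
        print(name, verdict, audit_body(body))
```

Rejecting on any finding is the strict policy: it mirrors the approach of the Postfix workaround the article points to, whose `smtpd_forbid_bare_newline` setting (a real option, not named on this page) refuses bare newlines in DATA outright rather than trying to guess what the next hop will do with them. The `remainder` returned by `split_data_section` is what a conformant server would treat as the next SMTP command, which is why only the strict terminator may be used to produce it.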

As part of a responsible disclosure, the SEC Consult researchers shared their discovery with Microsoft, Cisco and GMX at the end of July. GMX responded around two weeks later and fixed the problem on its servers. It took Microsoft more than two months to close the possibility of manipulation on Exchange Online (Hotmail etc.). According to the researchers, the widely used Cisco Secure Email Gateway can only be hardened against smuggling attacks through manual intervention.

Due to a misunderstanding in the coordination with the CERT Coordination Center (CERT/CC), SEC Consult reports, independent projects such as Postfix were taken by surprise when the discovery was disclosed on the researchers’ blog shortly before Christmas. In the meantime, the blog offers advice that mail server operators can implement. The discoverer used this year’s Chaos Communication Congress (37C3) to… apologize to the Postfix maintainers and explain his discovery.

The Postfix project has published information about a workaround and patches.


(tiw)
