We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-51764



Description

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Reserved 2023-12-24 | Published 2023-12-24 | Updated 2024-08-02 | Assigner mitre

References

www.postfix.org/smtp-smuggling.html

sec-consult.com/...mtp-smuggling-spoofing-e-mails-worldwide/

www.openwall.com/lists/oss-security/2023/12/24/1 ([oss-security] 20231224 Re: Re: New SMTP smuggling attack) mailing-list

www.openwall.com/lists/oss-security/2023/12/25/1 ([oss-security] 20231225 Re: Re: New SMTP smuggling attack) mailing-list

bugzilla.redhat.com/show_bug.cgi?id=2255563

access.redhat.com/security/cve/CVE-2023-51764

fahrplan.events.ccc.de/...ss/2023/fahrplan/events/11782.html

github.com/eeenvik1/CVE-2023-51764

github.com/duy-31/CVE-2023-51764

www.youtube.com/watch?v=V8KPV96g1To

lists.fedoraproject.org/...QRLF5SOS7TP5N7FQSEK2NFNB44ISVTZC/ (FEDORA-2024-c839e7294f) vendor-advisory

lists.fedoraproject.org/...JQ5WXFCW2N6G2PH3JXDTYW5PH5EBQEGO/ (FEDORA-2024-5c186175f2) vendor-advisory

lwn.net/Articles/956533/

www.openwall.com/lists/oss-security/2024/01/22/1

www.postfix.org/announcements/postfix-3.8.5.html

lists.debian.org/debian-lts-announce/2024/01/msg00020.html ([debian-lts-announce] 20240130 [SECURITY] [DLA 3725-1] postfix security update) mailing-list

www.openwall.com/lists/oss-security/2024/05/09/3 ([oss-security] 20240508 Re: New SMTP smuggling attack) mailing-list

cve.org (CVE-2023-51764)

nvd.nist.gov (CVE-2023-51764)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2023-51764

Support options

Helpdesk Chat, Email, Knowledgebase