Bug 1218304 (CVE-2023-51764)

Summary: VUL-0: CVE-2023-51764: postfix: new SMTP smuggling attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Peter Varkoly <varkoly>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bert.stel, boyd.memmott, camila.matos, jochen.roeder, sascha.wessels
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/388986/
See Also: http://www.suse.com/support/kb/doc/?id=000021307
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51764:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2023-12-21 09:48:32 UTC
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ 

describes a new SMTP smuggling attack that exploits inconsistent handling of the "<cr><lf>.<cr><lf>" data end marker on some email servers.

postfix has published a hardening measure that avoids accepting streamed emails.

https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html

As part of a non-responsible disclosure process, SEC Consult has
published an email spoofing attack that involves a composition of
different mail service behaviors with respect to broken line endings.


A short-term fix may be deployed now, before the upcoming long holiday:

- Postfix 3.9 (stable release early 2024), rejects unauthorised
  pipelining by default: "smtpd_forbid_unauth_pipelining = yes".

- Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same feature,
  but the "smtpd_forbid_unauth_pipelining" parameter defaults to
  "no".

Setting "smtpd_forbid_unauth_pipelining = yes" may break legitimate
SMTP clients that mis-implement SMTP, but such clients are exceedingly
rare, especially when email is sent across the Internet.

This short-term fix will stop the published form of the attack, but
other forms exist that will not be stopped in this manner.

The longer-term fix stops all forms of the smuggling attacks and is
in testing. For most sites, this fix will be too late for deployment
before a long holiday break, when typically production changes are
not allowed until January.

Timeline:
Dec 18 SEC Consult publishes an attack (composition of mail service behaviors)
Dec 19 Implement fix for Postfix, start testing and Q/A
Dec ?? Publish updated stable Postfix versions 3.8, 3.7, 3.6, 3.5
Dec 23 First day of a 10+ day holiday break and production freeze

References:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

        Wietse
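As an added example (not Postfix code and not from the bug or the postfix-users post), a Python checker that applies the RFC 5321 end-of-data rule the description refers to: only <CR><LF>.<CR><LF> terminates DATA, and a lone "." line with any other line ending is reported as a smuggling indicator rather than honoured. The function names and the byte streams in the tests are constructed for illustration.

```python
"""Strict SMTP DATA stream checker (RFC 5321 end-of-data handling).

Added example, not Postfix code. It models the rule a hardened receiver
should follow: the only valid end-of-data marker is <CR><LF>.<CR><LF>,
and any other line ending around a lone "." is a smuggling indicator.
"""
import re

CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"

# Lone "." lines terminated by anything other than CRLF on both sides,
# e.g. <LF>.<LF>, <CR>.<CR>, <LF>.<CR><LF>. A lenient receiver may take
# these as end of message; an RFC-strict one must not. That difference
# between servers is the inconsistency the bug describes.
NON_STANDARD_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# Any CR or LF that is not part of a CRLF pair (bare line endings).
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def split_strict(raw: bytes) -> tuple[bytes, bytes]:
    """Split a DATA stream at the first RFC-compliant terminator only.

    Returns (message_body, trailing_bytes). CRLF is prepended so that a
    "." line at the very start of DATA is still seen as a full line.
    """
    stream = CRLF + raw
    idx = stream.find(END_OF_DATA)
    if idx < 0:
        raise ValueError("no <CR><LF>.<CR><LF> terminator in stream")
    body = stream[len(CRLF):idx]
    rest = stream[idx + len(END_OF_DATA):]
    return body, rest


def audit_data_stream(raw: bytes) -> list[str]:
    """Report line-ending anomalies a hardened receiver should reject."""
    findings = []
    body, _rest = split_strict(raw)
    bare = BARE_NEWLINE.findall(body)
    if bare:
        findings.append(f"{len(bare)} bare CR/LF line ending(s) in body")
    # The body is everything before the first real terminator, so any
    # "." line found here has a non-standard ending: flag it.
    for m in NON_STANDARD_EOD.finditer(CRLF + body):
        findings.append(
            f"non-standard end-of-data {m.group()!r} at offset {m.start()}")
    return findings
```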
Comment 6 Maintenance Automation 2023-12-28 08:30:01 UTC
SUSE-SU-2023:4981-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764
Sources used:
openSUSE Leap 15.5 (src): postfix-bdb-3.7.3-150500.3.11.1, postfix-3.7.3-150500.3.11.1
Basesystem Module 15-SP5 (src): postfix-3.7.3-150500.3.11.1
Legacy Module 15-SP5 (src): postfix-bdb-3.7.3-150500.3.11.1
Server Applications Module 15-SP5 (src): postfix-3.7.3-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 OBSbugzilla Bot 2023-12-28 09:35:12 UTC
This is an autogenerated message for OBS integration:
This bug (1218304) was mentioned in
https://build.opensuse.org/request/show/1135431 Factory / postfix
Comment 8 Maintenance Automation 2024-01-02 16:30:02 UTC
SUSE-SU-2024:0012-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Manager Proxy 4.3 (src): postfix-3.5.9-150300.5.15.1
SUSE Manager Retail Branch Server 4.3 (src): postfix-3.5.9-150300.5.15.1
SUSE Manager Server 4.3 (src): postfix-3.5.9-150300.5.15.1
SUSE Enterprise Storage 7.1 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
openSUSE Leap 15.3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
openSUSE Leap 15.4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
Basesystem Module 15-SP4 (src): postfix-3.5.9-150300.5.15.1
Legacy Module 15-SP4 (src): postfix-bdb-3.5.9-150300.5.15.1
Server Applications Module 15-SP4 (src): postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise Real Time 15 SP4 (src): postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postfix-bdb-3.5.9-150300.5.15.1, postfix-3.5.9-150300.5.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 OBSbugzilla Bot 2024-01-18 11:35:09 UTC
This is an autogenerated message for OBS integration:
This bug (1218304) was mentioned in
https://build.opensuse.org/request/show/1139680 Factory / postfix
Comment 10 OBSbugzilla Bot 2024-01-19 09:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1218304) was mentioned in
https://build.opensuse.org/request/show/1139868 Factory / postfix
Comment 11 Marcus Meissner 2024-03-18 07:50:29 UTC
still needed for SUSE:SLE-12-SP3:Update postfix for SLES 12 SP5.
Comment 14 Maintenance Automation 2024-04-08 12:30:34 UTC
SUSE-SU-2024:1149-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1218304, 1218314
CVE References: CVE-2023-51764
Maintenance Incident: [SUSE:Maintenance:33003](https://smelt.suse.de/incident/33003/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postfix-3.2.10-3.30.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postfix-3.2.10-3.30.1
SUSE Linux Enterprise Server 12 SP5 (src): postfix-3.2.10-3.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postfix-3.2.10-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.