Bug 1218351 (CVE-2023-51765)

Summary: VUL-0: CVE-2023-51765: sendmail: new SMTP smuggling attack
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bert.stel, boyd.memmott, jochen.roeder, meissner, security-team, varkoly, werner
Version: unspecifiedFlags: werner: needinfo? (meissner)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/389198/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51765:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2023-12-22 12:04:48 UTC 
+++ This bug was initially created as a clone of Bug #1218304 +++

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ 

describes a new SMTP smuggling attack, that exploits  "<cr><lf>.<cr><lf>" data end marker inconistent handling on some email servers.
Comment 1 Marcus Meissner 2023-12-22 12:35:57 UTC 
sendmail snapshot 8.18.0.2 is available for testing. It offers the
new srv_features option 'o' to require CR LF . CR LF as end of an
SMTP message and fixes parsing of UTF8 addresses when
SMTPUTF8 BODY=3D7BIT are used as parameters for the MAIL command.

SHA256 (sendmail.8.18.0.2.tar.gz) =3D b8f64c67f94dc6ff0f65498636f8f90b794e58ded15a05650a98115167b60773
SHA256 (sendmail.8.18.0.2.tar.gz.sig) =3D 95c3f2845f0d099d6e2d4662f73a0e1afe83f028b69e3c62a9fdf12bbdaccdec

Available at:
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig


No seperate patch provided
Comment 2 Marcus Meissner 2023-12-22 13:37:15 UTC 
i have the diff between 8.17.2 and 8.18.0.2 , it is quite long but the 'O' option code might be extractable with some effort.

not sure how easy this will integrate.
Comment 3 Marcus Meissner 2023-12-24 09:24:07 UTC 
CVE-2023-51765 was assigned
Comment 21 Dr. Werner Fink 2024-02-22 08:24:25 UTC 
Both SR for SLE-12 and SLE-15 are accepted
Comment 22 Maintenance Automation 2024-03-04 08:30:03 UTC 
SUSE-SU-2024:0743-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218351
CVE References: CVE-2023-51765
Sources used:
openSUSE Leap 15.5 (src): sendmail-8.15.2-150000.8.12.1
Basesystem Module 15-SP5 (src): sendmail-8.15.2-150000.8.12.1
SUSE Package Hub 15 15-SP5 (src): sendmail-8.15.2-150000.8.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-03-04 08:30:05 UTC 
SUSE-SU-2024:0742-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218351
CVE References: CVE-2023-51765
Sources used:
Legacy Module 12 (src): sendmail-8.14.9-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.