Bug 1218351 (CVE-2023-51765) - VUL-0: CVE-2023-51765: sendmail: new SMTP smuggling attack
Summary: VUL-0: CVE-2023-51765: sendmail: new SMTP smuggling attack
Status: RESOLVED FIXED
Alias: CVE-2023-51765
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/389198/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51765:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-22 12:04 UTC by Marcus Meissner
Modified: 2024-03-04 08:30 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
werner: needinfo? (meissner)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2023-12-22 12:04:48 UTC 
+++ This bug was initially created as a clone of Bug #1218304 +++

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ 

describes a new SMTP smuggling attack, that exploits  "<cr><lf>.<cr><lf>" data end marker inconistent handling on some email servers.
Comment 1 Marcus Meissner 2023-12-22 12:35:57 UTC 
sendmail snapshot 8.18.0.2 is available for testing. It offers the
new srv_features option 'o' to require CR LF . CR LF as end of an
SMTP message and fixes parsing of UTF8 addresses when
SMTPUTF8 BODY=3D7BIT are used as parameters for the MAIL command.

SHA256 (sendmail.8.18.0.2.tar.gz) =3D b8f64c67f94dc6ff0f65498636f8f90b794e58ded15a05650a98115167b60773
SHA256 (sendmail.8.18.0.2.tar.gz.sig) =3D 95c3f2845f0d099d6e2d4662f73a0e1afe83f028b69e3c62a9fdf12bbdaccdec

Available at:
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig


No seperate patch provided
Comment 2 Marcus Meissner 2023-12-22 13:37:15 UTC 
i have the diff between 8.17.2 and 8.18.0.2 , it is quite long but the 'O' option code might be extractable with some effort.

not sure how easy this will integrate.
Comment 3 Marcus Meissner 2023-12-24 09:24:07 UTC 
CVE-2023-51765 was assigned
Comment 21 Dr. Werner Fink 2024-02-22 08:24:25 UTC 
Both SR for SLE-12 and SLE-15 are accepted
Comment 22 Maintenance Automation 2024-03-04 08:30:03 UTC 
SUSE-SU-2024:0743-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218351
CVE References: CVE-2023-51765
Sources used:
openSUSE Leap 15.5 (src): sendmail-8.15.2-150000.8.12.1
Basesystem Module 15-SP5 (src): sendmail-8.15.2-150000.8.12.1
SUSE Package Hub 15 15-SP5 (src): sendmail-8.15.2-150000.8.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2024-03-04 08:30:05 UTC 
SUSE-SU-2024:0742-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218351
CVE References: CVE-2023-51765
Sources used:
Legacy Module 12 (src): sendmail-8.14.9-4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.