Using smuggling, an email can be split so that spoofed senders bypass authentication mechanisms such as SPF, DKIM and DMARC. While large companies and email service providers such as Microsoft, GMX and Ionos immediately closed the smuggling hole, Cisco continues to regard the behaviour as a feature, according to the BSI.
On December 18, cybersecurity firm SEC Consult released information about a new attack technique using “Simple Mail Transfer Protocol (SMTP) Smuggling.” With SMTP smuggling, attackers take advantage of the fact that different SMTP implementations interpret the marking of the end of an email message differently.
SPF, DKIM and DMARC bypassed
This allows attackers to send emails that an affected email system splits into several emails. In this way, new emails are created that carry fake senders (spoofing), bypass authentication mechanisms such as SPF, DKIM and DMARC, or no longer carry warnings such as a spam flag in the subject line.
By exploiting differences in how outgoing and incoming SMTP servers interpret a character sequence, attackers can send spoofed emails on behalf of trusted domains. This in turn enables a wide variety of social engineering and phishing attacks. A detailed technical explanation of SMTP smuggling is provided in the blog article published by SEC Consult.
All companies fix it - only Cisco considers it a feature
As part of the company's responsible disclosure process, large companies identified by SEC Consult as having affected IT products and IT services (Microsoft, Cisco, GMX/Ionos) were informed prior to publication in order to give them sufficient time to correct the vulnerability. Microsoft and GMX have since secured their email services against SMTP smuggling. According to SEC Consult, Cisco considers the problem found in (on-prem / cloud-based) Cisco Secure Email (Cloud) Gateway to be a feature and not a vulnerability. The problem in Cisco Secure Email Gateway is the (default) CR and LF handling: the gateway accepts messages containing bare CR and LF characters and converts them to CRLF. This behavior allows the receipt of spoofed emails with valid DMARC.
The weak point lies not in the underlying standards, but in the often inadequate implementation of them. The attack can be mitigated with comparatively little effort through a stricter interpretation of RFC5321 and RFC5322 and the use of the BDAT command, in which the sender explicitly specifies the data size.
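As an added illustration (not code from the BSI, SEC Consult or Cisco), the following Python sketch contrasts the strict RFC 5321 reading of the end-of-data marker with the CR/LF normalisation behaviour described above, and shows the bare-newline check an inbound server can apply instead of repairing the data. The DATA payload and the SMTP reply strings are constructed for this example.

```python
import re

# Any CR or LF that is not part of a CRLF pair (a "bare" line ending).
BARE_NEWLINE = re.compile(rb"(?<!\r)\n|\r(?!\n)")
# The only end-of-data marker RFC 5321 allows.
STRICT_EOD = b"\r\n.\r\n"

def bare_newline_offsets(data: bytes) -> list:
    """Byte offsets of every bare CR / bare LF in a DATA payload (detection signal)."""
    return [m.start() for m in BARE_NEWLINE.finditer(data)]

def split_strict(data: bytes) -> list:
    """Strict RFC 5321 reading: only <CRLF>.<CRLF> terminates DATA.
    Bare CR/LF remains ordinary body content and never ends the message."""
    parts = data.split(STRICT_EOD)
    return [p for p in parts if p]  # drop the empty tail after the final marker

def split_lenient(data: bytes) -> list:
    """Normalising behaviour described in the article: bare CR/LF is rewritten to CRLF
    before the terminator is searched. A bare <LF>.<LF> in the body thereby becomes a
    valid terminator and the single inbound message is cut into two."""
    return split_strict(BARE_NEWLINE.sub(b"\r\n", data))

def reject_if_bare_newline(data: bytes) -> tuple:
    """Hardened inbound policy: refuse a DATA payload with bare CR/LF rather than fix it.
    Reply texts are constructed for the example."""
    offsets = bare_newline_offsets(data)
    if offsets:
        return (False, f"554 5.6.0 bare CR/LF at offsets {offsets}")
    return (True, "250 2.0.0 Ok")

# Constructed sample payload (not a real capture): one message whose body contains a
# bare "<LF>.<LF>" sequence followed by further text, then the real terminator.
CONSTRUCTED_DATA = (
    b"From: alice@example.org\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"first part"
    b"\n.\n"  # bare-LF sequence: plain payload under RFC 5321
    b"text a lenient gateway treats as a second message\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    print(len(split_strict(CONSTRUCTED_DATA)), "message(s) under strict handling")
    print(len(split_lenient(CONSTRUCTED_DATA)), "message(s) after CRLF normalisation")
    print(reject_if_bare_newline(CONSTRUCTED_DATA))
```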
BSI recommends measures for Cisco Secure Email
The BSI recommends installing the patches provided and ensuring that the IT systems in use are configured so that only RFC-compliant end-of-data sequences are accepted. For the IT product (on-prem / cloud-based) Cisco Secure Email (Cloud) Gateway, SEC Consult recommends changing the CR and LF handling configuration to the “Allow” behavior in order to protect against attacks using SMTP smuggling.
The BSI already provides information about available patches and mitigation measures to system operators via its warning and information service portal (WID). For example, the developers of Postfix provide instructions for a workaround. It can be assumed that manufacturers of email infrastructure products not named so far will also publish workarounds or patches that solve the problem in the coming days.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the shaper of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.