Table of Contents
On December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors such as Microsoft, GMX or Cisco. While the vulnerability was fixed in GMX and Microsoft products, it is considered as a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway, and thus, it was not fixed.
It is recommended to change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.
SMTP Smuggling Vulnerability
SMTP Smuggling Vulnerability
Summary
On December 18, 2023, researchers from SEC Consult published an article highlighting an SMTP Smuggling vulnerability that affects products from various vendors, including Microsoft, GMX, and Cisco [1]. Although GMX and Microsoft have fixed the vulnerability, it is considered a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway and has not been addressed.
It is strongly recommended to modify the default configurations of Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to mitigate this vulnerability.
Technical Details
The vulnerability stems from different interpretations of the end-of-data sequence (.) in emails. By exploiting these interpretation differences in the SMTP protocol, attackers can smuggle or send spoofed emails, referred to as SMTP smuggling, while still passing SPF alignment checks. There are two types of SMTP smuggling: outbound and inbound.
Affected Products
This vulnerability affects Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway.
Recommendations
To mitigate this vulnerability, it is advised to change the default handling of carriage returns and line feed configuration in Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to "Allow" [2] instead of "Clean".
References
- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
- https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100.html?bookSearch=true#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86
```htmlMITRE ATT&CK Matrix - SMTP Smuggling Vulnerability
MITRE ATT&CK Matrix for SMTP Smuggling Vulnerability
Enterprise Layer
| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
|---|---|---|---|
| Initial Access | T1193 - Spearphishing Attachment | APT Groups (Not specified in the advisory) | M1037 - Email Gateway |
| Execution | T1566.002 - Phishing: Spearphishing Link | APT Groups (Not specified in the advisory) | M1047 - Audit: Email Rules |
| Collection | T1114 - Email Collection | APT Groups (Not specified in the advisory) | M1054 - Configuration: Change default configurations as recommended |
| Impact | T1565.001 - Data Manipulation: Stored Data Manipulation | APT Groups (Not specified in the advisory) | M1050 - Data Backup |
Mobile Layer
| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
|---|---|---|---|
| Initial Access | T1566 - Phishing | APT Groups (Not specified in the advisory) | M1011 - User Training |
| Execution | T1476 - Deliver Malicious App via Other Means | APT Groups (Not specified in the advisory) | M1032 - Application Control |
| Credential Access | T1539 - Steal Application Access Token | APT Groups (Not specified in the advisory) | M1013 - Application Vetting |
ICS Layer
| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
|---|---|---|---|
| Initial Access | T1189 - Drive-by Compromise | APT Groups (Not specified in the advisory) | M1030 - Network Segregation |
| Persistence | T0856 - External Remote Services | APT Groups (Not specified in the advisory) | M1030 - Network Segregation |
| Evasion | T0833 - Manipulate Control Logic | APT Groups (Not specified in the advisory) | M1050 - Data Backup |
Recommendations specifically for mitigating the SMTP Smuggling vulnerability:
- Change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to handle carriage returns and line feeds by setting to 'Allow' instead of 'Clean' as referenced in [2]. This configuration change is advised to prevent exploitation of the SMTP Smuggling vulnerability.
References:
```
This post was generated entirely by an AI language model. Source: CERT EU
