2023-098: SMTP Smuggling Vulnerability in CISCO Secure Email Gateway

On December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors, such as Microsoft, GMX and Cisco. While the vulnerability was fixed in GMX and Microsoft products, it is considered a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway and thus was not fixed.
It is recommended to change the default configuration of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.


SMTP Smuggling Vulnerability

Summary

On December 18, 2023, researchers from SEC Consult published an article highlighting an SMTP Smuggling vulnerability that affects products from various vendors, including Microsoft, GMX, and Cisco [1]. Although GMX and Microsoft have fixed the vulnerability, it is considered a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway and has not been addressed.

It is strongly recommended to modify the default configurations of Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to mitigate this vulnerability.

Technical Details

The vulnerability stems from mail servers interpreting the SMTP end-of-data sequence (a line containing only a dot) differently. By exploiting these interpretation differences between the sending and receiving server, attackers can inject and send spoofed emails, a technique referred to as SMTP smuggling, while still passing SPF alignment checks. There are two variants of SMTP smuggling: outbound and inbound.

Affected Products

This vulnerability affects Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway.

Recommendations

To mitigate this vulnerability, it is advised to change the default carriage return and line feed (CR/LF) handling configuration of Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway from "Clean" to "Allow" [2].
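As an added illustration of the end-of-data disagreement described under Technical Details and of why the CR/LF handling setting in the recommendation matters, the following Python (written for this page, not code from the advisory or from Cisco) delimits a DATA stream strictly per RFC 5321, flags terminator lookalikes built from bare CR or LF inside the body, and models a "Clean" hop as one that rewrites bare CR or LF to CRLF before parsing. The "Clean" model and the two sample streams are constructed assumptions; [2] holds the setting's actual semantics.

```python
import re

# RFC 5321: a DATA payload ends only at <CRLF>.<CRLF>.
STRICT_EOD = b"\r\n.\r\n"

# A dot on a line delimited by a bare LF or bare CR on at least one side.
# A strict receiver keeps it as body text; a hop that normalises line
# endings first turns it into a real terminator, so the two hops disagree
# on where the message ends.
_DOT_LINE = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# Constructed sample streams: headers, body, terminator, trailing bytes.
CONSTRUCTED_LEGIT = b"From: a\r\nTo: b\r\n\r\nhello\r\n.\r\nQUIT\r\n"
CONSTRUCTED_SMUGGLED = b"From: a\r\nTo: b\r\n\r\nfirst part\n.\nsecond part\r\n.\r\n"


def split_strict(stream: bytes) -> tuple[bytes, bytes]:
    """Split one DATA payload off a raw stream the RFC way: (body, remainder)."""
    idx = stream.find(STRICT_EOD)
    if idx < 0:
        raise ValueError("stream has no <CRLF>.<CRLF> terminator")
    return stream[:idx], stream[idx + len(STRICT_EOD):]


def clean_line_endings(data: bytes) -> bytes:
    """Model of a 'Clean' hop (assumption): rewrite bare CR or LF as CRLF."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


def lookalike_offsets(body: bytes) -> list[int]:
    """Offsets inside a strictly delimited body where a terminator lookalike sits."""
    return [m.start() for m in _DOT_LINE.finditer(body)
            if m.group(0) != STRICT_EOD]


def inspect_data(stream: bytes) -> dict:
    """Report whether a strict hop and a 'Clean' hop would agree on this DATA."""
    body, _ = split_strict(stream)
    # The strict body cannot contain STRICT_EOD (we split at its first
    # occurrence), so any terminator present after normalisation was
    # manufactured by the cleaning step.
    manufactured = clean_line_endings(body).count(STRICT_EOD)
    return {"lookalikes": lookalike_offsets(body),
            "terminators_after_clean": manufactured,
            "hops_disagree": manufactured > 0}


if __name__ == "__main__":
    for name, s in (("legit", CONSTRUCTED_LEGIT), ("smuggled", CONSTRUCTED_SMUGGLED)):
        print(name, inspect_data(s))
```

A gateway set to "Allow" passes the bare CR/LF through unchanged, so the downstream strict parse sees the same single message as the sending side; the manufactured terminator only appears on the "Clean" path.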

References

  1. https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
  2. https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100.html?bookSearch=true#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86

MITRE ATT&CK Matrix for SMTP Smuggling Vulnerability

Enterprise Layer

| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
| --- | --- | --- | --- |
| Initial Access | T1193 - Spearphishing Attachment | APT Groups (not specified in the advisory) | M1037 - Email Gateway |
| Execution | T1566.002 - Phishing: Spearphishing Link | APT Groups (not specified in the advisory) | M1047 - Audit: Email Rules |
| Collection | T1114 - Email Collection | APT Groups (not specified in the advisory) | M1054 - Configuration: Change default configurations as recommended |
| Impact | T1565.001 - Data Manipulation: Stored Data Manipulation | APT Groups (not specified in the advisory) | M1050 - Data Backup |

Mobile Layer

| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
| --- | --- | --- | --- |
| Initial Access | T1566 - Phishing | APT Groups (not specified in the advisory) | M1011 - User Training |
| Execution | T1476 - Deliver Malicious App via Other Means | APT Groups (not specified in the advisory) | M1032 - Application Control |
| Credential Access | T1539 - Steal Application Access Token | APT Groups (not specified in the advisory) | M1013 - Application Vetting |

ICS Layer

| Tactic | Technique/Sub-technique | Potential Attacker Groups | Mitigation Techniques |
| --- | --- | --- | --- |
| Initial Access | T1189 - Drive-by Compromise | APT Groups (not specified in the advisory) | M1030 - Network Segregation |
| Persistence | T0856 - External Remote Services | APT Groups (not specified in the advisory) | M1030 - Network Segregation |
| Evasion | T0833 - Manipulate Control Logic | APT Groups (not specified in the advisory) | M1050 - Data Backup |

Recommendations specifically for mitigating the SMTP Smuggling vulnerability:

  • Change the default CR/LF handling configuration of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway from 'Clean' to 'Allow', as referenced in [2]. This configuration change is advised to prevent exploitation of the SMTP Smuggling vulnerability.

References:

  1. SEC Consult Advisory
  2. Cisco Documentation


This post was generated entirely by an AI language model. Source: CERT EU