CVE-2023-51764

ID: RH:CVE-2023-51764
Source: redhat.com (access.redhat.com)
Published: 2023-12-25 22:00:35
Tags: postfix, smtp, flaw, remote attacker, spoofed emails, spf checks, mitigation strategies, package updates

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 5.2 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 65.3%)

A flaw was found in some SMTP server configurations in Postfix. This flaw allows a remote attacker to break out of email message data to “smuggle” SMTP commands and send spoofed emails that pass SPF checks. Out of the box, Postfix aims to accommodate older clients with faulty SMTP implementations, so the relevant restrictions are not enforced in the default configuration. Mitigation strategies are described in the Mitigation section below.

Mitigation

This flaw can be PARTIALLY mitigated via the following options in main.cf:

smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard

Please note this only blocks the misuse of SMTP command pipelining, but does not address message pipelining or malformed line endings. The only fix for these issues is via package updates.
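
An added example, not part of the Red Hat advisory: a small audit that reads main.cf text and reports which of the two mitigation settings above are missing. It assumes values are written literally (no $parameter references); the function names and both sample configurations are constructed for illustration.

```python
import re

# Settings from the advisory's partial mitigation: parameter -> values that must be listed.
# "silent-discard" is not required here; it only suppresses logging of the discard.
REQUIRED = {
    "smtpd_data_restrictions": {"reject_unauth_pipelining"},
    "smtpd_discard_ehlo_keywords": {"chunking"},
}

def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored, even inside a continuation
        if raw[0] in " \t":
            if name is not None:  # leading whitespace continues the previous logical line
                params[name] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        name = key.strip() if sep else None
        if name:
            params[name] = value.strip()
    return params

def missing_mitigations(text):
    """Return {parameter: [required values not configured]}; empty dict means both are set."""
    params = parse_main_cf(text)
    missing = {}
    for name, needed in REQUIRED.items():
        # List values are separated by commas and/or whitespace.
        present = {v.lower() for v in re.split(r"[,\s]+", params.get(name, "")) if v}
        if needed - present:
            missing[name] = sorted(needed - present)
    return missing

# Constructed samples: the commented-out line in WEAK must not count as configured.
WEAK = """\
smtpd_banner = $myhostname ESMTP
#smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = dsn
"""
HARDENED = """\
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
smtpd_discard_ehlo_keywords = chunking, silent-discard
"""

if __name__ == "__main__":
    print("weak:", missing_mitigations(WEAK))
    print("hardened:", missing_mitigations(HARDENED))
```

An empty result only confirms the partial mitigation is configured; as the advisory states, message pipelining and malformed line endings are addressed only by package updates.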
