{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-098.pdf"
    },
    "title": "SMTP Smuggling Vulnerability in CISCO Secure Email Gateway",
    "serial_number": "2023-098",
    "publish_date": "19-12-2023 14:35:45",
    "description": "On December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors such as Microsoft, GMX or Cisco. While the vulnerability was fixed in GMX and Microsoft products, it is considered as a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway, and thus, it was not fixed.<br>\nIt is recommended to change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.<br>\n",
    "url_title": "2023-098",
    "content_markdown": "---\ntitle: 'SMTP Smuggling Vulnerability in\u00a0CISCO\u00a0Secure\u00a0Email\u00a0Gateway'\nnumber: '2023-098'\nversion: '1.0'\noriginal_date: 'December 18, 2023'\ndate: 'December 19, 2023'\n---\n\n_History:_\n\n* _19/12/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors such as Microsoft, GMX or Cisco [1]. While the vulnerability was fixed in GMX and Microsoft products, it is considered as a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway, and thus, it was not fixed.\n\nIt is recommended to change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.\n\n# Technical Details\n\nThe vulnerability comes from the various interpretations of the end-of-data sequence (`<CR><LF>.<CR><LF>`) in emails. By exploiting this interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed emails - hence SMTP smuggling - while still passing SPF alignment checks. Two types of SMTP smuggling are possible, outbound and inbound.\n\n# Affected Products\n\nCisco Secure Email Gateway and Cisco Secure Email Cloud Gateway are affected by this vulnerability.\n\n# Recommendations\n\nIt is recommended to change the default handling carriage returns and line feed configuration of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to `Allow` [2] and not `Clean`.\n\n# References\n\n[1] <https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/>\n\n[2] <https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100.html?bookSearch=true#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86>",
    "content_html": "<p><em>History:</em></p><ul><li><em>19/12/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors such as Microsoft, GMX or Cisco [1]. While the vulnerability was fixed in GMX and Microsoft products, it is considered as a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway, and thus, it was not fixed.</p><p>It is recommended to change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability comes from the various interpretations of the end-of-data sequence (<code>&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;</code>) in emails. By exploiting this interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed emails - hence SMTP smuggling - while still passing SPF alignment checks. Two types of SMTP smuggling are possible, outbound and inbound.</p><h2 id=\"affected-products\">Affected Products</h2><p>Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway are affected by this vulnerability.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to change the default handling carriage returns and line feed configuration of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to <code>Allow</code> [2] and not <code>Clean</code>.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/\">https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100.html?bookSearch=true#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86\">https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0100.html?bookSearch=true#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}