https://bugs.exim.org/show_bug.cgi?id=3063
Bug ID: 3063
Summary: Partially vulnerable to "SMTP Smuggling" if pipelining
is enabled
Product: Exim
Version: 4.93
Hardware: x86
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Mail Receipt
Assignee: unallocated@???
Reporter: bugzilla.exim.simon@???
CC: exim-dev@???
Exim is partially vulnerable to
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Exim incorrectly allows <LF>.<LF> to end a message:
"However, for the case when a dot on a line by itself terminates a message, the
only recognized terminating sequences before and after the dot are LF and CRLF"
https://www.rfc-editor.org/rfc/rfc5321:
"In particular, the sequence <LF>.<LF> (bare line feeds, without carriage
returns) MUST NOT be treated as equivalent to <CRLF>.<CRLF> as the end of mail
data indication."
With pipelining disabled, Exim is accepting one command after the end of a
message. (I don't think it should do this.)
With pipelining enabled, Exim will accept commands up to DATA but no further.
It's not possible to send a message like this but a precisely arranged set of
packets and network congestion at exactly the right time would make it
possible.
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
