Multiple SMTP Servers Vulnerable to Spoofing Attacks


A CERT/CC vulnerability note describes weaknesses in multiple hosted outbound SMTP servers (relays) that allow authenticated users, and in some cases hosts on trusted networks, to send email with spoofed sender information.

The vulnerabilities, tracked as CVE-2024-7208 and CVE-2024-7209, stem from weaknesses in how these relays enforce the sender identities that Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are meant to authenticate.


Domain-based Message Authentication, Reporting, and Conformance (DMARC), which builds on SPF and DKIM, is circumvented as a result: a message can pass all three checks at the receiver while carrying a spoofed sender identity.

Technical Description of the Vulnerabilities

The vulnerabilities stem from the SMTP protocol's inherent lack of sender authentication, as acknowledged in RFC 5321, Section 7.1. SPF records identify the IP networks authorized to send email on behalf of a domain. DKIM, in turn, adds a digital signature over selected header fields and the body of the relayed message so the receiver can verify them.


DMARC ties these two mechanisms together by requiring that the domain that passed SPF or DKIM align with the domain in the message's From: header. However, according to the CERT note, many hosted email services that serve multiple domains do not adequately verify the authenticated sender against the domain identities that sender is actually allowed to use.

This oversight allows an authenticated attacker to spoof identities in the message header (From:) and send as anyone within any of the domains hosted on the same service.

Impact and Potential Abuse

The impact of these vulnerabilities is significant. An attacker with SMTP authentication, or with access from a network the relay trusts, can spoof the identity of any other domain hosted on the shared facility, bypassing that domain's DMARC policy and the sender verification the receiver relies on.

This could lead to widespread email impersonation, undermining the trust in email communications and potentially causing severe reputational and financial damage to affected organizations.

CVE-2024-7208: Allows an authenticated sender to spoof the identity of a shared, hosted domain, bypassing DMARC, SPF, and DKIM policies.

CVE-2024-7209: A weakness in shared SPF records at multi-tenant hosting providers lets an attacker use the provider's network authorization to spoof the email identity of another tenant.
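To see why the receiver cannot tell these messages apart, the following added illustration (not code from the CERT note or from any mail product; all DNS records, IP ranges and domain names are constructed) evaluates SPF and DMARC alignment for a message submitted through a shared relay. SPF is reduced to the ip4:, include: and all mechanisms, and the organisational domain is approximated by the last two labels rather than the Public Suffix List; both simplifications are enough to show the outcome for two tenants that share the provider's SPF include versus one that does not.

```python
"""Receiver-side view: why a shared SPF record defeats DMARC between tenants.

Added illustration, not code from the CERT note or any mail product. The
DNS records, IP ranges and domains are constructed. SPF is reduced to the
ip4:, include: and all mechanisms (RFC 7208 has more, plus lookup limits),
and organisational-domain matching is a two-label approximation of the
Public Suffix List; both are enough to show the alignment outcome.
"""
import ipaddress
from typing import Optional

# Constructed DNS TXT data. tenant-a and tenant-b both delegate to the same
# provider include, so the provider's whole outbound range is authorised for
# both domains. tenant-c uses a dedicated range for comparison.
DNS_TXT = {
    "tenant-a.example": "v=spf1 include:_spf.mailhost.example -all",
    "tenant-b.example": "v=spf1 include:_spf.mailhost.example -all",
    "tenant-c.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.tenant-b.example": "v=DMARC1; p=reject; aspf=r",
    "_dmarc.tenant-c.example": "v=DMARC1; p=reject; aspf=r",
}

PROVIDER_IP = "203.0.113.25"   # constructed: one address of the shared relay

ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the connecting address `ip`."""
    if depth > 10:
        return "permerror"            # RFC 7208 caps recursive lookups
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if spf_check(ip, term[len("include:"):], depth + 1) == "pass":
                return "pass"
        elif term.lstrip("+-~?") == "all":
            return ALL_QUALIFIERS[term[0] if term[0] in ALL_QUALIFIERS else "+"]
    return "neutral"


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_result(ip: str, mail_from_domain: str, header_from_domain: str,
                 dkim_signing_domain: Optional[str] = None) -> str:
    """DMARC verdict for the RFC5322.From domain: 'pass', 'fail' or 'none'.

    Relaxed alignment is applied throughout (the constructed policies all say
    aspf=r). DKIM is modelled only as 'which d= domain verified', since this
    scenario has no key material.
    """
    if DNS_TXT.get("_dmarc." + header_from_domain.lower()) is None:
        return "none"
    spf_aligned = (spf_check(ip, mail_from_domain) == "pass"
                   and org_domain(mail_from_domain) == org_domain(header_from_domain))
    dkim_aligned = (dkim_signing_domain is not None
                    and org_domain(dkim_signing_domain) == org_domain(header_from_domain))
    return "pass" if (spf_aligned or dkim_aligned) else "fail"


def spoof_via_shared_relay(victim: str) -> str:
    """Another tenant, authenticated to the shared relay (or sending from its
    trusted network), submits a message whose MAIL FROM and From: both name
    `victim`. Return the receiving side's DMARC verdict."""
    return dmarc_result(PROVIDER_IP, victim, victim)


if __name__ == "__main__":
    # tenant-b shares the provider's SPF include: the spoof passes DMARC.
    print("tenant-b:", spoof_via_shared_relay("tenant-b.example"))   # pass
    # tenant-c's SPF names only its own range: the same spoof fails.
    print("tenant-c:", spoof_via_shared_relay("tenant-c.example"))   # fail
```

The receiver only ever sees the provider's IP address and the domains in the envelope and header. Because both tenants authorise the same range, SPF passes for either domain and relaxed alignment is satisfied, so the p=reject policy never fires. The distinction between tenants exists only at the submitting relay, which is why the fix has to be enforced there.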

Domain hosting providers that offer email relay services must implement stricter verification measures. They should ensure that the identity of an authenticated sender is verified against authorized domain identities.

Email service providers should also use reliable methods to verify that the envelope sender (SMTP MAIL FROM) and the message header From: are consistent with each other and with the identity that authenticated.
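One way a relay can implement the check described in the two paragraphs above, as an added example that is not code from the CERT note or from any existing milter or hosting product: the authenticated SASL login is mapped to the set of domains it may send as, and a submission is relayed only when the MAIL FROM domain and the domain of every mailbox in the From: header fall inside that set. The tenant table, logins, domains and sample messages are constructed for the example.

```python
"""Submission-time identity enforcement for a multi-tenant SMTP relay.

Added example, not code from the CERT note or from any existing milter or
hosting product. The tenant table, logins, domains and messages are
constructed. Rule enforced: relay an authenticated submission only when the
SASL login is authorised for the domain of the envelope sender (MAIL FROM)
and for the domain of every mailbox in the header From:.
"""
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed authorisation table: SASL login -> domains it may send as.
TENANTS = {
    "alice@tenant-a.example": {"tenant-a.example"},
    "mailer@tenant-b.example": {"tenant-b.example", "news.tenant-b.example"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address, or '' when there is none (the null
    reverse-path '<>' or a bare local part)."""
    local, sep, dom = addr.strip("<> ").rpartition("@")
    return dom.lower() if sep and local and dom else ""


def header_from_domains(raw_message: bytes) -> set:
    """Domains of every mailbox in the From: header.

    RFC 5322 allows several mailboxes in From:, and a message may carry a
    malformed or missing header; an empty result tells the caller to reject,
    since the relay cannot tie the author identity to the authenticated user.
    """
    msg = BytesParser().parsebytes(raw_message)
    mailboxes = getaddresses(msg.get_all("From", []))
    doms = {domain_of(addr) for _display_name, addr in mailboxes}
    doms.discard("")
    return doms


def vulnerable_accept(auth_user: str, mail_from: str, raw_message: bytes) -> bool:
    """The weak behaviour the advisory describes: authentication is checked,
    authorisation for the claimed sender domain is not."""
    return auth_user in TENANTS


def hardened_accept(auth_user: str, mail_from: str, raw_message: bytes) -> bool:
    """Accept only when the envelope sender domain and every From: domain are
    in the authenticated login's allowed set."""
    allowed = TENANTS.get(auth_user)
    if not allowed:
        return False
    if domain_of(mail_from) not in allowed:
        return False          # also rejects '<>' on the submission port
    hdr_doms = header_from_domains(raw_message)
    return bool(hdr_doms) and hdr_doms <= allowed


# Constructed sample submissions.
LEGIT = (b"From: Alice <alice@tenant-a.example>\r\nTo: bob@dest.example\r\n"
         b"Subject: hello\r\n\r\nhi\r\n")
SPOOF_HEADER = (b"From: CEO <ceo@tenant-b.example>\r\nTo: bob@dest.example\r\n"
                b"Subject: urgent transfer\r\n\r\nwire it now\r\n")
SPOOF_SECOND_MAILBOX = (b"From: alice@tenant-a.example, ceo@tenant-b.example\r\n"
                        b"\r\nbody\r\n")


def demo() -> dict:
    """(vulnerable, hardened) verdicts for each constructed case, all
    submitted by the tenant-a login."""
    user, env = "alice@tenant-a.example", "alice@tenant-a.example"
    cases = {
        "legit": (env, LEGIT),
        "spoofed From:": (env, SPOOF_HEADER),
        "second From: mailbox": (env, SPOOF_SECOND_MAILBOX),
        "spoofed MAIL FROM": ("bounce@tenant-b.example", LEGIT),
    }
    return {name: (vulnerable_accept(user, e, m), hardened_accept(user, e, m))
            for name, (e, m) in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:22s} vulnerable={weak!s:5s} hardened={hard}")
```

Only the first case is relayed by the hardened check; the weak check relays all four because it stops at "is this login valid". Two caveats for anyone adapting this: a display-name attack such as From: "ceo@tenant-b.example" <alice@tenant-a.example> passes, because the actual mailbox is authorised and that is a different class of spoofing, and a relay that also handles bounces will need a separate rule for the null reverse-path instead of the flat rejection used here.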

Implementing mail filter software, such as Milterfrom, can help enforce these requirements. Domain owners should adopt stringent measures to protect their domains from spoofing attacks.

This includes publishing a DMARC policy in DNS, backed by SPF and DKIM records, to safeguard their sender identity and brand.

For high-assurance identity protection, domain owners should consider operating their own DKIM signing, with keys independent of the hosting provider, so that the provider's shared infrastructure cannot produce a valid signature for their domain on another tenant's behalf.

As email remains a critical communication tool, addressing these vulnerabilities is essential to maintaining the integrity and security of email communications. Organizations must act swiftly to implement the recommended solutions and protect their domains from potential abuse.



