CVE-2023-51764

Description

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Read the notes from the security team

Mitigation

Patched versions of Postfix before 3.9 require the below configs for the fix to apply: smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks

Status

Show unmaintained releases

Package	Ubuntu Release	Status
postfix	23.10 mantic	Fixed 3.8.1-2ubuntu0.2
	23.04 lunar	Ignored end of life
	22.04 LTS jammy	Fixed 3.6.4-1ubuntu1.3
	20.04 LTS focal	Fixed 3.4.13-0ubuntu1.4
	18.04 LTS bionic	Fixed 3.3.0-1ubuntu0.4+esm3
	16.04 LTS xenial	Fixed 3.1.0-3ubuntu0.4+esm3
	14.04 LTS trusty	Fixed 2.11.0-1ubuntu1.2+esm3

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

mdeslaur

We will not be releasing updates for Lunar which is EoL on 2024-01-25

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2023-51764

Cvss 3 Severity Score