VU#244112: Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement

Overview

Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information. Two vulnerabilities were identified that weaken the sender authentication and verification provided by the combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM, adding linkage to the author (FROM:) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders to improve and monitor protection of the domain from fraudulent email (DMARC.org). An authenticated remote attacker can spoof the identity of a sender when sending emails through a hosted service provider.

Description

As identified in RFC 5321 section 7.1, the SMTP protocol is inherently insecure and susceptible to spoofing of the sender identity present in the various parts of the SMTP transaction. Various facilities, such as SPF and DKIM, have continued to evolve to address these issues. SPF records identify the IP networks that are allowed to send email on behalf of a domain. Receiving servers can check SPF records to verify that incoming messages that appear to be from an organization are sent by permitted (allowed) networks. DKIM goes further by providing a digital signature that covers specific portions of the SMTP-relayed message, allowing a sender to digitally assert specific information that is part of a message, such as the FROM: address, subject, and date fields. While SPF verifies the network source of an email transaction, DKIM looks into the email message itself to detect message tampering. DMARC is an email authentication, policy, and reporting protocol that builds on the widely deployed SPF and DKIM protocols. By combining these two capabilities, DMARC helps email senders and receivers work together to better secure email, protecting users and brands from costly abuse.

A set of vulnerabilities was discovered by researchers in the practical usage of these capabilities, exposing the potential abuse of sender trust in email communications. Many hosted email services provide hosting for multiple domains and use a wide range of network resources to deliver email from their domain addresses. The hosting service providers typically provide a way to authenticate before allowing emails to be sent on behalf of the sender. However, due to the nature of their shared hosting, many of them do not verify the authenticated sender against their allowed domain identities. Hosting providers that have published SPF records, and in some cases also add DKIM signatures, do not sufficiently verify the trust relationship of an authenticated user against the allowed domains. This allows an authenticated attacker to spoof an identity in the email Message Header and send emails as anyone in the hosted domains of the hosting provider, while authenticated as a user of a different domain name.

Any remote email receiving service may incorrectly identify the sender's identity, because the message passes the cursory check of DMARC policy adherence. The DMARC policy is thus circumvented, allowing spoofed messages to be seen as attested and valid.
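The following is an added illustration of the receiver-side check described above; it is not code from the advisory or from DMARC.org. It implements the identifier-alignment rule of RFC 7489 (a message passes DMARC when an SPF pass or a DKIM pass is for a domain aligned with the RFC 5322 From: domain) and runs it over three constructed scenarios. The tenant domains, the policy dicts and the simplified organizational-domain lookup are assumptions made for the example.

```python
from email.utils import parseaddr


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address ('Name <user@dom>' or 'user@dom')."""
    _, spec = parseaddr(addr)
    return spec.rsplit("@", 1)[1].strip().lower() if "@" in spec else ""


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption: this stands in for the Public Suffix List lookup a real
    DMARC evaluator performs (RFC 7489 section 3.2).
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any two domains that share an organizational domain."""
    if not identifier_domain or not from_domain:
        return False
    if mode == "s":
        return identifier_domain == from_domain
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain, policy):
    """DMARC verdict for one message.

    spf_domain is the MAIL FROM domain the SPF check authenticated; dkim_domain
    is the d= tag of a verified signature. policy models the published _dmarc
    TXT record as a dict, e.g. {"p": "reject", "aspf": "s", "adkim": "r"}.
    Returns (verdict, disposition): verdict is 'pass' or 'fail'; disposition is
    the p= action to apply on failure, or 'none' when the message passed.
    """
    from_domain = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed scenarios. tenant-a.example and tenant-b.example are two customers
# of the same hosting provider, whose shared SPF record lists the provider's
# outbound network. The receiver never learns which account authenticated at
# the provider; it only sees what SPF and DKIM report.
SCENARIOS = [
    ("legitimate, DKIM-signed by the domain owner",
     ("Alice <alice@tenant-a.example>", "pass", "tenant-a.example",
      "pass", "tenant-a.example", {"p": "reject"})),
    ("relayed through the shared provider with From: set to another tenant",
     ("Finance <finance@tenant-b.example>", "pass", "tenant-b.example",
      "none", "", {"p": "reject"})),
    ("same From:, sent from a network the shared SPF record does not list",
     ("Finance <finance@tenant-b.example>", "fail", "tenant-b.example",
      "none", "", {"p": "reject"})),
]

if __name__ == "__main__":
    for label, args in SCENARIOS:
        print(f"{label}: {evaluate_dmarc(*args)}")
```

The second scenario is the one the advisory is about: the only identifier the receiver can align is the MAIL FROM domain, and the shared SPF record vouches for it no matter which tenant authenticated, so DMARC passes on SPF alone. The receiver has no signal with which to do better, which is why the enforcement has to happen at the hosting provider, and why a domain owner that wants high assurance signs with its own DKIM key rather than relying on SPF over shared infrastructure.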

CVE-2024-7208
A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypassing security measures provided by DMARC (or SPF or DKIM) policies.

CVE-2024-7209
A vulnerability exists in the use of shared SPF records by multi-tenant hosting providers, allowing attackers to abuse network authorization to spoof the email identity of the sender.

Impact

An authenticated attacker using network or SMTP authentication can spoof the identity of a shared hosting facility, circumventing any DMARC policy and sender verification provided by a domain name owner.

Solution

Hosting providers

Domain hosting providers that provide email relay should verify the identity of an authenticated sender against authorized domain identities. The email service providers should use reliable ways to verify that the network sender identity (MAIL FROM) and the Message Header (FROM:) are the same or related. Where SMTP software does not verify the Message Header against the network sender identity, mail filter software, such as the Milter Milterfrom, may provide ways to enforce such requirements.
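As an added example of the provider-side check recommended here (it is not code from the advisory, from Milterfrom or from any vendor), the function below models the decision a multi-tenant relay should make before accepting an authenticated submission: the authenticated account, the envelope MAIL FROM domain and every RFC 5322 From: domain must belong to the same tenant. The tenant registry, the account names and the two sample messages are constructed for the example; a real relay would read the registry from its customer database and run this logic in its milter or submission policy hook.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed tenant registry (assumption: a real relay loads this from its
# customer database). Maps each authenticated account to the domains it may
# use in MAIL FROM and in the From: header.
TENANT_DOMAINS = {
    "alice@tenant-a.example": {"tenant-a.example", "newsletter.tenant-a.example"},
    "bob@tenant-b.example": {"tenant-b.example"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    _, spec = parseaddr(addr)
    if "@" not in spec:
        return ""
    return spec.rsplit("@", 1)[1].strip().lower()


def header_from_domains(raw_message: str) -> set:
    """Every domain named in the RFC 5322 From: header(s) of the message."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    return {domain_of(spec) for _, spec in pairs}


def check_submission(auth_user, mail_from, raw_message, registry=TENANT_DOMAINS):
    """Decide whether the relay may accept a submission.

    Returns (accept, reason). Accepts only when the envelope MAIL FROM domain
    (unless it is the null reverse-path <> used for bounces) and every From:
    header domain belong to the authenticated account's tenant.
    """
    allowed = registry.get(auth_user.lower())
    if not allowed:
        return False, "unknown authenticated user"

    env_domain = domain_of(mail_from)
    if mail_from.strip() not in ("", "<>") and env_domain not in allowed:
        return False, "MAIL FROM domain %r not authorised for %s" % (env_domain, auth_user)

    hdr_domains = header_from_domains(raw_message)
    if not hdr_domains or "" in hdr_domains:
        return False, "missing or malformed From: header"
    rogue = hdr_domains - allowed
    if rogue:
        return False, "From: domain(s) %s not authorised for %s" % (sorted(rogue), auth_user)
    return True, "sender identities aligned with tenant"


# Constructed sample submissions.
LEGIT = (
    "From: Alice <alice@tenant-a.example>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Invoice\r\n\r\n"
    "body\r\n"
)
HEADER_SPOOF = (
    "From: Finance <finance@tenant-b.example>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Urgent wire\r\n\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    cases = [
        ("alice@tenant-a.example", "<alice@tenant-a.example>", LEGIT),
        ("alice@tenant-a.example", "<alice@tenant-a.example>", HEADER_SPOOF),
        ("alice@tenant-a.example", "<bounce@tenant-b.example>", LEGIT),
        ("alice@tenant-a.example", "<>", LEGIT),
    ]
    for user, env, msg in cases:
        print(user, env, check_submission(user, env, msg))
```

The second case is the Message Header spoof the advisory describes (CVE-2024-7208) and the third is an envelope sender outside the tenant (the abuse of the shared SPF authorization in CVE-2024-7209); both are refused while the account remains otherwise authenticated. The registry is an explicit allow-list of domains per account, so a subdomain is only accepted when the tenant has been entitled to it, which is stricter than DMARC's relaxed alignment and is the appropriate default for a relay that vouches for many customers at once.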

Domain owners

Domain owners should use strict measures to ensure that their domain's DNS-based DMARC policy (with DKIM and SPF) protects their sender identity and their users and brands from abuse caused by spoofing. If a domain is expected to provide high assurance of identity, the domain owner should use their own DKIM facility, independent of the hosting provider, to reduce the risk of spoofing attacks.

Email Senders

Email senders that require high fidelity of their identity can use facilities such as S/MIME and PGP, as suggested in RFC 5321 section 7.1.

Acknowledgements

Thanks to the reporters, Caleb Sargent and Hao Wang, for raising awareness of these vulnerabilities. This document was written by Dr. Elke Drennan, Vijay Sarvepalli, and Timur Snoke.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

CVE IDs:
CVE-2024-7208
CVE-2024-7209

Date Public:
2024-07-30

Date First Published:
2024-07-30

Date Last Updated:
2024-08-06 17:33 UTC

Document Revision:
8