Bug 32700 - sendmail new security issue CVE-2023-51765
Summary: sendmail new security issue CVE-2023-51765
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-08 10:06 CET by Nicolas Salguero
Modified: 2024-07-16 05:22 CEST

See Also:
Source RPM: sendmail-8.17.1-4.mga9.src.rpm
CVE: CVE-2023-51765
Status comment:



Description Nicolas Salguero 2024-01-08 10:06:49 CET
Version 8.18.0.2 fixes the new SMTP smuggling attack:
https://www.openwall.com/lists/oss-security/2023/12/21/6
https://www.openwall.com/lists/oss-security/2023/12/26/5
Nicolas Salguero 2024-01-08 10:07:36 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => sendmail-8.17.2-1.mga10.src.rpm
CVE: (none) => CVE-2023-51765

Comment 1 Lewis Smith 2024-01-08 20:18:19 CET
Christiaan put up the current version, and looks to be the main sendmail maintainer; assigning to you.

Assignee: bugsquad => cjw
Status comment: (none) => Fixed in Version 8.18.0.2

Comment 2 Pierre Fortin 2024-03-06 21:21:56 CET
also applies to Postfix: http://www.postfix.org/smtp-smuggling.html
https://nvd.nist.gov/vuln/detail/CVE-2023-51764

and exim: https://nvd.nist.gov/vuln/detail/CVE-2023-51766

CC: (none) => pfortin

Comment 3 Nicolas Salguero 2024-03-07 09:11:31 CET
(In reply to Pierre Fortin from comment #2)
> also applies to Postfix: http://www.postfix.org/smtp-smuggling.html
> https://nvd.nist.gov/vuln/detail/CVE-2023-51764

That issue was already fixed in bug 32647.

> and exim: https://nvd.nist.gov/vuln/detail/CVE-2023-51766

exim is not provided by Mageia.

Best regards,

Nicolas Salguero 2024-03-29 11:51:09 CET

Whiteboard: MGA9TOO => (none)
Source RPM: sendmail-8.17.2-1.mga10.src.rpm => sendmail-8.17.1-4.mga9.src.rpm
Version: Cauldron => 9

Comment 5 Nicolas Salguero 2024-07-05 10:05:52 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features. (CVE-2023-51765)

References:
https://www.openwall.com/lists/oss-security/2023/12/21/6
https://www.openwall.com/lists/oss-security/2023/12/26/5
========================

Updated packages in core/updates_testing:
========================
lib(64)milter1.0-8.17.1-4.1.mga9
lib(64)milter-devel-8.17.1-4.1.mga9
sendmail-8.17.1-4.1.mga9
sendmail-cf-8.17.1-4.1.mga9
sendmail-doc-8.17.1-4.1.mga9

from SRPM:
sendmail-8.17.1-4.1.mga9.src.rpm

Status comment: Fixed in Version 8.18.0.2 => (none)
Status: NEW => ASSIGNED
Assignee: cjw => qa-bugs
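
The advisory in comment 5 attributes the issue to sendmail accepting <LF>.<CR><LF> as end-of-data while some other servers do not. The following Python is an added example, not part of this bug report or of sendmail: it finds where a strict and a lenient parser would each end the same DATA stream and flags any disagreement. The function names and sample byte strings are constructed for illustration, and the stream is assumed to start after the DATA command's own line ending.

```python
"""Added example: audit an SMTP DATA stream for ambiguous end-of-data markers."""

STRICT_EOD = b"\r\n.\r\n"   # <CR><LF>.<CR><LF>, the terminator defined by RFC 5321
LENIENT_EOD = b"\n.\r\n"    # <LF>.<CR><LF>, the sequence named in the advisory


def strict_end(stream: bytes) -> int:
    """Offset just past the first <CR><LF>.<CR><LF>, or -1 if absent."""
    i = stream.find(STRICT_EOD)
    return -1 if i < 0 else i + len(STRICT_EOD)


def lenient_end(stream: bytes) -> int:
    """Offset just past the first <LF>.<CR><LF>, with or without a leading CR."""
    i = stream.find(LENIENT_EOD)
    return -1 if i < 0 else i + len(LENIENT_EOD)


def bare_lf_dot_offsets(stream: bytes) -> list:
    """Offsets of every <LF>.<CR><LF> whose LF is not preceded by CR."""
    hits = []
    i = stream.find(LENIENT_EOD)
    while i >= 0:
        if i == 0 or stream[i - 1:i] != b"\r":
            hits.append(i)
        i = stream.find(LENIENT_EOD, i + 1)
    return hits


def audit(stream: bytes) -> dict:
    """Report both end offsets and whether the two parsers disagree."""
    s, l = strict_end(stream), lenient_end(stream)
    return {"strict_end": s, "lenient_end": l,
            "bare_lf_dot": bare_lf_dot_offsets(stream), "disagree": s != l}


# Constructed sample inputs (not captured traffic).
CLEAN = b"Subject: hello\r\n\r\nbody line\r\n.\r\n"
SUSPECT = b"Subject: hello\r\n\r\nbody line\n.\r\ntrailing bytes\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit(data))
```

When `disagree` is true, the bytes between the two offsets are message body to the strict parser and the start of a new SMTP command stream to the lenient one, which is the condition a gateway or milter would reject or log.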

katnatek 2024-07-05 18:32:43 CEST

Keywords: (none) => advisory

Comment 6 katnatek 2024-07-05 18:57:39 CEST
 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date


installing sendmail-8.17.1-4.1.mga9.x86_64.rpm lib64milter1.0-8.17.1-4.1.mga9.x86_64.rpm sendmail-cf-8.17.1-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: sendmail-cf           ##################################################################################################
      2/3: lib64milter1.0        ##################################################################################################
      3/3: sendmail              ##################################################################################################
      1/3: removing sendmail-cf-8.17.1-4.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64milter1.0-8.17.1-4.mga9.x86_64
                                 ##################################################################################################
      3/3: removing sendmail-8.17.1-4.mga9.x86_64
                                 ##################################################################################################

urpmq --whatrequires-recursive lib64milter1.0|uniq
clamav-milter
lib64milter-devel
lib64milter1.0
opendkim
opendmarc
pagure-milters
python3-pymilter

Did not find info about testing lib64milter1.0, so I proceed with sendmail.
Reference Bug#13431 comment#7

systemctl start sendmail.service 
systemctl status sendmail.service 
● sendmail.service - Sendmail Mail Transport Agent
     Loaded: loaded (/usr/lib/systemd/system/sendmail.service; disabled; preset: disabled)
     Active: active (running) since Fri 2024-07-05 10:48:50 CST; 8s ago
    Process: 297076 ExecStartPre=/usr/bin/newaliases (code=exited, status=0/SUCCESS)
    Process: 297081 ExecStartPre=/usr/bin/make -C /etc/mail -s (code=exited, status=0/SUCCESS)
    Process: 297087 ExecStart=/bin/sh -c exec /usr/sbin/sendmail.sendmail $DAEMONOPTIONS -bd $(if [ -n "$QUEUE" ]; then echo -q$QUEU>
   Main PID: 297089 (sendmail.sendma)
      Tasks: 5 (limit: 6904)
     Memory: 5.3M
        CPU: 213ms
     CGroup: /system.slice/sendmail.service
             ├─297089 "sendmail: accepting connections"
             ├─297108 "sendmail: gmail-smtp-in.l.google.com.: idle"
             ├─297115 "sendmail: ./465GmpW1297104 from queue"
             ├─297116 procmail -f root@jgrey.phoenix -Y -a "" -d root
             └─297118 procmail -f MAILER-DAEMON@localhost.localdomain -Y -a "" -d katnatek

jul 05 10:48:52 jgrey.phoenix sendmail[297106]: 465GmqVp297106: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>
jul 05 10:48:52 jgrey.phoenix sendmail[297108]: 465GmqVp297108: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>
jul 05 10:48:52 jgrey.phoenix sendmail[297112]: 465GmqVp297112: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>
jul 05 10:48:52 jgrey.phoenix sendmail[297106]: 465GmqVp297106: to=<katnatek@jgrey.phoenix>, delay=00:00:00, xdelay=00:00:00, mailer>
jul 05 10:48:52 jgrey.phoenix sendmail[297112]: 465GmqVp297112: to=<katnatek@jgrey.phoenix>, delay=00:00:00, xdelay=00:00:00, mailer>
jul 05 10:48:52 jgrey.phoenix sendmail[297110]: 465GmpVt297104: to=<j.alberto.vc@gmail.com>, ctladdr=<katnatek@jgrey.phoenix> (1000/>
jul 05 10:48:52 jgrey.phoenix sendmail[297110]: 465GmpVt297104: 465GmqVp297110: DSN: Service unavailable
jul 05 10:48:52 jgrey.phoenix sendmail[297110]: 465GmqVp297110: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>
jul 05 10:48:52 jgrey.phoenix sendmail[297110]: 465GmqVp297110: to=<katnatek@jgrey.phoenix>, delay=00:00:00, xdelay=00:00:00, mailer>
jul 05 10:48:53 jgrey.phoenix sendmail[297113]: 465GmpVx297104: to=<root@jgrey.phoenix>, ctladdr=<root@jgrey.phoenix> (0/0), delay=0>
Tiene correo nuevo en /var/spool/mail/root 


 mail
s-nail version v14.9.24.  Type `?' for help
/var/spool/mail/root: 2 messages 2 new
▸N  1 root                  2024-07-05 10:48   72/4007  "[msec] *** Security Check on jgrey.phoenix, jul 05 10:48:02 ***            "
 N  2 root                  2024-07-05 10:48   68/6217  "[msec] *** Diff Check on jgrey.phoenix, jul 05 10:48:02 ***                "
& 1
[-- Message  1 -- 72 lines, 4007 bytes --]:
From: root <root@jgrey.phoenix>
Message-Id: <202407051648.465Gm6DE295382@jgrey.phoenix>
Date: Fri, 05 Jul 2024 10:48:06 -0600
To: root@jgrey.phoenix
Subject: [msec] *** Security Check on jgrey.phoenix, jul 05 10:48:02 ***

*** Security Check, jul 05 10:48:02 ***
*** Check type: daily ***
*** Check executed from: /etc/cron.daily/msec ***
Report summary:
Test started: jul 05 10:48:02
Test finished: jul 05 10:48:05
Total of unsecure user files: 2
Total of user files that should not be writable: 2
Total of open network ports: 27
Total of configured firewall rules: 234
Total local users: 59
Total local group: 97
Issues found in /etc/shadow file: 1

Detailed report:

Security Warning: these files shouldn't be owned by someone else or readable :
- /home/katnatek/.gnupg/secring.gpg : file is group readable.
- /home/katnatek/.gnupg/secring.gpg : file is other readable.

Security Warning: theses files should not be owned by someone else or writable :
- /home/katnatek/.ssh : file is group writable.
- /home/katnatek/.config : file is group writable.

These are the ports listening on your machine :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Program name
tcp        0      0 0.0.0.0:terabase        0.0.0.0:*               LISTEN      nxd
tcp        0      0 jgrey.local:ssh         0.0.0.0:*               LISTEN      sshd: /usr/sb
tcp        0      0 localhost:icl-twobase2  0.0.0.0:*               LISTEN      nxrunner.bin
tcp        0      0 localhost:entextnetwk   0.0.0.0:*               LISTEN      nxnode.bin
tcp        0      0 localhost:24529         0.0.0.0:*               LISTEN      nxserver.bin
tcp        0      0 localhost:24528         0.0.0.0:*               LISTEN      nxserver.bin
tcp        0      0 jgrey.local:domain      0.0.0.0:*               LISTEN      dnsmasq
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      httpd
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      httpd
tcp        0      0 localhost:afs3-callback 0.0.0.0:*               LISTEN      nxnode.bin
tcp6       0      0 [::]:terabase           [::]:*                  LISTEN      nxd
tcp6       0      0 localhost:afs3-callback [::]:*                  LISTEN      nxnode.bin
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           dnsmasq
udp        0      0 localhost:323           0.0.0.0:*                           chronyd
udp     9216      0 jgrey.local:mdns        0.0.0.0:*                           nxserver.bin
udp     9216      0 jgrey.local:mdns        0.0.0.0:*                           nxserver.bin
udp     2688      0 0.0.0.0:mdns            0.0.0.0:*                           nxserver.bin
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi-daemon: r
udp        0      0 0.0.0.0:39763           0.0.0.0:*                           avahi-daemon: r
udp        0      0 0.0.0.0:terabase        0.0.0.0:*                           nxd
udp        0      0 jgrey.local:domain      0.0.0.0:*                           dnsmasq
udp6       0      0 localhost:323           [::]:*                              chronyd
udp6       0      0 [::]:mdns               [::]:*                              avahi-daemon: r
udp6       0      0 [::]:pmcdproxy          [::]:*                              avahi-daemon: r
udp6       0      0 [::]:terabase           [::]:*                              nxd


I just want to know if the warnings

jul 05 10:48:52 jgrey.phoenix sendmail[297106]: 465GmqVp297106: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>

are expected, or whether something is missing or configuration is needed.

Keywords: (none) => feedback

Comment 7 katnatek 2024-07-13 20:06:48 CEST
Nicolas, are the warnings

jul 05 10:48:52 jgrey.phoenix sendmail[297106]: 465GmqVp297106: SYSERR(root): hash map "generics": missing map file /etc/mail/generi>

a blocker for this or not?

Comment 8 Nicolas Salguero 2024-07-15 13:59:43 CEST
Hi,

I am not an expert but, according to https://www.linuxquestions.org/questions/linux-networking-3/syserr-root-hash-map-generics-missing-map-file-etc-mail-genericstable-db-295493/, that warning seems to be related to configuration.

Best regards,

Nico.

Comment 9 katnatek 2024-07-15 20:13:09 CEST
(In reply to Nicolas Salguero from comment #8)
> Hi,
> 
> I am not an expert but, according to
> https://www.linuxquestions.org/questions/linux-networking-3/syserr-root-hash-map-generics-missing-map-file-etc-mail-genericstable-db-295493/,
> that warning seems to be related to configuration.
> 
> Best regards,
> 
> Nico.

Then I give the OK. Thank you.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Keywords: feedback => (none)

Comment 10 Thomas Andrews 2024-07-16 03:22:18 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2024-07-16 05:22:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0270.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

