---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'SMTP Smuggling Vulnerability in CISCO Secure Email Gateway'
number: '2023-098'
version: '1.0'
original_date: 'December 18, 2023'
date: 'December 19, 2023'
---

_History:_

* _19/12/2023 --- v1.0 -- Initial publication_

# Summary

On December 18, 2023, researchers from SEC Consult released an article about an SMTP Smuggling vulnerability affecting products from several vendors such as Microsoft, GMX or Cisco [1]. While the vulnerability was fixed in GMX and Microsoft products, it is considered a feature in Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway, and thus it was not fixed.

It is recommended to change the default configurations of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway.

# Technical Details

The vulnerability comes from the various interpretations of the end-of-data sequence (`<CR><LF>.<CR><LF>`) in emails. By exploiting these differences in how the SMTP protocol is interpreted, it is possible to smuggle/send spoofed emails - hence SMTP smuggling - while still passing SPF alignment checks.

Two types of SMTP smuggling are possible: outbound and inbound.

# Affected Products

Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway are affected by this vulnerability.

# Recommendations

It is recommended to change the default configuration for handling carriage returns and line feeds of the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway to `Allow` [2] and not `Clean`.

# References

[1]

[2]
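The end-of-data ambiguity described under Technical Details can be checked for on stored or proxied message data. The following is an added example, not part of the CERT-EU advisory or any vendor's code: it flags dot-lines that are not framed by strict `<CR><LF>` and shows where a strict and a lenient reader would each end the message. The lenient model (any mix of bare CR or LF around the dot) and the sample bytes are assumptions constructed for illustration.

```python
from __future__ import annotations
import re

# RFC 5321 end-of-data: a line holding only "." with CRLF on both sides.
STRICT_EOD = b"\r\n.\r\n"
# A lone "." framed by any mix of CR/LF. Assumed lenient model: a receiver
# that tolerates bare CR or bare LF may treat some of these as end-of-data.
DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")


def find_ambiguous_eod(stream: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for each dot-line that is not CRLF.CRLF."""
    hits = []
    pos = 0
    while (m := DOT_LINE.search(stream, pos)):
        if m.group(0) != STRICT_EOD:
            hits.append((m.start(), m.group(0)))
        # Resume at the trailing terminator: it may open the next dot-line.
        pos = m.start(2)
    return hits


def message_end(stream: bytes, lenient: bool) -> int:
    """Offset just past the first end-of-data under each model, -1 if none."""
    if lenient:
        m = DOT_LINE.search(stream)
        return m.end() if m else -1
    i = stream.find(STRICT_EOD)
    return i + len(STRICT_EOD) if i >= 0 else -1


# Constructed sample: one DATA payload whose body holds a bare-LF dot-line.
SAMPLE = (b"Subject: constructed sample\r\n\r\n"
          b"first part\n.\nsecond part\r\n.\r\n")
# Constructed sample: a well-formed payload, including a dot-stuffed line.
CLEAN = b"Subject: constructed sample\r\n\r\nbody\r\n..\r\nmore\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        strict = message_end(data, lenient=False)
        loose = message_end(data, lenient=True)
        verdict = "DISAGREE" if strict != loose else "agree"
        print(f"{name}: strict ends at {strict}, lenient at {loose} ({verdict})")
        for off, seq in find_ambiguous_eod(data):
            print(f"  non-standard dot-line {seq!r} at offset {off}")
```

Any hit from `find_ambiguous_eod` marks a point where two mail systems can disagree about message boundaries, which is the condition the advisory describes.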