CERT Recently Published Vulnerability Notes

VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies

A vulnerability has been discovered in the way SMTP servers and software handle the end-of-data sequence in email messages, allowing attackers to bypass security policies. The inconsistency can be exploited by crafting an email that deviates from the standard end-of-data sequence, so that SMTP gateways in the delivery path disagree about where the message ends. The issue, known as "SMTP Smuggling," affects multiple parties: email service providers, email software vendors, and email security product vendors. It allows attackers to impersonate any sender in any domain hosted at the originating mail service and bypass security policies. Email service providers and administrators should ensure their email software is up to date and apply the patches or workarounds provided by their software vendors. Email users should remain cautious when replying to emails and clicking on links that may download malicious software. The vulnerability has been assigned CVE numbers for Exim, Postfix, and Sendmail.
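The check below is an added example, not CERT's or any vendor's code, of the strictness a receiving MTA or relay needs here: it ends a DATA stream only on the canonical `<CR><LF>.<CR><LF>` terminator (RFC 5321) and flags bodies containing bare line endings or a lone "." line with non-CRLF delimiters, which a downstream server might treat as an early end of message. The sample DATA streams are constructed for illustration.

```python
import re

# RFC 5321 end-of-data sequence; the only terminator this reader honours.
CANONICAL_EOD = b"\r\n.\r\n"
# A bare LF (not preceded by CR) or a bare CR (not followed by LF).
BARE_NEWLINE = re.compile(rb"(?<!\r)\n|\r(?!\n)")
# A lone "." line; group 1 is the leading delimiter, group 2 the trailing one
# (the trailing delimiter is not consumed so adjacent dot lines are all seen).
DOT_LINE = re.compile(rb"(\r\n|\n|\r|^)\.(?=(\r\n|\n|\r))")

# Constructed sample streams as they would arrive after the DATA command.
SAMPLES = {
    "clean": b"Subject: hi\r\n\r\nhello\r\n.\r\nQUIT\r\n",
    "bare_lf_dot": b"Subject: hi\r\n\r\nhello\n.\ntext after ambiguous dot\r\n.\r\nQUIT\r\n",
    "bare_cr_dot": b"Subject: hi\r\n\r\nhello\r.\rtext after ambiguous dot\r\n.\r\nQUIT\r\n",
}


def split_data(stream: bytes) -> tuple[bytes, bytes]:
    """Split at the canonical terminator; return (body, remaining stream)."""
    idx = stream.find(CANONICAL_EOD)
    if idx < 0:
        raise ValueError("no canonical <CRLF>.<CRLF> terminator in stream")
    return stream[:idx], stream[idx + len(CANONICAL_EOD):]


def check_body(body: bytes) -> list[str]:
    """Report constructs that other MTAs might interpret as an end of data."""
    findings = []
    if BARE_NEWLINE.search(body):
        findings.append("bare LF or CR line ending in body")
    for m in DOT_LINE.finditer(body):
        lead, trail = m.group(1), m.group(2)
        if lead == b"\r\n" and trail == b"\r\n":
            continue  # canonical form; cannot occur before the split point
        findings.append(f"lone '.' line at offset {m.start()} with delimiters {lead!r}/{trail!r}")
    return findings


def inspect_data(stream: bytes) -> dict:
    """Strictly delimit the message and decide whether to accept it."""
    body, rest = split_data(stream)
    findings = check_body(body)
    return {"body": body, "rest": rest, "findings": findings, "accept": not findings}


if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        result = inspect_data(stream)
        print(name, "ACCEPT" if result["accept"] else "REJECT", result["findings"])
```

A relay that rejects (or re-normalises) such bodies instead of forwarding them removes the disagreement between gateways that the advisory describes.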