{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \\xce\\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a \"Sender address rejected: not logged in\" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-24T12:05:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/3"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/12"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12063", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \\xce\\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a \"Sender address rejected: not logged in\" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.openwall.com/lists/oss-security/2020/04/23/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/04/23/3"}, {"name": "https://www.openwall.com/lists/oss-security/2020/04/23/12", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/04/23/12"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:57.775Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/12"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12063", "datePublished": "2020-04-24T11:59:03", "dateReserved": "2020-04-22T00:00:00", "dateUpdated": "2024-08-04T11:48:57.775Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postfix:postfix:2.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "C851CA35-20A6-4D1E-8473-7FDFBB2F633B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \\xce\\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a \"Sender address rejected: not logged in\" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability"}, {"lang": "es", "value": "** EN DISPUTA ** Un determinado paquete Postfix versi\u00f3n 2.10.1-7, podr\u00eda permitir a un atacante enviar un correo electr\u00f3nico desde un remitente de aspecto arbitrario por medio de un ataque de Homoglifo, como es demostrado por la similitud de \\xce\\xbf con el car\u00e1cter \"o\". Esto es potencialmente relevante cuando es usada la funcionalidad /etc/postfix/sender_login, porque un mensaje saliente falso que usa una direcci\u00f3n de remitente configurada es bloqueado con un mensaje de error \"Sender address rejected: not logged in\", pero un mensaje saliente falso que usa un homoglifo de una direcci\u00f3n de remitente configurada no es bloqueado. NOTA: Algunos terceros sostienen que cualquier bloqueo omitido de mensajes salientes falsos - excepto por coincidencias exactas con una direcci\u00f3n del remitente en el archivo de /etc/postfix/sender_login - est\u00e1 fuera de los objetivos de dise\u00f1o de Postfix y, por lo tanto, no puede ser considerada una vulnerabilidad de Postfix."}], "id": "CVE-2020-12063", "lastModified": "2024-11-21T04:59:12.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-24T12:15:12.877", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/12"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/04/23/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "postfix: an attacker may send an email from an arbitrary-looking sender via a homoglyph attack", "id": "1848850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848850"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-345", "details": ["A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \\xce\\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a \"Sender address rejected: not logged in\" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked. NOTE: some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability", "For some of the Postfix configurations, the remote user can send e-mails pretending to be someone else (or even using non-existing user name with some homoglyph characters). One of the discussed problems that Postfix params \"smtpd_sender_login_maps\" and \"smtpd_sender_restrictions\" looks useless because works only for authorized users and attacker could get round with anonymous sending e-mails to any local user. The described issue should not be considered as security issue, so it is \"DISPUTED\"."], "mitigation": {"lang": "en:us", "value": "The described problem could be prevented with the usage of the postfix configuration param check_sender_access (part of smtpd_sender_restrictions) for domain names being used for receiving e-mails with param reject_unverified_sender for each of these domains.\nThe related part of postfix configuration example:\nsmtpd_sender_login_maps = texthash:/etc/postfix/sender_login\nsmtpd_sender_restrictions =\ncheck_sender_access texthash:/etc/postfix/sender_access\nreject_sender_login_mismatch\nreject_unknown_sender_domain\nand the content of the file /etc/postfix/sender_access would be:\nmail.mydomain.com reject_unverified_sender\nand the content of the file /etc/postfix/sender_login would be:\nusername@mail.mydomain.com username@mail.mydomain.com"}, "name": "CVE-2020-12063", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2020-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-12063\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12063\nhttps://seclists.org/oss-sec/2020/q2/59\nhttps://seclists.org/oss-sec/2020/q2/65\nhttps://seclists.org/oss-sec/2020/q2/66"], "statement": "Red Hat Product Security does not consider this to be a vulnerability. The described problem is problem of possibly incorrect Postfix configuration, but not bug of Postfix itself. Both no way to totally resolve the described in CVE problem, because it is how SMTP protocol designed. Means that SMTP protocol allows some SPAM or forging e-mails and no way to prevent it totally, but if configuring Postfix well, then possible to make it more strict (less SPAM and less forging)."}