Critical Vulnerability in Hosted Email Services Exposes Users to Spoofing Attacks
A newly discovered vulnerability in multiple hosted email services has raised significant concerns regarding email security. This vulnerability allows authenticated attackers to bypass sender identity verification mechanisms, enabling them to spoof emails and impersonate trusted senders. The implications of this flaw are far-reaching, potentially impacting millions of users and organizations worldwide.
Two primary vulnerabilities were identified that compromise the authentication and verification of email senders, weakening the protections provided by the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol, which builds on SPF and DKIM, also falls short in mitigating these risks. DMARC adds linkage to the author (From:) domain name, establishes policies for handling authentication failures, and provides reporting mechanisms to enhance domain protection against fraudulent emails. However, the discovered vulnerabilities allow an authenticated remote attacker to spoof the identity of a sender, exploiting the inadequacies in these protocols.
As noted in RFC 5321, Section 7.1, the SMTP protocol inherently lacks security measures to prevent sender identity spoofing within various parts of the SMTP transaction. Although SPF and DKIM have evolved to address these issues, they are not foolproof. SPF records identify the IP networks permitted to send emails on behalf of a domain, while DKIM provides a digital signature that verifies specific parts of the SMTP-relayed message. DMARC, which combines these capabilities, aims to secure emails better by ensuring the cooperation of both email senders and receivers.
Researchers discovered that many hosted email services, which provide support for multiple domains, fail to adequately verify the trust relationship between authenticated users and allowed domains. As a result, authenticated attackers can spoof sender identities within the email Message Header, sending emails as if they were from any domain hosted by the provider, while authenticated as a user from a different domain.
Two specific vulnerabilities have been identified:
- CVE-2024-7208: This vulnerability allows authenticated senders to spoof the identity of a shared, hosted domain, bypassing security measures provided by DMARC (or SPF or DKIM) policies.
- CVE-2024-7209: This vulnerability exists in the use of shared SPF records in multi-tenant hosting providers, allowing attackers to exploit network authorization to spoof the sender’s email identity.
The potential consequences of this vulnerability are severe. Malicious actors can exploit this flaw to launch sophisticated phishing campaigns, distribute malware, and conduct various forms of fraud. The trust that users and organizations place in email communications could be severely undermined, leading to financial losses, data breaches, and reputational damage.
To address this critical vulnerability, swift action is required from both hosting providers and domain owners. Hosting providers must implement robust sender identity verification processes, ensuring that sender information aligns with authorized domain identities. This may involve using additional authentication mechanisms and stricter controls over shared resources.
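The provider-side check described above, enforcing that an authenticated user may only submit mail whose envelope and header sender domains belong to that user's own tenant, as an added Python example (not code from the advisory or from any affected provider). The tenant table, domain names and sample message are constructed for illustration; a real submission server would look the tenant up in its account database and run this check before accepting the message for relay.

```python
import email
from email import policy

# Constructed tenant table for a hosted, multi-domain mail service
# (hypothetical data, not from the advisory): each authenticated
# submission user maps to the set of domains its tenant owns.
TENANT_DOMAINS = {
    "alice@tenant-a.example": {"tenant-a.example"},
    "bob@tenant-b.example": {"tenant-b.example", "news.tenant-b.example"},
}


def domain_of(addr_spec):
    """Lower-cased domain part of 'user@domain', or '' when there is none."""
    user, sep, dom = addr_spec.rpartition("@")
    return dom.lower() if sep and user else ""


def check_submission(auth_user, mail_from, raw_message):
    """Decide whether an authenticated submission may be relayed.

    Returns (allowed, reason).  Both the SMTP envelope MAIL FROM and every
    address in the RFC 5322 From: header must be in a domain owned by the
    tenant the user authenticated as.  This is the trust relationship the
    advisory says many providers do not verify: once the message leaves the
    provider's shared outbound IPs, SPF alone cannot tell tenants apart, so
    the check has to happen here, at submission time.
    """
    owned = TENANT_DOMAINS.get(auth_user.lower())
    if not owned:
        return False, f"unknown authenticated user {auth_user!r}"

    env_dom = domain_of(mail_from)
    if env_dom not in owned:
        return False, f"envelope MAIL FROM domain {env_dom!r} not owned by {auth_user}"

    msg = email.message_from_string(raw_message, policy=policy.default)
    # get_all also catches a second From: header added alongside the first.
    addresses = [a for hdr in msg.get_all("From", []) for a in hdr.addresses]
    if not addresses:
        return False, "missing or empty From: header"

    for addr in addresses:
        dom = addr.domain.lower()  # '' for a malformed address, which is rejected too
        if dom not in owned:
            return False, f"header From domain {dom!r} not owned by {auth_user}"
    return True, "sender identity aligned with authenticated tenant"


# Constructed sample message: a tenant-b user trying to send as tenant-a.
SPOOF_ATTEMPT = (
    "From: Finance <finance@tenant-a.example>\r\n"
    "To: staff@tenant-a.example\r\n"
    "Subject: Updated bank details\r\n"
    "\r\n"
    "Please use the new account from now on.\r\n"
)

# Same message with the From: header rewritten to the submitting user's own domain.
LEGIT_MESSAGE = SPOOF_ATTEMPT.replace("finance@tenant-a.example", "bob@tenant-b.example")

if __name__ == "__main__":
    print(check_submission("bob@tenant-b.example", "bob@tenant-b.example", SPOOF_ATTEMPT))
    print(check_submission("bob@tenant-b.example", "bob@tenant-b.example", LEGIT_MESSAGE))
```

The envelope check alone is not enough: DMARC evaluates the header From: domain, so a message whose envelope belongs to tenant B but whose From: header names tenant A would still pass SPF on the provider's shared network. Checking both fields against the authenticated tenant is what closes the gap.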
Domain owners are advised to review and strengthen their DMARC policies, which provide a framework for email authentication, policy, and reporting. Additionally, they should consider using independent DKIM (DomainKeys Identified Mail) facilities to further enhance security.
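A small DMARC record review helper for the domain-owner side of the advice above, as an added Python example (not from the advisory). It parses the TXT record a domain publishes at _dmarc.<domain> (tag syntax per RFC 7489) and lists settings that leave the domain exposed to spoofed mail: a monitoring-only policy, partial enforcement, relaxed alignment, and missing aggregate reporting. The sample records are constructed; in practice the record would be fetched with a DNS TXT lookup.

```python
# DMARC record review: flag settings that weaken protection against spoofing.
# Added example; the sample records below are constructed, not real domains.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # rua values contain '=' in mailto: URIs
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record):
    """Return a list of findings; an empty list means no weaknesses were spotted."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record: receivers will ignore it"]

    findings = []

    # p= is the policy receivers apply to mail that fails DMARC.
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    elif p not in ("quarantine", "reject"):
        findings.append(f"p={p or '<missing>'}: policy tag must be none, quarantine or reject")

    # pct= applies the policy to only a fraction of failing mail (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if pct != 100:
        findings.append(f"pct={tags.get('pct')}: policy is applied to only part of failing mail")

    # Relaxed alignment (the default) lets any subdomain of the organizational
    # domain satisfy alignment; strict alignment requires an exact match.
    if tags.get("adkim", "r").lower() != "s":
        findings.append("adkim=r: DKIM signature from any subdomain aligns; consider adkim=s")
    if tags.get("aspf", "r").lower() != "s":
        findings.append("aspf=r: envelope MAIL FROM in any subdomain aligns; consider aspf=s")

    # Without rua= the owner receives no aggregate reports and sees no spoofing attempts.
    if "rua" not in tags:
        findings.append("rua absent: no aggregate reports, spoofing attempts go unnoticed")

    return findings


# Constructed sample records.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@owner.example"
HARDENED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@owner.example"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, HARDENED):
        print(rec)
        for f in review_dmarc(rec) or ["no findings"]:
            print("  -", f)
```

The record review cannot tell whether the domain signs with its own DKIM key or with one shared across the provider's tenants; that part of the recommendation has to be verified by checking which selector and key the outgoing mail is actually signed with.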