Mailsploit Vulnerabilities Let Threat Actors Send Spoofed Emails

A set of vulnerabilities dubbed “Mailsploit” could allow a threat actor to spoof email identities and, in some cases, run malicious code on the user’s device. The vulnerabilities exist in how email clients and servers interpret email addresses encoded with RFC-1342, a standard adopted in 1992 to automatically represent non-ASCII characters as ASCII characters to avoid errors. Security researcher Sabri Haddouche discovered that a large number of email clients would take an RFC-1342-encoded string and decode it back to its non-ASCII form, but would not sanitize the decoded result afterwards to check for malicious content.

Additionally, if the decoded string contained a null byte or two or more email addresses, the email client would read only the address before the null byte, or only the first valid address, allowing a threat actor to create a valid email address whose username is actually an RFC-1342-encoded string. Because the client parses only that first address, the true sending domain is ignored. This spoofing capability circumvents all modern anti-spoofing protection mechanisms, including DMARC and various spam filters, effectively allowing threat actors to send emails with spoofed identities that are much more difficult for both users and email servers to detect as fakes, and makes phishing emails harder to identify. In some cases, these flaws also allow threat actors to hide multiple email addresses inside the email’s “From:” field, which can then also contain malicious code; email clients that inadequately sanitize the decoded string may execute that code.

Haddouche contacted all vulnerable email clients and web services earlier this year when he discovered the vulnerabilities; however, only eight of the 33 have issued patches. Mozilla and Opera do not plan to issue a patch, as they consider it a server-side vulnerability.
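The detection angle follows directly from the description above: decode the encoded words in a From: header the way a client would, then inspect what comes out before trusting it. The following Python script is an added example (not Haddouche’s research code and not an NJCCIC tool) that does exactly that with the standard library’s email.header.decode_header and flags the three conditions the advisory names: a null byte (or other control character) surviving decoding, more than one address appearing once the header is decoded, and HTML-like markup in the decoded text. The heuristics, thresholds, and sample headers are constructed for this example; the sample headers use reserved example domains only.

```python
import base64
import re
from email.header import decode_header

# Heuristics for a decoded From: header value. These rules are assumptions made
# for this example, not rules taken from the original research.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Matches "<b>", "<b ", "</b>" but not an angle-addr such as "<jane@example.com>".
TAG_LIKE = re.compile(r"<\s*/?[A-Za-z][A-Za-z0-9]*(\s|/?>)")


def decode_encoded_words(raw_header: str) -> str:
    """Decode every RFC 1342 / RFC 2047 encoded word (=?charset?enc?text?=)
    in a header value and return the resulting text, null bytes included."""
    text = []
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            # decode_header returns bytes for encoded words (charset set) and
            # for the unencoded remainder (charset None, plain ASCII).
            text.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            # A header with no encoded words comes back as a single str chunk.
            text.append(chunk)
    return "".join(text)


def inspect_from_header(raw_header: str) -> list:
    """Return the reasons a From: header looks spoofed; an empty list is clean."""
    decoded = decode_encoded_words(raw_header)
    findings = []
    if "\x00" in decoded:
        findings.append("null byte after decoding")
    elif CONTROL_CHARS.search(decoded):
        findings.append("control characters after decoding")
    if decoded.count("@") > 1:
        findings.append("more than one address after decoding")
    if TAG_LIKE.search(decoded):
        findings.append("markup after decoding")
    return findings


def encoded_word(text: str, charset: str = "utf-8") -> str:
    """Build a base64 encoded word; used here only to construct sample headers."""
    b64 = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?b?{b64}?="


# Constructed sample headers (reserved example domains, not real senders).
SAMPLE_HEADERS = {
    "legit": '"Jane Doe" <jane@example.com>',
    "legit_encoded": encoded_word("Jörg Müller") + " <joerg@example.com>",
    # Local part decodes to an address plus a null byte; the real domain follows.
    "null_byte": encoded_word("jane@example.com\x00") + "@example.net",
    # Local part decodes to a full address, so two addresses appear after decoding.
    "two_addresses": encoded_word("jane@example.com") + "@example.net",
    # Display name decodes to HTML markup that an unsanitized client may render.
    "markup": encoded_word("<b>Jane Doe</b>") + " <mail@example.net>",
}


def scan_samples() -> dict:
    """Run the inspection over every constructed sample header."""
    return {name: inspect_from_header(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:14s} {findings or 'clean'}")
```

The two legitimate samples produce no findings, while each of the three malformed ones is flagged. A display name that legitimately contains an address (for example “jane@example.com via Mailing List”) would also trip the address-count rule, so in production this check belongs in a scoring pipeline rather than as a hard reject.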
The NJCCIC recommends all users and administrators review Haddouche’s dedicated website on Mailsploit and the Google Doc spreadsheet of vulnerable email servers and web clients and apply the necessary update if, and as soon as, a patch becomes available. Additionally, use an end-to-end encrypted messenger or Pretty Good Privacy/GNU Privacy Guard (PGP/GPG) to verify identities and encrypt email contents.