CVE-2023-51765: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-51765 affects sendmail through version 8.17.2, allowing SMTP smuggling in certain configurations. The vulnerability was discovered in June 2023 by Timo Longin of SEC Consult. Remote attackers can exploit interpretation differences in SMTP protocol to inject email messages with a spoofed MAIL FROM address, allowing bypass of SPF protection mechanisms. This occurs because sendmail supports the '.' character sequence but some other popular email servers do not (SEC Consult Blog).

The vulnerability exploits differences in how email servers interpret the SMTP end-of-data sequence. Specifically, some servers accept a line-feed-only terminator (' . ') while others require the standard carriage-return/line-feed sequence (' . '). This discrepancy allows attackers to smuggle additional SMTP commands within the message data. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to bypass SPF protection mechanisms and inject spoofed emails that appear to originate from legitimate domains. The attack can be particularly effective when targeting systems that use different interpretations of SMTP protocol specifications, potentially enabling sophisticated phishing campaigns that pass standard email authentication checks (SEC Consult Blog).

The vulnerability is resolved in sendmail version 8.18 and later versions with 'o' in srv_features, which enforces strict CR LF . CR LF as the end-of-data sequence as required by RFCs. For systems that cannot immediately upgrade, administrators can configure the srv_features option to require strict end-of-data sequence handling (Openwall).

The disclosure process of this vulnerability generated significant discussion in the security community. Some criticism was directed at the disclosure process, as several affected open-source projects were not directly notified before public disclosure. The vulnerability was later ranked 3rd place in the Portswigger Top 10 web hacking techniques of 2023 (SEC Consult Blog).