Split Tunnel SMTP Exploit Bypasses Email Security GatewaysAttackers can inject malicious payloads directly to email server via email encryption appliances, Securolytics says.
Many organizations, especially in sectors like healthcare, use onsite or hosted encryption appliances to protect their email against compromise. That could be a problem.
Security vendor Securolytics this week claimed it has devised an exploit that allows an attacker to bypass an organization's email security gateway and directly unload malware on the email server by using the encryption device as a backdoor.
The so-called Split Tunnel SMTP Exploit works against pretty much any email encryption device—virtual, hosted or in-house—that accepts inbound SMTP and there's very little anyone can do to stop it, according to the company. Attackers can use the exploit to inject any payload that supports MIME encoding including ransomware, macro viruses and password protected ZIP files.
The exploit, says Vikas Singla, CEO of Securolytics, takes advantage of the fact that an email encryption appliance has a publicly accessible IP address and is able to receive and transfer emails. Such devices are typically deployed beyond the enterprise firewall and are often used in conjunction with an email security gateway.
Singla says that during an engagement at a healthcare customer site Securolytics discovered an attacker could completely bypass the email security gateway by connecting directly to the encryption appliance. The appliance simply decrypts and routes the emails it receives to the email server without checking it for malware.
So, an attacker who is able to discover the publicly accessible IP address of an encryption gateway can send malware-laden messages directly to the email server through the encryption gateway, without touching the security appliance at all, Singla says.
In some configurations, the email encryption appliance is deployed in front of the security gateway to decrypt encrypted mail, and to forward it to the security gateway, which then inspects the decrypted email for malware before sending it to the email server.
Even in such situations, an attacker who is able to connect directly to the encryption appliance can inject a rogue message into it. When the security gateway receives the message and inspects it for malware, it will typically do so using the encryption device's IP address and not the original sender's IP address, Singla says. This gives an opening for an attacker to get messages containing malicious payloads and links past the email security gateway.
Singla says Securolytics tested the exploit against two organizations and was able to bypass email security controls in both cases and have malicious email reach the email server. Because Securolytics used an invalid mailbox for both tests, the target server bounced back the emails.
One of the simulated attacks involved a 400-employee hospital using Microsoft Exchange, an onsite email encryption product, and an email security gateway appliance.
Securolytics researchers used an automated script to map out the target organization's email infrastructure and the delivery routes for email. It then used a brute force attack to find the encryption appliance's IP address. Once the researchers had the information they used another scanner to see if any of the uncovered mail transfer agents had Port 25 open.
The researchers first sent an email with a benign payload to an invalid address within the target's domain to figure out how the security gateway and internal mail servers handled incoming mail. They then sent a message with a malicious payload to verify the security gateway was working properly. Finally, they resent the same message with the same payload and from the same IP address, but directed it to the encryption appliance instead.
The device received the malicious email, accepted it and forwarded the mail directly to the email server which then attempted to deliver it to the invalid inbox before bouncing it back.
The same thing happened when Securolytics carried out the simulated attack against an 11,500-employee healthcare system. In this case, the organization had deployed Office 365 behind a hosted email encryption device. Even with Microsoft's Exchange Online Protection turned on the organization was unable to prevent a malicious email sent directly to the encryption appliance from reaching the mail server.
The Split Tunnel SMPT attack does not work if port 25 is closed. "The two attacks we show require port 25 to be open on the target's [Mail Transfer Appliance]," says Singla.
"Our initial thought was that organizations could close port 25," he says. "But we found the encryption server requires, by design, port 25 to be open so they can receive email from other encryption MTAs." Singla says. Securolytics is now testing to see if the attack works for configurations where the encryption appliance sits behind the security gateway.
The only way for organizations using encryption appliances to mitigate the threat is to disable transparent gateway-to-gateway encryption, according to Securolytics. Email encryption product vendors often use transparent encryption to make it easy for organizations to send and receive encrypted emails without needing to modify anything.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio