It was observed that the remote mail service allows plaintext command injection while negotiating an encrypted communications channel: the following responses were received for the respective commands, each pair sent in a single packet.
Request:
nessus1 STARTTLS\r\nessus2 CAPABILITY\r\n
Response:
The following two responses were received.
nessus1 OK begin TLS negotiation now
nessus2 OK CAPABILITY completed
Request:
STLS\r\nCAPA\r\n
Response:
+OK Begin TLS negotiation
+OK Capability list follows
Their recommendation is the following:
It is recommended to contact the vendor and check for an update considering the following.
-The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a clear text command that is processed after TLS is in place, related to a "plaintext command injection" attack.
-Also Postfix stable release 2.10.0 is available. As of now, Postfix 2.6 is no longer updated.
Are there any resolutions for this?
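The buffering flaw behind the finding, as an added example that is not code from the original post or from Postfix: a minimal POP3-style command loop in which the TLS handshake is simulated, so that the bytes the server already read before STLS can be seen either surviving into the "encrypted" phase (the vulnerable behaviour) or being discarded or rejected (the two usual fixes). The command set, the `mode` switch and the sample traffic are assumptions made for the illustration.

```python
# Added example, not code from the original post or from Postfix. The TLS
# handshake is simulated: `plain` is what the client sent before the handshake,
# `tls_data` what it sent inside the encrypted channel. The bug lies in how the
# server treats bytes it has already read from the socket when it handles STLS.

def pop3_session(plain: bytes, tls_data: bytes, mode: str) -> list:
    """Run a minimal POP3-style command loop; return (command, reply, secured).

    mode selects how STLS treats unread bytes left in the read buffer:
      "keep"    - vulnerable: the leftover is processed after TLS is up, so a
                  plaintext command injected by a man-in-the-middle runs as if
                  it came from the encrypted session
      "discard" - fix: drop the leftover before installing the TLS layer
      "reject"  - fix: refuse STLS when anything was pipelined after it
    """
    buf = bytearray(plain)
    secured = False
    log = []
    while (idx := buf.find(b"\r\n")) >= 0:
        line, buf = bytes(buf[:idx]), buf[idx + 2:]
        cmd = line.split(b" ", 1)[0].upper()
        if cmd == b"STLS":
            if secured:
                log.append((cmd, b"-ERR TLS already active", secured))
            elif mode == "reject" and buf:
                log.append((cmd, b"-ERR data after STLS command", secured))
                break                      # close the connection
            else:
                log.append((cmd, b"+OK Begin TLS negotiation", secured))
                secured = True
                if mode == "discard":
                    buf = bytearray()      # nothing from plaintext survives
                buf += tls_data            # simulated reads from the TLS socket
        elif cmd == b"CAPA":
            log.append((cmd, b"+OK Capability list follows", secured))
        elif cmd == b"QUIT":
            log.append((cmd, b"+OK bye", secured))
            break
        else:
            log.append((cmd, b"-ERR unknown command", secured))
    return log

# Constructed traffic: the pipelined pair from the finding, then one command
# that the legitimate client sends inside the TLS channel.
PROBE = b"STLS\r\nCAPA\r\n"
INSIDE_TLS = b"QUIT\r\n"

def executed_under_tls(log) -> list:
    """Names of commands the server ran after it believed TLS was in place."""
    return [cmd for cmd, _, secured in log if secured]

if __name__ == "__main__":
    for mode in ("keep", "discard", "reject"):
        print(mode, executed_under_tls(pop3_session(PROBE, INSIDE_TLS, mode)))
```

In "keep" mode the plaintext CAPA shows up among the commands executed under TLS, which is exactly the second +OK the scanner observed; in the two fixed modes it does not.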