{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/maddy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Maddy Mail Server"],"_cs_severities":["high"],"_cs_tags":["ldap-injection","authentication-bypass","information-disclosure","maddy","smtp","imap"],"_cs_type":"advisory","_cs_vendors":["Maddy"],"content_html":"\u003cp\u003eMaddy is vulnerable to LDAP injection due to the \u003ccode\u003eauth.ldap\u003c/code\u003e module constructing LDAP search filters and DN strings by directly interpolating user-supplied usernames without proper escaping. This vulnerability, present in versions prior to 0.9.3, allows an attacker to inject arbitrary LDAP filter expressions through the username field of the SMTP submission (AUTH PLAIN) or IMAP LOGIN interfaces. Specifically, the \u003ccode\u003estrings.ReplaceAll()\u003c/code\u003e function is used to insert the username into LDAP queries without sanitization. Successful exploitation enables identity spoofing, LDAP directory enumeration, and attribute value extraction. The vulnerable code is located in \u003ccode\u003einternal/auth/ldap/ldap.go\u003c/code\u003e within the \u003ccode\u003eLookup()\u003c/code\u003e and \u003ccode\u003eAuthPlain()\u003c/code\u003e functions. This vulnerability is identified as CVE-2026-40193.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Maddy instance configured to use LDAP authentication with the \u003ccode\u003eauth.ldap\u003c/code\u003e module and either the \u003ccode\u003efilter\u003c/code\u003e or \u003ccode\u003edn_template\u003c/code\u003e directive enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the Maddy instance's SMTP submission port (587) or IMAP port (993/143).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the authentication process (AUTH PLAIN for SMTP, LOGIN for IMAP).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious username containing LDAP injection payloads (e.g., \u003ccode\u003euser)(attribute=value*)\u003c/code\u003e) to bypass authentication or extract information.\u003c/li\u003e\n\u003cli\u003eThe crafted username is passed to the vulnerable \u003ccode\u003estrings.ReplaceAll()\u003c/code\u003e function in \u003ccode\u003einternal/auth/ldap/ldap.go\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized username is incorporated into an LDAP query or DN string, modifying the query's behavior.\u003c/li\u003e\n\u003cli\u003eIf the injected filter allows, the attacker successfully authenticates as another user or extracts sensitive information via boolean-based blind injection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages successful LDAP injection to spoof identities, enumerate the LDAP directory, or exfiltrate user attributes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to significant consequences. Attackers can spoof identities and potentially gain unauthorized access to resources. LDAP directory enumeration allows attackers to discover sensitive information about users and the directory structure. The ability to extract attribute values, including password hashes, further compromises the security of the system. All maddy deployments using the \u003ccode\u003eauth.ldap\u003c/code\u003e module with the \u003ccode\u003efilter\u003c/code\u003e or \u003ccode\u003edn_template\u003c/code\u003e directive are vulnerable, affecting both SMTP submission and IMAP authentication. This issue is tracked as CVE-2026-40193 and has a high severity rating.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Maddy version 0.9.3 or later to patch the vulnerability described in GHSA-5835-4gvc-32pc.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Maddy LDAP Injection Attempt via SMTP AUTH\u0026quot; to identify attempted exploitation via SMTP AUTH PLAIN.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging on the Maddy server, specifically capturing the usernames used during SMTP AUTH and IMAP LOGIN attempts, to facilitate investigation of potential LDAP injection attacks.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider disabling the \u003ccode\u003eauth.ldap\u003c/code\u003e module or implementing input validation to sanitize usernames before they are used in LDAP queries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-maddy-ldap-injection/","summary":"Maddy Mail Server is vulnerable to LDAP injection via unsanitized username in the `auth.ldap` module, enabling identity spoofing, LDAP directory enumeration, and attribute value extraction by injecting arbitrary LDAP filter expressions through the username field in SMTP submission or IMAP LOGIN interfaces.","title":"Maddy Mail Server LDAP Filter Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-maddy-ldap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Maddy","version":"https://jsonfeed.org/version/1.1"}