Go-Guerrilla SMTP Daemon PROXY Command IP Spoofing Vulnerability
Vulnerability
Go-Guerrilla SMTP Daemon versions prior to 1.6.7 allow a client to spoof its source IP address when PROXY protocol support is in use. With the ProxyOn option enabled, the server accepts more than one PROXY command on a connection, and each later PROXY command overrides the address recorded by the earlier one. The PROXY protocol specifies exactly one header, sent by the reverse proxy before any other data on the connection; everything that follows it is client-controlled. A client connecting through the proxy can therefore send a PROXY line of its own after the genuine header, and the server records the client-supplied address as if the trusted reverse proxy had reported it.
Impact
This vulnerability lets a client set the RemoteIP field of its session to an address of its choosing, so any logging, rate limiting or access control keyed on RemoteIP acts on the spoofed value. The practical impact on an MTA is usually lower than it would be for a web server, where the client address is more often used for access decisions, but it should not be treated as negligible where RemoteIP feeds a policy decision.
Reproduction
To reproduce this vulnerability, enable the ProxyOn option in the Go-Guerrilla SMTP Daemon configuration and start the server. Connect and send a PROXY command, then send a second PROXY command carrying a different source address. A vulnerable server accepts and processes both; the address from the last PROXY command is the one that ends up in RemoteIP, so the client controls the recorded address.
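The following Go program is an added illustration, not code from Go-Guerrilla itself: it models the part of an SMTP session that matters here (the RemoteIP recorded for the connection) and runs a constructed input through two policies. The non-strict policy reproduces the vulnerable behaviour described above, where every PROXY line is accepted and the last one wins. The strict policy is the check a fixed server needs: a PROXY header is accepted only once, and only before any other input. The addresses, port numbers and the EHLO line in SampleInput are constructed for the demonstration; the parser handles PROXY protocol v1 only and, for brevity, rejects the "PROXY UNKNOWN" form.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// SampleInput is a constructed session. The first PROXY line is what a
// trusted reverse proxy prepends (real client at 198.51.100.7); the second
// PROXY line is sent by that client itself, after the genuine header; the
// EHLO is ordinary SMTP traffic.
const SampleInput = "PROXY TCP4 198.51.100.7 10.0.0.2 40211 25\r\n" +
	"PROXY TCP4 203.0.113.99 10.0.0.2 1234 25\r\n" +
	"EHLO mail.example\r\n"

// session holds the only state this bug depends on: the address the server
// records for the peer, and whether a PROXY header or any other input has
// already been consumed on this connection.
type session struct {
	remoteIP    net.IP
	seenProxy   bool
	seenCommand bool
}

// parseProxyV1 parses a PROXY protocol v1 header of the form
// "PROXY TCP4|TCP6 <src> <dst> <srcport> <dstport>" and returns the source
// address. The "PROXY UNKNOWN" variant is rejected here for simplicity.
func parseProxyV1(line string) (net.IP, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, fmt.Errorf("malformed PROXY header: %q", line)
	}
	ip := net.ParseIP(f[2])
	if ip == nil {
		return nil, fmt.Errorf("invalid source address %q", f[2])
	}
	return ip, nil
}

// handleLine feeds one line to the session. With strict=false it behaves
// like the vulnerable server: every PROXY line is accepted and the latest
// one overwrites remoteIP. With strict=true a PROXY header is accepted only
// once and only before any other input, as the PROXY protocol requires.
func (s *session) handleLine(line string, strict bool) error {
	if strings.HasPrefix(line, "PROXY ") {
		if strict && (s.seenProxy || s.seenCommand) {
			return fmt.Errorf("PROXY header must be the first and only header, got %q", line)
		}
		ip, err := parseProxyV1(line)
		if err != nil {
			return err
		}
		s.remoteIP = ip
		s.seenProxy = true
		return nil
	}
	s.seenCommand = true // EHLO, MAIL FROM, etc.; not interpreted further here
	return nil
}

// ProcessConnection runs the whole input through a session and returns the
// RemoteIP the server ends up with. In strict mode it returns an error as
// soon as an out-of-place PROXY line appears, together with the address
// recorded before that point (the trusted proxy's value).
func ProcessConnection(strict bool, input string) (string, error) {
	s := &session{}
	sc := bufio.NewScanner(strings.NewReader(input)) // ScanLines strips the trailing \r
	for sc.Scan() {
		if err := s.handleLine(sc.Text(), strict); err != nil {
			return ipString(s.remoteIP), err
		}
	}
	return ipString(s.remoteIP), sc.Err()
}

func ipString(ip net.IP) string {
	if ip == nil {
		return ""
	}
	return ip.String()
}

func main() {
	ip, err := ProcessConnection(false, SampleInput)
	fmt.Printf("vulnerable: RemoteIP=%s err=%v\n", ip, err)
	ip, err = ProcessConnection(true, SampleInput)
	fmt.Printf("hardened:   RemoteIP=%s err=%v\n", ip, err)
}
```

Against SampleInput the non-strict run ends with RemoteIP 203.0.113.99, the client-chosen address, while the strict run keeps 198.51.100.7 and rejects the connection at the second PROXY line. The same strict check also rejects a PROXY line that arrives after an SMTP command, which is the other way a client could try to inject one.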
Remediation
Upgrade to Go-Guerrilla SMTP Daemon version 1.6.7 or later, where this vulnerability has been fixed. Note that restricting which hosts can reach the listener does not help on its own, because the spoofed PROXY line arrives through the legitimate reverse proxy; until the upgrade is applied, disabling ProxyOn removes the vector at the cost of losing the proxy-reported client address.
