Security Advisories

Proofpoint Email Protection URL Rewrite Bypass via Invalid URL Scheme, CVE-2021-31608

Advisory ID: PFPT-SA-2021-0011

Proofpoint Enterprise Protection (PPS/PoD) contains a vulnerability that could allow an attacker to deliver an email message without the URL being rewritten. The vulnerability exists in certain situations where the URL rewrite feature fails to match a URL with an invalid scheme that browsers auto-correct into a valid scheme. A successful attack results in the URLs being delivered to end users without being rewritten, but end users would need to click the URLs to be impacted. Exploitation is possible with Outlook for Windows and may be possible with other email clients. Further, this vulnerability bypasses only the URL rewrite and click-time protection control; other controls within Proofpoint Enterprise Protection and Targeted Attack Protection, such as spam and impostor filtering, Proofpoint Dynamic Reputation, and file-based checks on attachments, are unaffected.

Vulnerability Information

This vulnerability is identified by CVE-2021-31608.

This vulnerability has been assigned a CVSS score of 7.4:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Fixed Software

Proofpoint has released fixes for releases 8.13 (LTS) and 8.16 and newer.

Proofpoint customers can view the applicable release details for their deployment in the Proofpoint Community.

Proofpoint on Demand Customers

No action is required. Applicable fixes have already been deployed by Proofpoint.

Proofpoint on-premises Customers

No action is required for Enterprise Protection (PPS) Hardware and Virtual Appliance customers running supported versions that are configured to deploy releases automatically. Applicable fixes have been automatically deployed.

For on-premises environments that are configured to manually apply releases, install the applicable release as noted above.

No mail flow will be interrupted while updates are applied.

For any questions or concerns, please contact Proofpoint Support.

URL

https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0011

Revision History

| Version | Description | Section | Date |
|---|---|---|---|
| 1.0 | Initial release | | November 12, 2021 |

Acknowledgements

Proofpoint would like to thank Alexandro Calò of Horizon Security for their assistance.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. PROOFPOINT RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for authorized subscribers to Proofpoint products and services.