CVE-2021-43270
📋 TL;DR
This vulnerability in Datalust Seq.App.EmailPlus allows email notifications to be sent via unencrypted SMTP on port 25 when encryption on port 465 was intended. This exposes sensitive email content to interception during transmission. Organizations using affected versions of the Seq email notification app are impacted.
💻 Affected Systems
- Datalust Seq.App.EmailPlus (seq-app-htmlemail)
⚠️ Risk & Real-World Impact
Worst Case
Sensitive email content (potentially including authentication tokens, system alerts, or confidential data) is intercepted by attackers on the network, leading to data breaches or credential theft.
Likely Case
Email notifications containing system logs, alerts, or monitoring data are transmitted in cleartext, exposing operational information to network eavesdroppers.
If Mitigated
With proper network segmentation and monitoring, exposure is limited to internal network segments, reducing external attack surface.
🎯 Exploit Status
Exploitation requires network access to intercept SMTP traffic. No authentication bypass is needed, as this is a configuration/implementation flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in later development versions and production releases
Vendor Advisory: https://github.com/datalust/seq-app-htmlemail/pull/93
Restart Required: Yes
Instructions:
1. Update to a non-vulnerable version of Seq.App.EmailPlus.
2. Restart the Seq service.
3. Verify email notifications are using encrypted SMTP (port 465 with TLS).
🔧 Temporary Workarounds
Force TLS SMTP Configuration
Manually configure email notifications to use SMTP with explicit TLS on port 465
Configure Seq email settings to use smtps://server:465 with TLS enabled
Disable Email Notifications
Temporarily disable email notifications until patched
Disable email notification apps in Seq configuration
🧯 If You Can't Patch
- Implement network segmentation to isolate Seq server from untrusted networks
- Use network monitoring to detect cleartext SMTP traffic on port 25 from Seq servers
🔍 How to Verify
Check if Vulnerable:
Check Seq.App.EmailPlus version in Seq dashboard or configuration files for affected versions
Check Version:
Check Seq dashboard → Apps → EmailPlus version or inspect Seq configuration files
Verify Fix Applied:
Verify email notifications are sent successfully using encrypted SMTP (port 465) and monitor network traffic for cleartext SMTP on port 25
📡 Detection & Monitoring
Log Indicators:
- SMTP connection failures on port 465
- Email notification failures in Seq logs
Network Indicators:
- Cleartext SMTP traffic (port 25) originating from Seq servers
- Lack of TLS encryption on email notification traffic
SIEM Query:
source="seq" AND ("SMTP" OR "email") AND ("port 25" OR "cleartext")
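Example check for the network indicators above (an added example, not part of the original advisory or the Seq project): it classifies the client side of captured SMTP sessions from Seq hosts and flags those that sent mail without TLS. The Seq host address, the session record layout and the sample bytes are constructed assumptions; the check also recognises STARTTLS upgrades, which goes beyond the port 25 / port 465 case on this page.

```python
import ipaddress

# Assumption: addresses of the Seq servers being monitored (constructed value).
SEQ_HOSTS = {ipaddress.ip_address("10.0.5.20")}

def classify_client_stream(data: bytes) -> str:
    """Return 'implicit-tls', 'starttls', 'cleartext-mail' or 'unknown'."""
    # A TLS handshake record starts with content type 0x16, major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "implicit-tls"
    for raw in data.split(b"\r\n"):
        verb = raw.strip().upper()
        if verb == b"STARTTLS":
            return "starttls"        # session upgrades before any mail is sent
        if verb.startswith(b"MAIL FROM:"):
            return "cleartext-mail"  # envelope sent with no TLS upgrade
    return "unknown"

def find_cleartext_sessions(sessions):
    """Return (src, dst, dport) for Seq-host sessions that sent mail unencrypted."""
    hits = []
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in SEQ_HOSTS:
            continue
        if classify_client_stream(s["client_bytes"]) == "cleartext-mail":
            hits.append((s["src"], s["dst"], s["dport"]))
    return hits

# Constructed sample sessions: client-to-server bytes as reassembled from a capture.
SAMPLE_SESSIONS = [
    {"src": "10.0.5.20", "dst": "192.0.2.10", "dport": 465,
     "client_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "10.0.5.20", "dst": "192.0.2.10", "dport": 25,
     "client_bytes": b"EHLO seq01\r\nMAIL FROM:<seq@example.com>\r\nDATA\r\n"},
    {"src": "10.0.5.20", "dst": "192.0.2.10", "dport": 587,
     "client_bytes": b"EHLO seq01\r\nSTARTTLS\r\n\x16\x03\x01\x02\x00"},
    {"src": "10.0.7.44", "dst": "192.0.2.10", "dport": 25,
     "client_bytes": b"EHLO other\r\nMAIL FROM:<x@example.com>\r\n"},
]

if __name__ == "__main__":
    for hit in find_cleartext_sessions(SAMPLE_SESSIONS):
        print("cleartext SMTP from Seq host:", hit)
```

Classifying on payload rather than port alone also catches cleartext mail sent to a relay listening on a non-standard port.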