Headline
CVE-2020-29547
An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.
Hello,
during our research in e-mail servers at Münster University of Applied Sciences, we found some security issues in the STARTTLS implementation of the current version of Citadel.
Description
These issues potentially allow a meddler-in-the-middle (MitM) attacker to leak user credentials by injecting plaintext commands into the encrypted TLS stream. This vulnerability was first described by Wietse Venema for Postfix in 2011 (http://www.postfix.org/CVE-2011-0411.html). We found that Citadel is vulnerable to this kind of injection in IMAP, POP3, and SMTP. Basically, by injecting plaintext commands between the STARTTLS command an the TLS Handshake, a MitM can cause theirs plaintext commands to be interpreted in the encrypted context. See these SMTP trace from Citadel for example:
Normal:
S: 220 ebb7034d4bf5 ESMTP Citadel server ready.
C: EHLO buftest
S: 250-Hello buftest (172.17.0.1 [172.17.0.1])
S: 250-HELP
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: STARTTLS
S: 220 Begin TLS negotiation now
<----- TLS Handshake ----->
C: QUIT
S: 221 Goodbye…
With command injection:
S: 220 ebb7034d4bf5 ESMTP Citadel server ready.
C: EHLO buftest
S: 250-Hello buftest (172.17.0.1 [172.17.0.1])
S: 250-HELP
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: STARTTLS
A: NOOP
S: 220 Begin TLS negotiation now
<----- TLS Handshake ----->
S: 250 NOOP
- Command injection here!
As you can see, the attacker injected NOOP command (A: NOOP) is interpreted by citadel inside the encrypted context, even though it was sent in plain. The same is possible for POP3 and IMAP.
Proof of Concept
As this is a vulnerability affecting multiple vendors/servers, I can currently not publicly disclose our test script for this. However, I can send it to the developers privately if requested.
Security Impact
For SMTP and IMAP, this vulnerability can be used to leak user credentials to an attacker, e.g., by enclosing them into an e-mail send to the attacker by injecting the MAIL FROM, RCPT TO, and DATA verbs into the encrypted session. Additionally, this vulnerability can be used for cross-protocol attacks on server sharing a TLS certificate with citadel. In IMAP this can, for example, be used to host HTTPS without actually attacking TLS. In POP3, fortunately, the impact is currently limited, but this vulnerability might be used in more elaborate attacks.
Best regards,
Murgi
Related news
Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."