CVE-2020-29547

An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.


Hello,

During our research on e-mail servers at Münster University of Applied Sciences, we found some security issues in the STARTTLS implementation of the current version of Citadel.

Description

These issues potentially allow a meddler-in-the-middle (MitM) attacker to leak user credentials by injecting plaintext commands into the encrypted TLS stream. This vulnerability was first described by Wietse Venema for Postfix in 2011 (http://www.postfix.org/CVE-2011-0411.html). We found that Citadel is vulnerable to this kind of injection in IMAP, POP3, and SMTP. Basically, by injecting plaintext commands between the STARTTLS command and the TLS handshake, a MitM can cause their plaintext commands to be interpreted in the encrypted context. See this SMTP trace from Citadel for example:

Normal:
S: 220 ebb7034d4bf5 ESMTP Citadel server ready.
C: EHLO buftest
S: 250-Hello buftest (172.17.0.1 [172.17.0.1])
S: 250-HELP
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: STARTTLS
S: 220 Begin TLS negotiation now
<----- TLS Handshake ----->
C: QUIT
S: 221 Goodbye…

With command injection:

S: 220 ebb7034d4bf5 ESMTP Citadel server ready.
C: EHLO buftest
S: 250-Hello buftest (172.17.0.1 [172.17.0.1])
S: 250-HELP
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
S: 250 8BITMIME
C: STARTTLS
A: NOOP
S: 220 Begin TLS negotiation now
<----- TLS Handshake ----->
S: 250 NOOP                <----- Command injection here! ----->

As you can see, the attacker-injected NOOP command (A: NOOP) is interpreted by Citadel inside the encrypted context, even though it was sent in the clear. The same is possible for POP3 and IMAP.
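To make the mechanism behind that trace concrete, here is an added example (not Citadel's code, nor the test script mentioned below) of the server-side pattern that causes it and of the check that prevents it. The connection (FakeConn), the line reader (LineReader), the command loop (run_session) and the two traffic sequences are all constructed for this illustration, with no real sockets or TLS: a typical server reads a whole segment into a user-space buffer, pulls STARTTLS out of it, wraps the socket, and then keeps serving the rest of the same cleartext buffer as though it had arrived through TLS. The hardened path refuses the session if anything is still buffered behind STARTTLS (discarding the buffer instead is the other common fix); bytes still sitting in the kernel receive queue are not a concern, because the TLS handshake consumes them and fails.

```python
"""Added example (not Citadel code): why buffered cleartext survives STARTTLS,
and the server-side check that prevents it. The connection is simulated."""


class FakeConn:
    """Constructed stand-in for a client connection (no real sockets/TLS).

    `chunks` is the sequence of segments the peer delivers; `secure` is set
    when the server would wrap the socket in TLS. Anything read before that
    point travelled in cleartext and is therefore attacker-controllable."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.secure = False
        self.responses = []

    def recv(self):
        return self.chunks.pop(0) if self.chunks else b""

    def send(self, line):
        self.responses.append(line)

    def start_tls(self):
        self.secure = True  # real code: ssl.SSLContext.wrap_socket(...)


class LineReader:
    """Typical CRLF line reader: recv() into a buffer, hand out one line at a
    time. Whatever remains in `buf` after STARTTLS is the dangerous part."""

    def __init__(self, conn):
        self.conn = conn
        self.buf = b""

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.conn.recv()
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")


def run_session(conn, hardened):
    """Minimal SMTP-like loop. Returns (command, context, outcome) triples,
    where context is 'plain' or 'tls' depending on how the server *treats*
    the command, regardless of how it actually arrived on the wire."""
    reader = LineReader(conn)
    log = []
    conn.send("220 ready")
    while True:
        cmd = reader.readline()
        if cmd is None:
            break
        ctx = "tls" if conn.secure else "plain"
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if hardened and reader.buf:
                # Bytes were pipelined behind STARTTLS in cleartext. They
                # cannot be trusted inside the TLS session, so refuse.
                conn.send("554 5.5.1 Error: data after STARTTLS not allowed")
                log.append((cmd, ctx, "rejected"))
                break
            conn.send("220 Begin TLS negotiation now")
            conn.start_tls()
            # Vulnerable path: reader.buf is kept, so any cleartext line left
            # in it is served to this loop as if it had arrived through TLS.
            log.append((cmd, ctx, "ok"))
            continue
        if verb == "QUIT":
            conn.send("221 Goodbye")
            log.append((cmd, ctx, "ok"))
            break
        conn.send("250 OK")
        log.append((cmd, ctx, "ok"))
    return log


# Constructed traffic. The honest client waits for the 220 before sending
# anything else, so its segments are separate; in the injected sequence a
# NOOP shares the cleartext segment with the client's STARTTLS.
HONEST = [b"EHLO buftest\r\n", b"STARTTLS\r\n", b"NOOP\r\n", b"QUIT\r\n"]
INJECTED = [b"EHLO buftest\r\n", b"STARTTLS\r\nNOOP\r\n", b"QUIT\r\n"]


def tls_context_of(log, verb):
    """Context the server assigned to the first accepted command with this verb."""
    for cmd, ctx, outcome in log:
        if cmd.upper().startswith(verb) and outcome == "ok":
            return ctx
    return None


if __name__ == "__main__":
    for label, chunks in (("honest", HONEST), ("injected", INJECTED)):
        for hardened in (False, True):
            log = run_session(FakeConn(chunks), hardened)
            print(f"{label:8} hardened={hardened!s:5} {log}")
```

Running the block shows the defect as the trace above does: without the check, the NOOP from the injected sequence is logged with context "tls" although it was read from the cleartext buffer; with the check, the session is refused at STARTTLS, while the honest client, whose NOOP only arrives after the handshake, is served unchanged.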

Proof of Concept

As this is a vulnerability affecting multiple vendors/servers, I currently cannot publicly disclose our test script for this. However, I can send it to the developers privately if requested.

Security Impact

For SMTP and IMAP, this vulnerability can be used to leak user credentials to an attacker, e.g., by enclosing them in an e-mail sent to the attacker by injecting the MAIL FROM, RCPT TO, and DATA verbs into the encrypted session. Additionally, this vulnerability can be used for cross-protocol attacks on servers sharing a TLS certificate with Citadel. In IMAP this can, for example, be used to host HTTPS without actually attacking TLS. In POP3, fortunately, the impact is currently limited, but this vulnerability might be used in more elaborate attacks.

Best regards,
Murgi

Related news

CVE-2021-43766: Server processes unencrypted bytes from man-in-the-middle

Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.

CVE-2021-39272: NO STARTTLS

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

CVE-2021-38370: NO STARTTLS

In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.

CVE-2020-15953: Buffering issues with STARTTLS in IMAP · Issue #386 · dinhvh/libetpan

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
