CVE-2020-15953: Buffering issues with STARTTLS in IMAP · Issue #386 · dinhvh/libetpan

We found a STARTTLS issue in libEtPan which affects IMAP (and probably other protocols.)

When the server responds with its "let’s do TLS now message", e.g. A OK begin TLS\r\n, libEtPan will read any data after the \r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I havn’t tested it to this extent, but I suspect that this is enough to forge entire mailboxes even though STARTTLS is used.

There is a nice blogpost by Wietse Venema about a “command injection” in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a “response injection.”

Example trace to give an intuition:

C: A STARTTLS
S: A OK begin TLS
   B OK answer future login command // injected response
<--- TLS --->
C: B login user pass
// here, libEtPan interprets the injected "B OK" response and proceeds...
C: C noop
...

An attacker can probably inject more responses and (in the worst case) mimic a whole session.

There are (from my view) three possible fixes: 1) discard any remaining data after stls, 2) shovel the extra data into the TLS layer (where it belongs), and 3) error out as this is clearly a protocol violation.

The (maybe silly or even wrong) commit in duesee@5462750#diff-b01e5693616d9ee0714273a3491bc713 seems to fix the issue (please ignore the .idea folder :P)