CVE-2020-15953: Buffering issues with STARTTLS in IMAP · Issue #386 · dinhvh/libetpan

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a “begin TLS” response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka “response injection.”

We found a STARTTLS issue in libEtPan which affects IMAP (and probably other protocols).

When the server responds with its "let's do TLS now" message, e.g. A OK begin TLS\r\n, libEtPan will read any data after the \r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I haven't tested it to this extent, but I suspect that this is enough to forge entire mailboxes even though STARTTLS is used.

There is a nice blogpost by Wietse Venema about a “command injection” in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a “response injection.”

Example trace to give an intuition:

C: A STARTTLS
S: A OK begin TLS
   B OK answer future login command // injected response
<--- TLS --->
C: B login user pass
// here, libEtPan interprets the injected "B OK" response and proceeds...
C: C noop
...

An attacker can probably inject more responses and (in the worst case) mimic a whole session.

There are (from my view) three possible fixes: 1) discard any remaining data after stls, 2) shovel the extra data into the TLS layer (where it belongs), and 3) error out as this is clearly a protocol violation.

The (maybe silly or even wrong) commit in duesee@5462750#diff-b01e5693616d9ee0714273a3491bc713 seems to fix the issue (please ignore the .idea folder :P)
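An added illustration of the buffering defect and of fix option 3 from the issue; this is not libEtPan's code. A constructed in-memory byte string stands in for the TCP socket, and the names BufferedStream, starttls_vulnerable and starttls_hardened are assumptions for the example.

```python
# Added illustration of the STARTTLS buffering defect, not libEtPan's code.
# The 'wire' byte strings are constructed and stand in for the TCP socket.

class ProtocolViolation(Exception):
    """Raised when the peer breaks the STARTTLS transition rules."""

class BufferedStream:
    """Minimal stand-in for a client read buffer over a cleartext socket."""
    def __init__(self, wire: bytes, chunk: int = 64) -> None:
        self.wire = wire    # constructed bytes as received from the network
        self.chunk = chunk  # upper bound on what one recv() returns
        self.pos = 0
        self.buf = b""      # received but not yet consumed

    def read_line(self) -> bytes:
        # recv() in chunks until a CRLF-terminated line is complete; anything
        # past that CRLF stays in self.buf. Where the split falls depends on
        # how the bytes were packetised, which an on-path peer controls.
        while b"\r\n" not in self.buf:
            data = self.wire[self.pos:self.pos + self.chunk]
            if not data:
                raise EOFError("connection closed before CRLF")
            self.pos += len(data)
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

def _expect_begin_tls(stream: BufferedStream, tag: bytes) -> None:
    line = stream.read_line()
    if not line.startswith(tag + b" OK"):
        raise ProtocolViolation("STARTTLS refused: %r" % line)

def starttls_vulnerable(stream: BufferedStream, tag: bytes) -> bytes:
    """The defect: returns the cleartext leftovers a client like this would
    keep and later parse as though they had arrived inside the TLS session."""
    _expect_begin_tls(stream, tag)
    return stream.buf   # should be empty, but nothing checks

def starttls_hardened(stream: BufferedStream, tag: bytes) -> bytes:
    """Fix 3 from the issue: bytes after the 'begin TLS' line are a protocol
    violation, so refuse to start TLS on top of them."""
    _expect_begin_tls(stream, tag)
    if stream.buf:
        raise ProtocolViolation("%d unexpected cleartext bytes after STARTTLS"
                                % len(stream.buf))
    return b""          # TLS handshake would begin on a clean buffer

# Constructed traces: a clean server, and one with an appended response.
CLEAN_WIRE = b"A OK begin TLS\r\n"
INJECTED_WIRE = b"A OK begin TLS\r\nB OK answer future login command\r\n"
```

With the injected trace the vulnerable path hands back the forged "B OK" line, which the client would consume as the reply to its first command after the TLS handshake; the hardened path refuses the transition instead.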

Related news

CVE-2020-29547

An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.

CVE-2021-43766: Server processes unencrypted bytes from man-in-the-middle

Odyssey passes to server unencrypted bytes from man-in-the-middle. When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.

CVE-2021-39272: NO STARTTLS

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

CVE-2021-38370: NO STARTTLS

In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS.
