A group of German academics said they discovered more than 40 security flaws in the implementation of the STARTTLS feature in today’s most popular email clients and email servers.
Also known as Opportunistic TLS, STARTTLS refers to a set of protocol extensions used by email clients and servers to upgrade older email protocols like POP3, IMAP, and SMTP from sending data via a plaintext connection to a secure TLS-encrypted channel.
Developed in the late 90s, STARTTLS worked by checking if a connection could be set up via TLS and then negotiating the TLS connection with all involved parties before sending the email data.
Although the entire STARTTLS negotiation process was fragile and prone to errors, STARTTLS came at a time when there was no broad support for encrypted connections in email clients and email servers. Lacking better alternatives at the time, most users and servers admins chose to enable STARTTLS as a temporary solution until TLS support got broader adoption across the internet.
Today, things have changed. Almost all major email clients and email servers support a pure TLS-only mode where all old protocols like POP3, IMAP, and SMTP are funneled by default via an encrypted channel that safeguards email communications from tampering or wiretapping, with email clients refusing to send emails if a secure TLS connection can’t be established.
However, there are still millions of email clients and hundreds of thousands of email servers where STARTTLS is supported and still enabled.
Users advised to move from STARTTLS to TLS-only modes
In a research project presented at the USENIX 2021 security conference last week, academics said they found more than 40 vulnerabilities in STARTTLS client and server implementations that could be abused to downgrade STARTTLS connections to plaintext forms, intercept email communications, steal passwords, or tamper with email inboxes.
While these attacks required a MitM (Man/Meddler-in-the-Middle) position in order to interact with the STARTTLS initial negotiation process, the research team said that “these vulnerabilities are so common that we recommend to avoid using STARTTLS when possible” and that users and administrators should move to update their clients and servers to using TLS-only connections as soon as possible.
The good news is that the researchers have spent the past few months working with email client and server vendors to patch the 40+ vulnerabilities they discovered.
While users have the option to apply these patches and continue using STARTTLS to be safe from attacks, researchers advise that users update their client and server settings and set TLS-only as the default email communication security setting by default, something that other security experts have also been recommending since 2014 already.
Below is a summary of the issues discovered by the research team and the affected email clients and email servers.
Summary of STARTTLS client vulnerabilities
Response Injection (Buffering)
ProductProtocolStatusLinksApple Mail (macOS)SMTP/POP3/IMAPFixed in macOS High Sierra 10.13.6/Big Sur 11.4CVE-2020-9941, CVE-2021-30696Apple Mail (iOS/iPadOS)SMTP/POP3/IMAPFixed in iOS/iPadOS 14.0CVE-2020-9941Mozilla ThunderbirdIMAPFixed in 78.7.0CVE-2020-15685, Vendor advisory, Bug report (restricted)Claws MailSMTP/POP3/IMAPFixed in 3.17.6 for SMTP/POP3, See libEtPan for IMAPCVE-2020-15917MuttIMAP/SMTP/POP3Fixed in 1.14.4CVE-2020-14954NeoMuttIMAP/SMPT/POP3Fixed in 2020-06-19Commit/Patch, see also CVE-2020-14954EvolutionSMTP/POP3Fixed in 3.36.4 (evolution-data-server)CVE-2020-14928LibEtPan (Mail Framework for C Language)IMAP/SMTP/POP3Fixed in repository, unreleasedCVE-2020-15953Exim (MTA sending)SMTPUnfixed (reported privately)–Gmail (iOS/iPadOS)SMTP/IMAPUnfixed (reported privately)–Mail.ru, MyMailSMTPUnfixed (reported privately, report closed as not applicable)–YandexSMTP/IMAPUnfixed (reported privately)–PHP (stream_socket_enable_crypto)SMTP/POP3/IMAPUnfixedBug report (private)
Negotiation and Tampering bugs
ProductDescriptionProtocolStatusLinksGmail (Android)Leak of emailsIMAPFixed (retested in 2021.07.11.387440246)–Gmail (Go)Leak of emailsIMAPFixed (retested in 2020.10.15.341102866)–Samsung EmailLeak of emailsIMAPFixed (untested)–AlpineUntagged responses accepted before STARTTLSIMAPUnknown (reported via email)–TrojitáUntagged responses accepted before STARTTLSIMAPUnknownBug reportMozilla ThunderbirdServer responses prior to STARTTLS processedIMAPFixed in 78.12CVE-2021-29969, Vendor advisoryKMailSTARTTLS ignored when “Server requires authentication” not checkedSMTPUnknownBug reportSylpheedSTARTTLS strippingIMAPUnknownBug reportOfflineIMAPSTARTTLS strippingIMAPUnknownBug reportGMX / Web.de Mail CollectorSTARTTLS strippingPOP3/IMAPFixed–Mail.ru, MyMail, Email app for GmailSTARTTLS StrippingSMTPUnfixed (report closed as not applicable)–
Avoiding Encryption via IMAP PREAUTH
ProductStatusLinksApple Mail (iOS/iPadOS)Reported February 2020, Re-reported August 2021, Unfixed–Mozilla ThunderbirdFixed in 68.9.0CVE-2020-12398AlpineFixed in 2.23CVE-2020-14929, CommitMuttFixed in 1.14.3CVE-2020-14093NeoMuttFixed in Release 2020-06-19Commit/Patch, see also CVE-2020-14093GMX / Web.de Mail CollectorFixed–
ProductProtocolDescriptionStatusLinksOfflineIMAPIMAPAccepts untrusted certificatesUnknownBug reportGMX / Web.de Mail CollectorPOP3/IMAPAccepts untrusted certificatesStill allows self-signed–YandexSMTP/IMAPAccepts untrusted certificatesUnknown (report closed as not eligible)–Mail.ru, MyMailSMTPAccepts untrusted certificates (SMTP, IMAP)Unknown (report closed as duplicate)–Outlook (Android & iOS)SMTP/IMAPCertificate hostname not checked (SMTP, IMAP)Unknown (report closed as low/medium severity)–GearySMTP/IMAPAccepting an untrusted certificate creates a permanent trust exception for all certificatesFixed in 3.36.3CVE-2020-24661TrojitáSMTPAccepts untrusted certificatesFixed in repository (77ddd5d4) (no official releases)CVE-2020-15047Ruby Net::SMTPSMTPOnly checks hostname, ignores certificate signatureFixed in 2.7.2Bug report
ProductProtocolDescriptionStatusLinksAlpineIMAPCrash when LIST or LSUB send before STARTTLSUnknown (reported via email)–BalsaIMAPNullptr dereference when TLS required and PREAUTH sendFixed in 2.5.10CVE-2020-16118BalsaIMAPStack overflow due to repeated BAD answer to CAPABILITY commandFixed in 2.6.2 (no release yet)Bug ReportBalsaIMAPCrash on untagged EXPUNGE responseFixed in commit 26e554ac (no release yet)Bug ReportEvolutionIMAPInvalid free when no auth mechanisms in greetingFixed in >3.35.91CVE-2020-16117
ProductProtocolDescriptionStatusLinksKMailPOP3Setup wizard in POP3 defaults to unencrypted connectionsFixed in 20.08Bug ReportKMailPOP3Config shows “encrypted”, but it isn’tFixedCVE-2020-15954KMailSMTP/IMAPDialog loop “forces” the user to accept invalid certificatesUnknownBug ReportMozilla ThunderbirdPOP3Infinite loop when POP3 server replies with -ERR to STLS commandUnknownBug ReportTrojitáSMTP/IMAPHard to choose implicit TLS due to typo (German)FixedBug ReportTrojitáSMTPSMTP defaults to plaintext on port 587UnknownBug Report
Summary of STARTTLS server vulnerabilities
Command Injection (Buffering)
ProductProtocolStatusLinksNemesis (used by GMX / Web.de, provider)POP3/IMAPFixed (reported privately)–Interia.pl (provider)SMTP/POP3/IMAPFixed (reported privately)–Yahoo (only MTA-to-MTA, provider)SMTPUnfixed (reported privately)–Yandex (provider)SMTP/POP3/IMAPUnfixed (reported privately)–s/qmailSMTPFixed in 4.0.09CVE-2020-15955CoremailSMTP/POP3/IMAPUnfixed (reported via CERT)–CitadelSMTP/POP3/IMAPUnfixedCVE-2020-29547, Bug reportGordano GMSPOP3/IMAPUnfixedCVE-2021-37844recvmailSMTPFixed in 3.1.2 (reported privately)–SmarterMailPOP3Fixed in Build 7537CVE-2020-29548Burp CollaboratorSMTPFixed in 2020.9.2Bug report, Vendor release notesDovecotSMTPFixed in 184.108.40.206 and 2.3.15CVE-2021-33515Mercury/32SMTP/POP3/IMAPFixed in 4.90CVE-2021-33487QMail Toaster (1.4.1)SMTPProject discontinued–CourierPOP3Fixed in 1.1.5 (reported privately), known since 2013Discussion from 2013, CVE-2021-38084, FixPHP (stream_socket_enable_crypto)SMTP/POP3/IMAPUnfixedBug report (private)
ProductProtocolDescriptionStatusLinksNemesis (used by GMX / Web.de, provider)SMTPAdvertises authentication before STARTTLS even though it is disabledFixed (reported via Bugbounty)–
The post STARTTLS implementations in email clients & servers plagued by 40+ vulnerabilities appeared first on The Record by Recorded Future.
Source: Read More (The Record by Recorded Future)