Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 19 Mar 2014 19:52:04 +0100
From: Jan Kundrát <jkt@...ska.net>
To: <oss-security@...ts.openwall.com>
Subject: Requesting a CVE id for Trojitá, an e-mail client: SSL stripping

Hi folks, I would appreciate a Cc on responses as I'm not subscribed to 
this list. I would like to request a CVE for the following vulnerability:

Summary
-------

An SSL stripping vulnerability was discovered in Trojitá [1], a fast Qt 
IMAP e-mail client. *User's credentials are never leaked*, but if a user 
tries to send an e-mail, the automatic saving into the "sent" or "draft" 
folders could happen over a plaintext connection even if the user's 
preferences specify STARTTLS as a requirement.

Background
----------

The IMAP protocol defines the STARTTLS command which is used to 
transparently upgrade a plaintext connection to an encrypted one using 
SSL/TLS. The STARTTLS command can only be issued in an unauthenticated 
state as per the IMAP's state machine.

RFC 3501 also allows for a possibility of the connection jumping 
immediately into an authenticated state via the PREAUTH initial response. 
However, as the STARTTLS command cannot be issued once in the authenticated 
state, an attacker able to intercept and modify the network communication 
might trick the client into a state where the connection cannot be 
encrypted anymore.

Affected versions
-----------------

All versions of Trojitá up to 0.4 are vulnerable.

The fix will be included in version 0.4.1 (to be released after the CVE 
gets assigned).

Remedies
--------

Configurations which use the SSL/TLS form the very beginning (e.g. the 
connections using port 993) are secure and not vulnerable.

Possible impact
---------------

The user's credentials will *never* be transmitted over a plaintext 
connection even in presence of this attack.

Because Trojitá proceeded to use the connection without STARTTLS in face of 
PREAUTH, certain data might be leaked to the attacker. The only example 
which we were able to identify is the full content of a message which the 
user attempts to save to their "Sent" folder while trying to send a mail.

We don't believe that any other data could be leaked. Again, user's 
credentials will *not* be leaked as they are never transmitted under this 
scenario.

Acknowledgement
---------------

Thanks to Arnt Gulbrandsen on the imap-protocol ML for asking what happens 
when we're configured to request STARTTLS and a PREAUTH is received, and to 
Michael M Slusarz for starting that discussion.

[1] http://trojita.flaska.net/

With kind regards,
Jan

-- 
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.