| From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001 |
| From: Kevin McCarthy <kevin@8t8.us> |
| Date: Sun, 14 Jun 2020 11:30:00 -0700 |
| Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response. |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not |
| allowed in the Authenticated state, so previously Mutt would |
| implicitly mark the connection as authenticated and skip any |
| encryption checking/enabling. |
| |
| No credentials are exposed, but it does allow messages to be sent to |
| an attacker, via postpone or fcc'ing for instance. |
| |
| Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the |
| connection if it is unencrypted. |
| |
| Thanks very much to Damian Poddebniak and Fabian Ising from the |
| Münster University of Applied Sciences for reporting this issue, and |
| their help in testing the fix. |
| |
| [Retrieved from: |
| https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01] |
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> |
| --- |
| imap/imap.c | 16 ++++++++++++++++ |
| 1 file changed, 16 insertions(+) |
| |
| diff --git a/imap/imap.c b/imap/imap.c |
| index 63362176..3ca10df4 100644 |
| --- a/imap/imap.c |
| +++ b/imap/imap.c |
| @@ -530,6 +530,22 @@ int imap_open_connection (IMAP_DATA* idata) |
| } |
| else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0) |
| { |
| +#if defined(USE_SSL) |
| + /* An unencrypted PREAUTH response is most likely a MITM attack. |
| + * Require a confirmation. */ |
| + if (!idata->conn->ssf) |
| + { |
| + if (option(OPTSSLFORCETLS) || |
| + (query_quadoption (OPT_SSLSTARTTLS, |
| + _("Abort unencrypted PREAUTH connection?")) != MUTT_NO)) |
| + { |
| + mutt_error _("Encrypted connection unavailable"); |
| + mutt_sleep (1); |
| + goto err_close_conn; |
| + } |
| + } |
| +#endif |
| + |
| idata->state = IMAP_AUTHENTICATED; |
| if (imap_check_capabilities (idata) != 0) |
| goto bail; |
| -- |
| GitLab |
| |