[Uta] Fwd: [oss-security] Requesting a CVE id for Trojitá, an e-mail client: SSL stripping
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 19 March 2014 22:11 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E65BE1A07FE for <uta@ietfa.amsl.com>; Wed, 19 Mar 2014 15:11:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.599
X-Spam-Level:
X-Spam-Status: No, score=-1.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0AlklzAUI7sX for <uta@ietfa.amsl.com>; Wed, 19 Mar 2014 15:11:32 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 3431F1A07D2 for <uta@ietf.org>; Wed, 19 Mar 2014 15:11:32 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 4F4EFF984 for <uta@ietf.org>; Wed, 19 Mar 2014 18:11:22 -0400 (EDT)
Message-ID: <532A1600.8060209@fifthhorseman.net>
Date: Wed, 19 Mar 2014 18:11:12 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: "uta@ietf.org" <uta@ietf.org>
References: <8f661e38-7221-4b6a-839f-e94e2a093b4d@flaska.net>
In-Reply-To: <8f661e38-7221-4b6a-839f-e94e2a093b4d@flaska.net>
X-Enigmail-Version: 1.6
X-Forwarded-Message-Id: <8f661e38-7221-4b6a-839f-e94e2a093b4d@flaska.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="HBKlW1AO1OqhDDRF07vC7W19IqGd7DTgb"
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/RgGeja9GDKplm56e5hQ2sgBW8Cs
Subject: [Uta] Fwd: [oss-security] Requesting a CVE id for Trojitá, an e-mail client: SSL stripping
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 22:11:40 -0000
The message below was just sent to the oss-security list. It describes a protocol problem with the interaction between IMAP's PREAUTH mechanism and STARTTLS mechanism. The catch is in the intersection of two definitions: STARTTLS is defined as a command for IMAP's "Not Authenticated" state: https://tools.ietf.org/html/rfc3501#section-6.2.1 But an IMAP server can also start its communications with a "PREAUTH" response, which suggests that the client should be in the "Authenticated" state to begin with: https://tools.ietf.org/html/rfc3501#section-7.1.4 So if a client is configured to use STARTTLS, and it connects to an IMAP server on port 143, and that server (which could be an MITM) answers with "PREAUTH", the client might not even try to issue STARTTLS (indeed, the spec might not even allow it). further discussion here: http://thread.gmane.org/gmane.mail.imap.general/3427 note that IMAP-inside-TLS isn't vulnerable to this confusing situation. --dkg
--- Begin Message ---Hi folks, I would appreciate a Cc on responses as I'm not subscribed to this list. I would like to request a CVE for the following vulnerability: Summary ------- An SSL stripping vulnerability was discovered in Trojitá [1], a fast Qt IMAP e-mail client. *User's credentials are never leaked*, but if a user tries to send an e-mail, the automatic saving into the "sent" or "draft" folders could happen over a plaintext connection even if the user's preferences specify STARTTLS as a requirement. Background ---------- The IMAP protocol defines the STARTTLS command which is used to transparently upgrade a plaintext connection to an encrypted one using SSL/TLS. The STARTTLS command can only be issued in an unauthenticated state as per the IMAP's state machine. RFC 3501 also allows for a possibility of the connection jumping immediately into an authenticated state via the PREAUTH initial response. However, as the STARTTLS command cannot be issued once in the authenticated state, an attacker able to intercept and modify the network communication might trick the client into a state where the connection cannot be encrypted anymore. Affected versions ----------------- All versions of Trojitá up to 0.4 are vulnerable. The fix will be included in version 0.4.1 (to be released after the CVE gets assigned). Remedies -------- Configurations which use the SSL/TLS form the very beginning (e.g. the connections using port 993) are secure and not vulnerable. Possible impact --------------- The user's credentials will *never* be transmitted over a plaintext connection even in presence of this attack. Because Trojitá proceeded to use the connection without STARTTLS in face of PREAUTH, certain data might be leaked to the attacker. The only example which we were able to identify is the full content of a message which the user attempts to save to their "Sent" folder while trying to send a mail. We don't believe that any other data could be leaked. Again, user's credentials will *not* be leaked as they are never transmitted under this scenario. Acknowledgement --------------- Thanks to Arnt Gulbrandsen on the imap-protocol ML for asking what happens when we're configured to request STARTTLS and a PREAUTH is received, and to Michael M Slusarz for starting that discussion. [1] http://trojita.flaska.net/ With kind regards, Jan -- Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/--- End Message ---
- [Uta] Fwd: [oss-security] Requesting a CVE id for… Daniel Kahn Gillmor