diff options
Diffstat (limited to 'fetchmail-SA-2011-01.txt')
| -rw-r--r-- | fetchmail-SA-2011-01.txt | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/fetchmail-SA-2011-01.txt b/fetchmail-SA-2011-01.txt new file mode 100644 index 00000000..fc627f65 --- /dev/null +++ b/fetchmail-SA-2011-01.txt @@ -0,0 +1,132 @@ +fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode + +Topics: Denial of service in STARTTLS protocol phases + +Author: Matthias Andree +Version: XXX +Announced: XXX +Type: Unguarded blocking I/O can cause indefinite application hang +Impact: Denial of service +Danger: low + +CVE Name: +CVSSv2: +CVSS scores: + This is calculated without Environmental Score. +URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt +Project URL: http://www.fetchmail.info/ + +Affects: fetchmail releases 5.9.9 up to and including 6.3.19 + +Not affected: fetchmail release 6.3.20 and newer + +Corrected in: 2011-05-26 Git, among others, see commit + 7dc67b8cf06f74aa57525279940e180c99701314 + + 2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing) + + pending fetchmail 6.3.20 release tarball + + +0. Release history +================== + +2011-05-30 0.1 first draft (visible in Git and through oss-security) + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail version 5.9.9 introduced STLS support for POP3, version +6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated +in-band SSL/TLS negotiation was not guarded by a timeout. + +Depending on the operating system defaults as to TCP stream keepalive +mode, fetchmail hangs in excess of one week after sending STARTTLS were +observed if the connection failed without notifying the operating +system, for instance, through network outages or hard server crashes. + +A malicious server that does not respond, at the network level, after +acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail +in this protocol state, and thus render fetchmail unable to complete the +poll, or proceed to the next server, effecting a denial of service. + +SSL-wrapped mode on dedicated ports was unaffected by this problem, so +can be used as a workaround. + + +3. Solution +=========== + +Install fetchmail 6.3.20 or newer after it will have become available. +(Note that the announcements may be publicly visible quite some time +before the release is made, particularly for minor bugs.) + +The fetchmail source code is always available from +<http://developer.berlios.de/project/showfiles.php?group_id=1824>. + +Distributors are encouraged to review the NEWS file and move forward to +6.3.20, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued. Several such +(long-standing) bugs were fixed through recent releases. + +Fetchmail 6.3.X releases have always been made with a focus on unchanged +user and program interfaces so as to avoid disruptions when upgrading +from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the +interface incompatibly. + +There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases! + + +4. Workaround +============= + +A. If supported by the server's configuration, fetchmail can be run in +ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto +ssl3" option must be configured (possibly replacing sslproto tls1 where +configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on +the command line (where it applies to all poll configurations). + It is generally advisable to use --sslcertck to enable SSL +certificate validation. + +B. If the operating system supports setting all TCP sockets to keepalive +mode by default, and possibly lowering the delay until keepalive probes +start, enabling this configuration can protect against hangs through +silently broken connections, but not against a malicious server. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>. +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-Noncommercial-No Derivative Works 3.0 Germany License. +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to + +Creative Commons +171 Second Street +Suite 300 +SAN FRANCISCO, CALIFORNIA 94105 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of fetchmail-SA-2011-01 |