From 175b11ec729d4ea01eb523b02a407c1d180c5480 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 16 Nov 2006 07:30:25 +0000 Subject: Commit draft of fetchmail SA. svn path=/branches/BRANCH_6-3/; revision=4941 --- fetchmail-SA-2006-02.txt | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 fetchmail-SA-2006-02.txt diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt new file mode 100644 index 00000000..9a8514a0 --- /dev/null +++ b/fetchmail-SA-2006-02.txt 
@@ -0,0 +1,90 @@ +fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure + +Topics: fetchmail cannot enforce TLS + +Author: Matthias Andree +Version: 1.0 +Announced: 2006-11-XX +Type: secret information disclosure +Impact: fetchmail can expose cleartext password over unsecure link + fetchmail may not detect man in the middle attacks +Danger: medium +Credits: Isaac Wilcox (bug report, collaboration on fix) +CVE Name: CVE-2006-5867 +URL: http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt +Project URL: http://fetchmail.berlios.de/ + +Affects: fetchmail releases <= 6.3.5 + fetchmail release candidate 6.3.6-rc1 + +Not affected: fetchmail release candidate 6.3.6-rc2 + fetchmail release 6.3.6 + +Corrected: 2006-11-12 fetchmail 6.3.6-rc2 + + +0. Release history +================== + +2006-11-12 internal review draft + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +Fetchmail has no configuration facility to enforce TLS connections. +Configuring --sslproto 'tls1' does not cause connection aborts if TLS is +not offered or the TLS handshake fails for POP3 or IMAP. +Even if fetchmail is forced to validate an TLS certificate by means of +--sslfingerprint or --sslcertck, it may expose cleartext credentials +over an unencrypted connection. + +This can cause eavesdroppers to obtain the password without fetchmail's +noticing. + + +3. Workaround +============= + +Use fetchmail --ssl --sslcertck --sslproto ssl3 (or equivalent in the +run control file) if your upstream offers SSLv3-wrapped service on a +dedicated port. + + +4. 
Solution +=========== + +Download and install fetchmail 6.3.6 or a newer stable release from +fetchmail's project site at +. + + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2006 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END OF fetchmail-SA-2006-02.txt -- cgit v1.2.3
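Review bot: The workaround in section 3 only helps users whose upstream exposes an SSL-wrapped service on a dedicated port, yet the draft never states what the rest should do; since section 2 establishes that `--sslproto 'tls1'` does not abort when STARTTLS is missing or the handshake fails, add a sentence to section 3 saying that for STARTTLS-only POP3/IMAP servers there is no configuration-level mitigation and the only fix is the upgrade in section 4. Section 4 also has a dangling reference, "fetchmail's project site at .", with no URL where the text clearly expects one; the header already lists "Project URL: http://fetchmail.berlios.de/", so repeat that link there (the copyright line "(C) Copyright 2006 by Matthias Andree, ." has the same gap for the contact address). "Announced: 2006-11-XX" is still a placeholder and must be filled in before the advisory is published alongside 6.3.6. Minor wording: "over unsecure link" should read "over an insecure link", "validate an TLS certificate" should be "validate a TLS certificate", and "without fetchmail's noticing" reads better as "without fetchmail noticing". The background paragraph about fetchmailconf does not bear on this issue and could be dropped to keep the advisory focused on the TLS enforcement problem.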